Hope you all are safe and doing good.
In our last article we discussed the overview of Configure Custom RBAC Role Using Azure portal. Today in this article, we will continue with RBAC and see how to configure RBAC with a custom role using PowerShell. With this article, I am going to end our journey with the Azure Identity And Access Management Series. After this I am going to start a new series on Azure Storage.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them in the following links.
Custom Role In Azure :
As we discussed in the previous article, if the Azure built-in roles do not meet the requirements of our organization, we can create our own custom roles. In this article we create custom roles using Azure PowerShell.
Before we start creating a custom role using PowerShell, let’s check that we have the following setup with us.
- Permissions to create custom roles, such as Owner or User Access Administrator
- Azure Cloud Shell or Azure PowerShell
List Existing Azure Roles :
As we know, Azure provides many built-in roles to fulfil the basic needs of any organization. Sometimes those built-in roles do not fulfil a requirement, and for that reason we create a custom role. If we want to see all available built-in and custom roles in our subscription, use the following PowerShell command.
Get-AzRoleDefinition | FT Name, IsCustom
If we want to see a particular role in JSON format, for example our custom role “Manas KJ Restriccted Role“, which we created in our last article, use the following command. We can also download the JSON file if we want to reuse the definition, by piping the output to a file at the location where you want to save it.
Get-AzRoleDefinition -Name "Manas KJ Restriccted Role" | ConvertTo-Json
Create New Custom Role :
To create a custom role, use the New-AzRoleDefinition command. There are the following two methods of structuring the role.
- PSRoleDefinition object
- A JSON template
In this article, we will use the 2nd method, “A JSON template“. We discussed in our previous article that when we create a custom role, the Resource Provider plays a major part. It is important to know all the possible actions of the resource providers, because Actions are the heart of a role and each action of a resource provider is specific to a resource type under that resource provider. If you want more on Resource Providers, see the following articles.
By using the Get-AzProviderOperation command we can get all available actions of a Resource Provider and then select those actions which are required for our requirement.
Let’s get the actions for virtual machines, because we will create a custom role which will be applicable to VMs as we did in our previous article, but here we will do so using PowerShell commands.
Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize
Now let’s add resource group related actions so that the user can access the resource group. To find those actions, let’s get them from its resource provider by using the following PowerShell command.
Get-AzProviderOperation "Microsoft.Resources/Subscriptions/resourceGroups/*" | FT OperationName, Operation, Description -AutoSize
When we are planning to create a new custom role, the easiest way to start is to download the JSON file of an existing role and then customize it with the required actions. Edit the attributes to add the AssignableScopes that we want, then save the changes and create a new role with a different name. In this case we will use the JSON of the “Manas KJ Restriccted Role” custom role, which we created in our last article.
After adding the following actions to the existing actions, the JSON file looks like the following figure.
We can also add new actions to existing roles with PowerShell commands. The following example adds the Microsoft.Insights/diagnosticSettings/* operation to the Virtual Machine Operator custom role.
$role = Get-AzRoleDefinition "Virtual Machine Operator"
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
Set-AzRoleDefinition -Role $role
Let’s save the file with a different name like “Manas-KJ-Restricted-Role-Using-PowerShell.json“. Now we are ready with our new custom role definition file.
To create this new custom role (Manas KJ Restricted Role Using Power Shell) in the subscription, use the New-AzRoleDefinition command and specify the JSON role definition file as shown here.
New-AzRoleDefinition -InputFile "C:\MANAS DATA\AZURE\Azure_AZ-104\Azure IAM ( Azure AD)\Azure RBAC\Custom Role Using PS\Manas-KJ-Restricted-Role-Using-PowerShell.json"
Configure Assignable Scope :
After adding our new custom role, its assignable scope is configured at the Resource Group level. If we want to configure it at the Subscription level, e.g. to add an Azure subscription to the assignable scopes of our Manas KJ Restricted Role Using Power Shell custom role, the following PowerShell commands can be used to achieve this.
# Look up the subscription first; its Id is the value used in the scope string below
Get-AzSubscription -SubscriptionName "Visual Studio Enterprise – MPN"
$role = Get-AzRoleDefinition "Manas KJ Restricted Role Using Power Shell"
$role.AssignableScopes.Add("/subscriptions/********************")
Set-AzRoleDefinition -Role $role
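The complete flow of the two sections above (select provider operations, write the JSON definition, create the role, then widen its assignable scope), as an added example that is not code from the original post. The role name, resource group RBAC-RG and subscription name are taken from the post; the output path, the chosen action filter and the closing review check are assumptions.

```powershell
# Added example, not code from the original post: build the custom role
# definition file from the provider operations the post queries, create the
# role, then widen its assignable scope to the subscription. The role name,
# resource group "RBAC-RG" and subscription name are taken from the post;
# the output path and the chosen action filter are assumptions.
$roleName = "Manas KJ Restricted Role Using Power Shell"
$rgName   = "RBAC-RG"
$subName  = "Visual Studio Enterprise – MPN"
$outFile  = Join-Path $PWD "Manas-KJ-Restricted-Role-Using-PowerShell.json"

$sub     = Get-AzSubscription -SubscriptionName $subName
$rgScope = "/subscriptions/$($sub.Id)/resourceGroups/$rgName"

# Select only the VM operations this role really needs instead of granting
# "Microsoft.Compute/virtualMachines/*" wholesale (least privilege).
$vmOps = Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*" |
    Where-Object { $_.Operation -match '^Microsoft\.Compute/virtualMachines/(read|(start|restart|deallocate)/action)$' } |
    Select-Object -ExpandProperty Operation

# Same shape as the JSON the post downloads with ConvertTo-Json.
$definition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Read, start, restart and deallocate VMs in $rgName"
    Actions          = @($vmOps) + @("Microsoft.Resources/subscriptions/resourceGroups/read")
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($rgScope)
}
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding utf8

# Create the role from the file, as in the post's New-AzRoleDefinition step.
$role = New-AzRoleDefinition -InputFile $outFile

# Later, allow the role to be assigned anywhere in the subscription, not only in the RG.
$role.AssignableScopes.Add("/subscriptions/$($sub.Id)")
Set-AzRoleDefinition -Role $role | Out-Null

# Review check: which custom roles grant wildcard actions that may be broader than intended?
Get-AzRoleDefinition | Where-Object { $_.IsCustom } | ForEach-Object {
    $wild = @($_.Actions | Where-Object { $_.Contains('*') })
    if ($wild.Count -gt 0) {
        [pscustomobject]@{ Role = $_.Name; WildcardActions = ($wild -join ', ') }
    }
}
```

Run it in a session that is already signed in with Connect-AzAccount and has Owner or User Access Administrator rights on the subscription.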
More PowerShell Command To Manage Azure Role :
1) To update an existing role using a JSON file, use the Set-AzRoleDefinition PowerShell command.
Set-AzRoleDefinition -InputFile "C:\CustomRoles\Manas******.json"
2) To delete a custom role, first retrieve it with Get-AzRoleDefinition to confirm it is the right role, then pipe it to the Remove-AzRoleDefinition PowerShell command.
Get-AzRoleDefinition "Virtual Machine Operator"
Get-AzRoleDefinition "Virtual Machine Operator" | Remove-AzRoleDefinition
Add Azure Role Assignments :
Azure role-based access control (Azure RBAC) is the authorization system we use to manage access to Azure resources. To grant access, we assign roles to users, groups, service principals, or managed identities at a particular scope. This section describes how to assign our custom role (Manas KJ Restricted Role Using Power Shell) using Azure PowerShell.
To add and delete a role assignment we need the following prerequisites.
- Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner
- PowerShell in Azure Cloud Shell or Azure PowerShell
Get object IDs :
Before adding or removing role assignments, we might need to specify the unique ID of an object (User ID, Group ID, Service Application ID). The ID has the format 00000000-0000-0000-0000-000000000000. We can get the ID using the Azure portal or Azure PowerShell. The following PowerShell commands can be used to get the different types of object ID.
User Object :
(Get-AzADUser -DisplayName <user_display_name_in_quotes>).id
Group Object :
Get-AzADGroup -SearchString <group_name_in_quotes>
(Get-AzADGroup -DisplayName <group_name_in_quotes>).id
Service Application Object :
(Get-AzADServicePrincipal -DisplayName <service_principal_display_name_in_quotes>).id
In this example, we will assign the role to a Group (MSTech) at Resource Group (RBAC-RG) scope.
NOTE: we can assign roles to any object (User, Group and Service Application) at any scope (Management Group, Subscription, Resource Group and Resource).
Now we have the following information with us to add a new role assignment. Let’s add the new role assignment and see the result 🙂 .
Object ID (MSTech Group) : a74d42f7-eb40-4af1-****-d94718e3f710
Role Definition Name : Manas KJ Restricted Role Using Power Shell
Subscription ID : 04c1a0a5-787a-4c18-****-a21878c23819
Let’s use the following PowerShell command to add the new role assignment at subscription scope.
New-AzRoleAssignment -ObjectId a74d42f7-eb40-4af1-****-d94718e3f710 -RoleDefinitionName "Manas KJ Restricted Role Using Power Shell" -Scope /subscriptions/04c1a0a5-787a-4c18-****-a21878c23819
As we can see in the above figure, after executing the command the new role assignment has been created, and we can see the same in the portal as well.
Remove Role Assignment :
Just as we added a new role assignment, we can also remove a role assignment using a PowerShell command. The following example removes the “Manas KJ Restricted Role Using Power Shell“ role from the “MSTech” group at Subscription scope.
Remove-AzRoleAssignment -ObjectId a74d42f7-eb40-4af1-****-d94718e3f710 -RoleDefinitionName "Manas KJ Restricted Role Using Power Shell" -Scope /subscriptions/04c1a0a5-787a-4c18-****-a21878c23819
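The object-ID lookup and the add, verify and remove steps of the sections above in one script, as an added example that is not code from the original post. Group MSTech, resource group RBAC-RG and the role name are taken from the post; the assignment is made at resource group scope here, and the ambiguity check and the review listing are assumptions.

```powershell
# Added example, not code from the original post: resolve the group's object ID
# by name, assign the custom role at resource-group scope, verify the assignment
# and remove it again. Group "MSTech", resource group "RBAC-RG" and the role
# name come from the post; everything else is a constructed assumption.
$groupName = "MSTech"
$rgName    = "RBAC-RG"
$roleName  = "Manas KJ Restricted Role Using Power Shell"

# Look the ID up instead of pasting it by hand, so a typo cannot grant the role
# to the wrong principal. Fail loudly if the name is missing or ambiguous.
$group = @(Get-AzADGroup -DisplayName $groupName)
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)" }
$objectId = $group[0].Id

# Scope string has the form /subscriptions/<id>/resourceGroups/RBAC-RG
$scope = (Get-AzResourceGroup -Name $rgName).ResourceId

# Create the assignment only if it does not already exist (re-runnable script).
$existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Verify: Get-AzRoleAssignment -Scope also returns assignments inherited from
# parent scopes, so filter to the exact scope we intended to grant at.
$check = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if (-not $check) { throw "Assignment not found at $scope" }
$check | Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize

# Review: who else holds this custom role anywhere in the current subscription?
Get-AzRoleAssignment -RoleDefinitionName $roleName |
    Format-Table DisplayName, ObjectType, Scope -AutoSize

# Remove the assignment when the access is no longer needed.
Remove-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName -Scope $scope
```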
With the above information, I am concluding this article. I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
As we discussed above, I am going to end our journey with the Azure Identity And Access Management Series. Next I am starting a new series on Azure Storage. I hope that, like my previous series Learn Basics Of Azure Networking In 60 Hours and the Azure Identity And Access Management Series, you will support me and provide your inputs on our next series on Azure Storage 🙂 .
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned to Knowledge-Junction; we will come up with more such articles.
Thanks for reading 🙂 .