Azure Governance – Azure RBAC (Role Based Access Control)

RBAC (Role Based Access Control) lets you manage access to resources in Azure. Role-based access is managed through the IAM (Identity and Access Management) blade in the Azure portal, and this blade is available at Management Group, Subscription, Resource Group and individual Azure resource level. Role assignments are inherited by child scopes; for example, any access assigned at Management Group level is inherited by its Subscriptions and by all the Resource Groups and individual Azure resources under those subscriptions.

RBAC Scope and Inheritance
Identity & Access Control (IAM) blade in Azure portal

Access control is configured using the following information:

  • Role – the role being granted, for example Owner, Reader or Contributor
  • Assign access to – an Azure AD user, group, service principal or system-assigned managed identity
  • Select – a user (UPN) or a group
Role Assignment

Let’s go deeper and understand the RBAC roles available in Azure:

  • Built-in roles – By default there are 70+ built-in Azure roles, and these can be assigned based on requirements. A detailed list of these roles is available here.
  • Custom roles – Custom roles can be created by an Azure administrator when the built-in roles aren’t granular enough to restrict access. Detailed information on creating custom roles is available here.

Note: A custom role can only be assigned to an Azure subscription, and a maximum of 2000 custom roles can be created.

Let’s understand how to see which actions a built-in role can perform; we will then customize that built-in role to create a new custom role. The following PowerShell cmdlet displays the information about an existing role:

Custom Role Example – Create a custom role for a read-only admin who also needs the ability to raise Microsoft support tickets

We will now modify the built-in Reader role to add permission to raise support tickets. The action will be added as “Microsoft.Support/*”, together with the subscription ID of the subscription where this role will be assignable.

We will now create this custom role using the following PowerShell command:

Once the role is created, it will be available under the IAM blade, where it is displayed as a CustomRole and its icon box is shown in orange.

You can also delete a custom role if it is no longer required; however, you can only delete a custom role if it is not in use.

You can also view all the custom roles created in your subscription.
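The whole procedure above (inspect the built-in Reader role, clone it with the Microsoft.Support/* action, list custom roles, and delete the role only when nothing is assigned to it) as an added example using the Az PowerShell module; this is not code from the original post. The subscription ID is a placeholder and the role name is an assumption.

```powershell
# Added example, not from the original post. Assumes the Az module is installed
# and Connect-AzAccount has already been run with sufficient rights.
$subscriptionId = "<SUBSCRIPTION-ID>"                # placeholder: your subscription ID
$customRoleName = "Reader with Support Tickets"      # assumed name for the new role

# 1. Inspect the built-in Reader role and the actions it allows
$reader = Get-AzRoleDefinition -Name "Reader"
$reader.Actions          # e.g. */read
$reader.NotActions

# 2. Reuse the definition object as the template for the custom role
$custom = $reader
$custom.Id = $null       # a new definition must not reuse the built-in role's Id
$custom.IsCustom = $true
$custom.Name = $customRoleName
$custom.Description = "Read-only access plus the ability to raise Microsoft support tickets"
$custom.Actions.Add("Microsoft.Support/*")
$custom.AssignableScopes.Clear()
$custom.AssignableScopes.Add("/subscriptions/$subscriptionId")   # scope where it can be assigned

# 3. Create the custom role
New-AzRoleDefinition -Role $custom

# 4. Verify: list only the custom roles, with the scopes they can be assigned at
Get-AzRoleDefinition -Custom | Select-Object Name, IsCustom, AssignableScopes

# 5. Delete the role only when no role assignment references it
$inUse = Get-AzRoleAssignment -RoleDefinitionName $customRoleName
if (-not $inUse) {
    Remove-AzRoleDefinition -Name $customRoleName -Force
} else {
    Write-Warning "Role '$customRoleName' still has $($inUse.Count) assignment(s); remove them first."
}
```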