Role-Based Access Control
Lab scenario
You have been asked to create a proof of concept showing how Azure users and groups are created, and how role-based access control is used to assign roles to groups. Specifically, you need to:
- Create a Senior Admins group containing the user account of Joseph Price as its member.
- Create a Junior Admins group containing the user account of Isabel Garcia as its member.
- Create a Service Desk group containing the user account of Dylan Williams as its member.
- Assign the Virtual Machine Contributor role to the Service Desk group.
Use the Azure portal to create a user account for Joseph Price.
- In the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.
- On the Overview blade of the Azure Active Directory tenant, in the Manage section, select Users, and then select + New user.
- On the New User blade, ensure that the Create user option is selected, and specify the following settings:
- Click the copy icon next to the User name to copy the full user name.
- Ensure that Auto-generate password is selected, and select the Show password checkbox to reveal the automatically generated password. You will need to provide this password, along with the user name, to Joseph.
- Click Create.
- Refresh the Users | All users blade to verify the new user was created in your Azure AD tenant.
Use the Azure portal to create a Senior Admins group and add the user account of Joseph Price to the group.
In this task, you will create the Senior Admins group, add the user account of Joseph Price to the group, and configure that account as the group owner.
- In the Azure portal, navigate back to the blade displaying your Azure Active Directory tenant.
- In the Manage section, click Groups, and then select + New group.
- On the New Group blade, specify the following settings (leave others with their default values):
Group type: Security
Group Name: Senior Admins
Membership Type: Assigned
- Click the No owners selected link; on the Add owners blade, select Joseph Price and click Select.
- Click the No members selected link; on the Add members blade, select Joseph Price and click Select.
- Back on the New Group blade, click Create.
Create a Junior Admins group containing the user account of Isabel Garcia as its member.
Task 1: Use PowerShell to create a user account for Isabel Garcia.
In this task, you will create a user account for Isabel Garcia by using PowerShell.
- Open the Cloud Shell by clicking the first icon in the top right of the Azure portal. If prompted, select PowerShell and Create storage.
- Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.
Use PowerShell to create the Junior Admins group and add the user account of Isabel Garcia to the group.
In this task, you will create the Junior Admins group and add the user account of Isabel Garcia to the group by using PowerShell.
Create a Service Desk group containing the user account of Dylan Williams as its member.
Task 1: Use Azure CLI to create a user account for Dylan Williams.
In this task, you will create a user account for Dylan Williams.
- In the drop-down menu in the upper-left corner of the Cloud Shell pane, select Bash, and, when prompted, click Confirm.
- In the Bash session within the Cloud Shell pane, run the following to identify the name of your Azure AD tenant:
Task 2: Use Azure CLI to create the Service Desk group and add the user account of Dylan to the group.
In this task, you will create the Service Desk group and assign Dylan to the group.
- In the same Bash session within the Cloud Shell pane, run the following to create a new security group named Service Desk.
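The two scripted exercises above (Junior Admins via PowerShell, Service Desk via Azure CLI) do the same three things: create a user, create a security group, and add the user to the group. As an added example that is not the lab's own script, the following Az PowerShell function does all three idempotently and is called once for each group; it assumes the Az.Resources module, a Connect-AzAccount session signed in as a user (so the tenant domain can be taken from your own user principal name), and that the users and groups do not already exist with different settings.

```powershell
# Added example, not part of the lab. Requires Az.Resources and an existing
# Connect-AzAccount session signed in with a user account (assumption).
# The tenant domain is derived from the signed-in user's UPN, the same value
# the lab's Bash step obtains from the signed-in user.
$tenantDomain = ((Get-AzContext).Account.Id -split '@')[1]

function New-LabUserInGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,   # e.g. 'Isabel Garcia'
        [Parameter(Mandatory)] [string] $MailNickname,  # e.g. 'isabel'
        [Parameter(Mandatory)] [string] $GroupName,     # e.g. 'Junior Admins'
        [Parameter(Mandatory)] [securestring] $Password
    )
    $upn = "$MailNickname@$tenantDomain"

    # Reuse existing objects so the function is safe to re-run.
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) {
        $user = New-AzADUser -DisplayName $DisplayName -UserPrincipalName $upn `
                    -MailNickname $MailNickname -Password $Password
    }
    $group = Get-AzADGroup -DisplayName $GroupName
    if (-not $group) {
        # Mail nickname must not contain spaces; strip them from the display name.
        $group = New-AzADGroup -DisplayName $GroupName -MailNickname ($GroupName -replace '\s', '')
    }

    # Add the user only if not already a member (avoids a duplicate-member error).
    $members = Get-AzADGroupMember -GroupObjectId $group.Id
    if ($members.Id -notcontains $user.Id) {
        Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
    }
    # Return both objects so the caller can verify the result.
    [pscustomobject]@{ User = $user; Group = $group }
}

# Initial passwords are entered interactively rather than stored in the script.
$isabelPassword = Read-Host -Prompt 'Initial password for Isabel Garcia' -AsSecureString
$dylanPassword  = Read-Host -Prompt 'Initial password for Dylan Williams' -AsSecureString

$junior = New-LabUserInGroup -DisplayName 'Isabel Garcia' -MailNickname 'isabel' -GroupName 'Junior Admins' -Password $isabelPassword
$desk   = New-LabUserInGroup -DisplayName 'Dylan Williams' -MailNickname 'dylan'  -GroupName 'Service Desk'  -Password $dylanPassword

# Verify membership: print each group's members by display name.
foreach ($g in $junior.Group, $desk.Group) {
    "$($g.DisplayName): " + ((Get-AzADGroupMember -GroupObjectId $g.Id).DisplayName -join ', ')
}
```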
Assign the Virtual Machine Contributor role to the Service Desk group.
In this exercise, you will complete the following tasks:
- Task 1: Create a resource group.
- Task 2: Assign the Service Desk group Virtual Machine Contributor permissions on the resource group.
Task 1: Create a resource group
- In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.
- On the Resource groups blade, click + Create and specify the following settings:
Subscription name: the name of your Azure subscription
Resource group name: AZ500Lab01
Location: East US
- Click Review + create and then Create.
- Back on the Resource groups blade, refresh the page and verify your new resource group appears in the list of resource groups.
Task 2: Assign the Service Desk group Virtual Machine Contributor permissions.
- On the Resource groups blade, click the AZ500Lab01 resource group entry.
- On the AZ500Lab01 blade, click Access control (IAM) in the middle pane.
- On the AZ500Lab01 | Access control (IAM) blade, click + Add and then, in the drop-down menu, click Add role assignment.
- On the Add role assignment blade, specify the following settings and click Next after each step:
Role (in the search tab): Virtual Machine Contributor
Assign access to (under the Members pane): User, group, or service principal
Select (+ Select members): Service Desk
- Click Review + assign twice to create the role assignment.
- From the Access control (IAM) blade, select Role assignments.
- On the AZ500Lab01 | Access control (IAM) blade, on the Check access tab, in the Search by name or email address text box, type Dylan Williams.
- In the list of search results, select the user account of Dylan Williams and, on the Dylan Williams assignments - AZ500Lab01 blade, view the newly created assignment.
- Close the Dylan Williams assignments - AZ500Lab01 blade.
- Repeat the last two steps to check access for Joseph Price.
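The role assignment and the Check access steps above can also be scripted, which is useful for repeating the verification after membership changes. The following Az PowerShell script is an added example, not the lab's own code; it assumes Az.Resources, a Connect-AzAccount session signed in as a user, and that the Service Desk group and the dylan/joseph accounts were created with the user principal names used earlier in this lab (an assumption, since the portal steps do not show the final UPNs).

```powershell
# Added example, not part of the lab. Requires Az.Resources and a user-signed
# Connect-AzAccount session (assumption: account is a user, not a service principal).
$resourceGroupName = 'AZ500Lab01'
$roleName          = 'Virtual Machine Contributor'

# Create the resource group if Task 1 has not been done yet.
$rg = Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) { $rg = New-AzResourceGroup -Name $resourceGroupName -Location 'eastus' }

$group = Get-AzADGroup -DisplayName 'Service Desk'
if (-not $group) { throw "Group 'Service Desk' not found; create it first." }

# Assign the role to the group at resource-group scope, only if it is not
# already assigned, so the script can be re-run without error.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
                -ResourceGroupName $resourceGroupName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
        -ResourceGroupName $resourceGroupName | Out-Null
}

# Equivalent of the portal's Check access tab: -ExpandPrincipalGroups includes
# roles a user holds only through group membership, which is how Dylan gets
# Virtual Machine Contributor here without a direct assignment.
function Get-EffectiveRoles {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Get-AzRoleAssignment -SignInName $UserPrincipalName -ExpandPrincipalGroups `
        -ResourceGroupName $resourceGroupName |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

# UPNs assumed to match the mail nicknames used when the accounts were created.
$tenantDomain = ((Get-AzContext).Account.Id -split '@')[1]
# Expected: a Virtual Machine Contributor row for Dylan (inherited via Service
# Desk); nothing from this lab for Joseph, whose Senior Admins group has no
# assignment on AZ500Lab01 (subscription-level assignments, if any, still show).
foreach ($nick in 'dylan', 'joseph') {
    "--- $nick@$tenantDomain"
    Get-EffectiveRoles -UserPrincipalName "$nick@$tenantDomain" | Format-Table -AutoSize
}
```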