Tutorial / Cram Notes
Azure Role-Based Access Control (RBAC) is a model that allows organizations to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. While there are many built-in roles provided by Azure, there may be occasions when the predefined roles do not fit the exact needs of your organization. In such cases, custom roles can be created in Azure to provide a tailored set of permissions.
Understanding Custom Roles
Custom roles can have any combination of permissions associated with them, with the ability to fine-tune exactly what actions a user assigned the role is permitted to perform. These roles can be scoped at multiple levels, from a management group down to an individual resource.
Prerequisites for Creating Custom Roles
- Adequate permissions such as Owner or User Access Administrator on the subscription, resource group, or service to apply the custom role
- Understanding of Azure RBAC and of the Actions, NotActions, DataActions, and NotDataActions that make up a role definition for Azure resources
Creating Custom Roles in Azure
Before you can create a custom role, you should identify the set of actions you need to assign. Azure permissions are granular: a role definition specifies Actions (control-plane operations the role allows), NotActions (operations excluded from those allowed Actions), DataActions (data-plane operations the role allows), and NotDataActions (data-plane operations excluded from the allowed DataActions).
Using the Azure Portal to Create a Custom Role
- Navigate to the Azure portal.
- Find the Azure Active Directory or subscription where you want to create the role.
- Select “Access control (IAM)” and then click on “Add” and select “Add custom role”.
- On the “Basics” tab, enter a name and description for the role.
- On the “Permissions” tab, add the appropriate permissions by selecting from available actions, data actions, not actions, and not data actions.
- On the “Assignable Scopes” tab, specify where this role can be assigned.
- Review and create the custom role.
Using Azure PowerShell to Create a Custom Role
```powershell
# Build the role definition, write it to a JSON file, and create it with
# New-AzRoleDefinition -InputFile (the cmdlet takes -Role or -InputFile, not
# the individual properties, so splatting the hashtable directly does not work).
# Id is omitted on purpose: Azure generates the GUID when the role is created.
$role = @{
    Name             = "Custom Role"
    IsCustom         = $true
    Description      = "Custom role description"
    Actions          = @(
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
    )
    NotActions       = @(
        "Microsoft.Resources/subscriptions/resourceGroups/write"
    )
    AssignableScopes = @(
        "/subscriptions/your_subscription_id"   # replace with your subscription ID
    )
}
$role | ConvertTo-Json -Depth 3 | Set-Content -Path .\customrole.json
New-AzRoleDefinition -InputFile .\customrole.json
```
Using Azure CLI to Create a Custom Role
```bash
# Pass the role definition inline as JSON (use --role-definition @file.json to read it from a file).
az role definition create --role-definition '{
  "Name": "Custom Role",
  "Description": "Custom role description",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*"
  ],
  "NotActions": [
    "Microsoft.Resources/subscriptions/resourceGroups/write"
  ],
  "AssignableScopes": [
    "/subscriptions/your_subscription_id"
  ]
}'
```
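The following Python is an added example, not code from this page's author: it loads the role definition shown above (embedded here as a constructed sample), evaluates the effective permission the way Azure does (Actions minus NotActions, with `*` wildcards), and applies the least-privilege checks a reviewer would run before the role is created. Scope patterns and the finding texts are this example's own assumptions.

```python
"""Offline review of an Azure custom role definition (added example)."""
import json
import re
from fnmatch import fnmatchcase

# Constructed sample: the CLI definition from this page, as a JSON string.
ROLE_JSON = """{
  "Name": "Custom Role",
  "Description": "Custom role description",
  "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Insights/alertRules/*"],
  "NotActions": ["Microsoft.Resources/subscriptions/resourceGroups/write"],
  "AssignableScopes": ["/subscriptions/your_subscription_id"]
}"""

# Assumed accepted shapes: subscription, resource group, resource, or management group.
# The root scope "/" is deliberately not matched.
SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+(/resourceGroups/[^/]+(/providers/.+)?)?$|"
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")

def _matches(pattern: str, operation: str) -> bool:
    # Azure action strings are case-insensitive and '*' spans '/' segments.
    return fnmatchcase(operation.lower(), pattern.lower())

def is_allowed(role: dict, operation: str) -> bool:
    """Effective control-plane permission: granted by Actions, unless NotActions excludes it."""
    granted = any(_matches(a, operation) for a in role.get("Actions", []))
    excluded = any(_matches(n, operation) for n in role.get("NotActions", []))
    return granted and not excluded

def lint_role(role: dict) -> list[str]:
    """Least-privilege review findings; an empty list means no concerns."""
    findings = []
    if not role.get("AssignableScopes"):
        findings.append("AssignableScopes is empty")
    for scope in role.get("AssignableScopes", []):
        if not SCOPE_RE.match(scope):
            findings.append(f"unsupported assignable scope: {scope}")
    if any(a.strip() == "*" for a in role.get("Actions", [])):
        findings.append("Actions grants '*' (every control-plane operation, as Owner does)")
    # A role that can write role assignments can widen its holder's own access.
    if is_allowed(role, "Microsoft.Authorization/roleAssignments/write"):
        findings.append("role can create role assignments; review before assigning")
    return findings

ROLE = json.loads(ROLE_JSON)
```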
Comparing Custom Roles with Built-in Roles
| Feature | Custom Roles | Built-in Roles |
|---|---|---|
| Predefined Permissions | No | Yes |
| Customizable Permissions | Yes | No |
| Assignable Scopes | Yes | Yes |
| Default Assignment | No | Yes |
| Global Availability | No | Yes |
Custom roles offer greater flexibility than built-in roles by allowing you to create unique permission sets tailored to your organization’s needs. Built-in roles, on the other hand, offer a quick and easy way to assign common sets of permissions that cover most standard roles within Azure.
Best Practices
- Reuse built-in roles whenever possible to reduce management complexity
- Limit custom roles to only the permissions necessary for users to perform their jobs
- Regularly review and audit custom roles to ensure they remain consistent with the principle of least privilege
- Use descriptive names and descriptions for custom roles to clearly identify their purpose
Conclusion
Custom Azure roles play an important role in fine-tuning access controls and ensuring that the principle of least privilege is followed within an Azure environment. By understanding how to create and manage custom roles, organizations can ensure that users have only the access they need to perform their functions. This is an essential aspect of Azure security and compliance, and a topic that candidates studying for the SC-300 Microsoft Identity and Access Administrator exam should know well.
Practice Test with Explanation
True or False: Custom Azure roles can be defined at both the management group and subscription levels.
True
Custom Azure roles can be created at the management group level and inherited by all subscriptions within that management group, or they can be defined at an individual subscription level.
When creating a custom Azure role, which JSON property specifies the permissions included in the role?
- A) Actions
- B) NotActions
- C) DataActions
- D) AssignableScopes
A) Actions
The “Actions” JSON property specifies the set of operations that the role allows to be performed.
True or False: The “NotActions” property in a custom Azure role definition is used to explicitly allow actions that are not included in the “Actions” property.
False
The “NotActions” property is used to exclude certain actions from the allowed actions specified in the “Actions” property of the role definition.
Which of the following are valid properties in a custom Azure role definition? (Select all that apply)
- A) Name
- B) IsCustom
- C) Description
- D) RoleType
A) Name, C) Description, D) RoleType
“Name,” “Description,” and “RoleType” are all valid properties in a custom Azure role definition. “IsCustom” is not a defined property in Azure role definitions.
True or False: Once a custom Azure role is created, it cannot be updated.
False
Custom Azure roles can be updated after creation. However, care must be taken to ensure that no critical privileges are inadvertently removed or excessively granted.
What is the maximum number of custom roles that can be defined within an Azure AD tenant?
- A) 5,000
- B) 2,000
- C) 500
- D) No limit
A) 5,000
You can define up to 5,000 custom roles within an Azure AD tenant. This limitation is subject to change, so it’s advisable to check the latest Azure documentation.
Which PowerShell cmdlet can be used to create a custom Azure role?
- A) New-AzureRole
- B) Set-AzureRoleDefinition
- C) New-AzureRmRoleDefinition
- D) Create-AzureCustomRole
C) New-AzureRmRoleDefinition
The cmdlet “New-AzureRmRoleDefinition” is used to create custom Azure roles using PowerShell.
True or False: In a custom Azure role definition, the “AssignableScopes” property defines the operations that a role can perform.
False
The “AssignableScopes” property defines the scopes, such as management groups or subscriptions, where the custom role can be assigned, not the operations it can perform.
Which of the following is a requirement for deleting a custom Azure role?
- A) No assignments of the role exist
- B) The role must have been created more than 30 days ago
- C) The role has to be marked as “deletable”
- D) The role must have “Actions” set to null
A) No assignments of the role exist
A custom Azure role cannot be deleted if there are still assignments of that role. All assignments must be removed before the role can be deleted.
True or False: Azure Custom Roles can be used within Azure AD to manage resources at a granular level.
True
Azure Custom Roles allow for granular control over resources by defining specific actions that can be taken. They are an essential tool for segregating duties within Azure resource management.
When defining a custom Azure role, which property should be used to identify read-only permissions?
- A) “DataActions”
- B) “NotDataActions”
- C) “Actions” with Microsoft.Authorization/*/read
- D) “AssignableScopes” with read-only value
C) “Actions” with Microsoft.Authorization/*/read
The “Actions” property specifies the allowed operations. For read-only permissions, you would include “Microsoft.Authorization/*/read” in the “Actions” array.
Interview Questions
What is a custom role in Azure RBAC?
A custom role is a role that an administrator can create in Azure RBAC to meet their organization’s specific needs.
How are custom roles different from built-in roles in Azure RBAC?
Custom roles in Azure RBAC are different from built-in roles because they are created specifically to meet an organization’s unique requirements.
What are the benefits of using custom roles in Azure RBAC?
The benefits of using custom roles in Azure RBAC include the ability to grant users only the permissions they need to perform their tasks, reducing the risk of unauthorized access, and improving overall security.
How do you create a custom role in Azure RBAC?
To create a custom role in Azure RBAC, an administrator can use the Azure portal, Azure PowerShell, or Azure CLI.
What is a role definition in Azure RBAC?
A role definition is a collection of permissions that can be assigned to a user, group, or service principal in Azure RBAC.
What are the three types of permissions that can be included in a role definition in Azure RBAC?
The three types of permissions that can be included in a role definition in Azure RBAC are actions, notActions, and dataActions.
What is an action in Azure RBAC?
An action in Azure RBAC is a specific operation that can be performed on a resource, such as read or write.
What is a notAction in Azure RBAC?
A notAction in Azure RBAC is a specific operation that is excluded from the operations the role’s actions would otherwise allow.
What is a dataAction in Azure RBAC?
A dataAction in Azure RBAC is a specific operation that can be performed on a specific data element within a resource.
How can you assign a custom role to a user or group in Azure RBAC?
To assign a custom role to a user or group in Azure RBAC, an administrator can use the Azure portal, Azure PowerShell, or Azure CLI.
Can a custom role be edited after it has been created in Azure RBAC?
Yes, a custom role can be edited after it has been created in Azure RBAC.
What is the difference between a read-only custom role and a read-write custom role in Azure RBAC?
A read-only custom role allows a user to view resources but not modify them, while a read-write custom role allows a user to view and modify resources.
Can a custom role be deleted in Azure RBAC?
Yes, a custom role can be deleted in Azure RBAC.
How can an administrator test a custom role in Azure RBAC?
An administrator can test a custom role in Azure RBAC by assigning it to a user or group and then attempting to perform the actions specified in the role definition.
What is the importance of auditing custom roles in Azure RBAC?
Auditing custom roles in Azure RBAC is important to ensure that the permissions granted by the role are appropriate and to track any changes made to the role over time.
Configuring custom Azure roles can be quite tricky. Does anyone have a step-by-step guide?
Thanks for this blog post!
Is there a limit to the number of custom roles you can create in Azure?
While configuring roles, I’m facing an issue with the permissions. Some of them are not being applied.
Has anyone passed the SC-300 exam through self-study only?
Appreciate the insights shared in this blog!
How can I validate a custom role after creating it?
I’m having trouble understanding the scope of custom roles.