Role-Based Access Control (RBAC) in Microsoft Azure

Summary

In this lab, you will explore the built-in Role-Based Access Control (RBAC) capabilities in Microsoft Azure. You will create new users in Azure Active Directory (AAD) and place them in a user group. After that, you will assign different roles to the group and enable various levels of access to resources in Microsoft Azure.

Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.

Learning Objectives

After completion of this lab, you will be able to:

Prerequisites

To complete this lab, you will need the following:

Exercise #1: Creating Users in Azure Active Directory (AAD)

In this exercise, you will create new users in Azure Active Directory (AAD).

Steps

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Click on the button in the Azure Active Directory (AAD) blade
4. Click on the button on the top of the All users blade
5. In the New user blade, fill in the following in the form:
   Username → test_user01
   Name → Test User 01
6. Select the Show Password checkbox to show the password
7. Copy the password for later use
8. Click on the button
9. Repeat steps 4 through 8 to create a second user with the following information:
   Username → test_user02
   Name → Test User 02
10.  Milestone step:  At this point, you have learned how to create new users in Azure Active Directory (AAD)

Exercise #2: Creating Groups in Azure Active Directory (AAD)

In this exercise, you will create a new security group in Azure Active Directory (AAD).

Steps

1. Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on the button in the left-hand navigation
3. Click on the button in the Azure Active Directory (AAD) blade
4. Click on the button on the top of the All groups blade
5. In the New group blade, fill in the following in the form:
   Group type → Security
   Group name → TestGroup
6. Click on the Owners row
7. FindTipYou can use the search box on top of the list to find your user your user and click on it
8. Click on the button
9. Click on the Members row
10. FindTipYou can use the search box on top of the list to find the user Test User 01 and click on it
11. Repeat step 10 for Test User 02
12. Click on the button
13.  Milestone step:  At this point, you have learned how to add owner and members to a new Azure Active Directory (AAD) security group
14. Click on the button to create the group
15.  Milestone step:  At this point, you have learned how to create a group in Azure Active Directory (AAD)

Exercise #3: Assign Roles to the Security Group

In this exercise, you will create two new resource groups and assign different roles to the security group for each one of the resource groups.

Steps

1. Sign into the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
2. Click on in the upper left corner right under the logo
3. In the search box search for Resource group and press Enter
4. Click on the button
5. On the Basics tab, fill in the following information
   Resource group → read-only-rg
   Region → West US 2
6. Click on the button
7. On the Tags tab, add the following tags:
   Role → rbac-test
   Lab → securitylab01
   Owner → <your name>
   OwnerEmail → <your email>
8. Click on the button
9. Review the summary and click on the button
10. Wait until the resource group is created
11. Repeat steps 2 through 10 to create a second resource group with the name read-write-rg
12. Click on the button in the left-hand navigation
13. Find the read-only-rg resource group from the list and click on it
14. Click on the   button in the Resource group blade
15. Click on the button on top of the blade and select Add role assignment
16. In the Add role assignment blade, select Reader for the Role
17. FindTipYou can use the search box under Select label to find the group TestGroup and click on it
18. Click on the button to save your changes
19. Click on the tab to verify your changes
20.  Milestone step:  At this point, you have learned how to assign a Reader role to a resource in Microsoft Azure
21. Click on the button in the left-hand navigation
22. Find the read-write-rg resource group from the list and click on it
23. Click on the   button in the Resource group blade
24. Click on the button on top of the blade and select Add role assignment
25. In the Add role assignment blade, select Contributor for the Role
26. FindTipYou can use the search box under Select label to find the group TestGroup and click on it
27. Click on the button to save your changes
28. Click on the tab to verify your changes
29.  Milestone step:  At this point, you have learned how to assign a Contributor role to a resource in Microsoft Azure

Exercise #4: Test the Access to the Resource Groups

In this exercise, you will test the access to the resource groups you created.

Steps

1. Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using the test_user01 user account
   
   Note: You will need to set up new password if this is the first time you are signing in with this user.
2. Click on the button in the left-hand navigation
3.  Milestone step:  Note that the test_user01 user account is able to see only the following two resource groups: read-only-rg and read-write-rg
4. Click on in the upper left corner right under the logo
5. In the search box search for Storage account and press Enter
6. Click on the button
7. On the Basics tab in section, Project Details select the following information for the resource group
   Resource group → read-only-rg
8.  Milestone step:  Note the error message under the Resource group field. You don’t have Write permissions to the resource group and cannot create resources in it
9. On the Basics tab in section, Project Details change the selection for the resource group to
   Resource group → read-write-rg
10.  Milestone step:  Note the error message under the Resource group field disappeared. You have Write permissions to the resource group and can create resources in it