Cloud Vendor | Microsoft Azure |
Proficiency Level | Cloud Enthusiast |
Tags | Azure Storage, Storage Blob, Web Server |
Summary
In this lab, you will explore the built-in Role-Based Access Control (RBAC) capabilities in Microsoft Azure. You will create new users in Azure Active Directory (AAD) and place them in a user group. After that, you will assign different roles to the group and enable various levels of access to resources in Microsoft Azure.
Each exercise below builds upon the previous one. You should start each new exercise from the last step of the previous exercise unless it is explicitly written otherwise.
Learning Objectives
After completion of this lab, you will be able to:
- Create users in Azure Active Directory (AAD)
- Create user groups in Azure Active Directory (AAD) and add members to them
- Assign roles to groups
- Assign roles to individual users
Prerequisites
To complete this lab, you will need the following:
- Reliable internet connection
- A work, school or personal Microsoft Account used to access Microsoft Azure Management Portal
- A subscription for Microsoft Azure
Exercise #1: Creating Users in Azure Active Directory (AAD)
In this exercise, you will create new users in Azure Active Directory (AAD).
Steps
- Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Click on the button in the Azure Active Directory (AAD) blade
- Click on the button on the top of the All users blade
- In the New user blade, fill in the following in the form:
Username → test_user01
Name → Test User 01
- Select the Show Password checkbox to show the password
- Copy the password for later use
- Click on the button
- Repeat steps 4 through 8 to create a second user with the following information:
Username → test_user02
Name → Test User 02
- Milestone step: At this point, you have learned how to create new users in Azure Active Directory (AAD)
Exercise #2: Creating Groups in Azure Active Directory (AAD)
In this exercise, you will create a new security group in Azure Active Directory (AAD).
Steps
- Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on the button in the left-hand navigation
- Click on the button in the Azure Active Directory (AAD) blade
- Click on the button on the top of the All groups blade
- In the New group blade, fill in the following in the form:
Group type → Security
Group name → TestGroup
- Click on the Owners row
- Find your user and click on it
- Click on the button
- Click on the Members row
- Find Test User 01 and click on it
- Repeat step 10 for Test User 02
- Click on the button
- Milestone step: At this point, you have learned how to add owner and members to a new Azure Active Directory (AAD) security group
- Click on the button to create the group
- Milestone step: At this point, you have learned how to create a group in Azure Active Directory (AAD)
Exercise #3: Assign Roles to the Security Group
In this exercise, you will create two new resource groups and assign different roles to the security group for each one of the resource groups.
Steps
- Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using your Microsoft Account
- Click on
in the upper left corner right under the logo
- In the search box search for Resource group and press Enter
- Click on the button
- On the Basics tab, fill in the following information:
Resource group → read-only-rg
Region → West US 2
- Click on the button
- On the Tags tab, add the following tags:
Role → rbac-test
Lab → securitylab01
Owner → <your name>
OwnerEmail → <your email>
- Click on the button
- Review the summary and click on the button
- Wait until the resource group is created
- Repeat steps 2 through 10 to create a second resource group with the name read-write-rg
- Click on the button in the left-hand navigation
- Find the read-only-rg resource group from the list and click on it
- Click on the button in the Resource group blade
- Click on the button on top of the blade and select Add role assignment
- In the Add role assignment blade, select Reader for the Role
- Find TestGroup and click on it
- Click on the button to save your changes
- Click on the tab to verify your changes
- Milestone step: At this point, you have learned how to assign a Reader role to a resource in Microsoft Azure
- Click on the button in the left-hand navigation
- Find the read-write-rg resource group from the list and click on it
- Click on the button in the Resource group blade
- Click on the button on top of the blade and select Add role assignment
- In the Add role assignment blade, select Contributor for the Role
- Find TestGroup and click on it
- Click on the button to save your changes
- Click on the tab to verify your changes
- Milestone step: At this point, you have learned how to assign a Contributor role to a resource in Microsoft Azure
Exercise #4: Test the Access to the Resource Groups
In this exercise, you will test the access to the resource groups you created.
Steps
- Sign in to the Microsoft Azure Management Portal at http://portal.azure.com using the test_user01 user account
Note: You will need to set up a new password if this is the first time you are signing in with this user.
- Click on the button in the left-hand navigation
- Milestone step: Note that the test_user01 user account is able to see only the following two resource groups: read-only-rg and read-write-rg
- Click on
in the upper left corner right under the logo
- In the search box search for Storage account and press Enter
- Click on the button
- On the Basics tab, in the Project Details section, select the following information for the resource group:
Resource group → read-only-rg
- Milestone step: Note the error message under the Resource group field. You don’t have Write permissions to the resource group and cannot create resources in it
- On the Basics tab, in the Project Details section, change the selection for the resource group to:
Resource group → read-write-rg
- Milestone step: Note that the error message under the Resource group field has disappeared. You have Write permissions to the resource group and can create resources in it
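Why Exercise #4 behaves this way can be reproduced offline with a small model of how Azure RBAC evaluates the assignments made in Exercise #3. This is an added example, not part of the original lab: it is a simplified evaluator, not Azure's own code. Assumptions: the role definitions are abridged copies of the built-in Reader and Contributor roles, the subscription ID is a placeholder, other-rg and the storage account name demo are constructed, and deny assignments and data actions are not modeled.

```python
from fnmatch import fnmatchcase

# Abridged copies of the built-in role definitions; Contributor carries
# further NotActions in Azure that are not needed for this lab.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ]},
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = {n: f"{SUB}/resourceGroups/{n}"
      for n in ("read-only-rg", "read-write-rg", "other-rg")}  # other-rg is constructed
GROUPS = {"TestGroup": {"test_user01", "test_user02"}}
ASSIGNMENTS = [  # (principal, role, scope) as set up in Exercise #3
    ("TestGroup", "Reader", RG["read-only-rg"]),
    ("TestGroup", "Contributor", RG["read-write-rg"]),
]

def _matches(patterns, action):
    # Action strings are case-insensitive and may contain * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(scope, resource_id):
    # An assignment applies to its scope and everything nested below it.
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def is_allowed(user, action, resource_id):
    """True if any role assignment reaching the user grants the action."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    for principal, role, scope in ASSIGNMENTS:
        if principal in principals and _in_scope(scope, resource_id):
            role_def = ROLES[role]
            if (_matches(role_def["actions"], action)
                    and not _matches(role_def["not_actions"], action)):
                return True
    return False

def visible_resource_groups(user):
    read = "Microsoft.Resources/subscriptions/resourceGroups/read"
    return sorted(n for n, rid in RG.items() if is_allowed(user, read, rid))

def can_create_storage(user, rg_name):
    rid = f"{RG[rg_name]}/providers/Microsoft.Storage/storageAccounts/demo"
    return is_allowed(user, "Microsoft.Storage/storageAccounts/write", rid)
```

The same model shows that Contributor on read-write-rg does not let a TestGroup member create role assignments there, because `Microsoft.Authorization/*/Write` is excluded by the role's NotActions.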
Last Update: October 23, 2019