Task: Configure RBAC for a Resource Group

Video: Role-Based Access Control

Estimated time: 10 minutes

Goal

The goal of this task is to verify the actions permitted a user with limited roles. This includes assigning resource group and resource level roles to a user, and verifing the permissions of that user.

Pre-requisites

1. Non-production Azure subscription
2. Resource group named task-rbac-rg
3. Several resources in the task-rbac-rg resource group
4. An Azure AD cloud user named tasks for testing access

Requirements

1. Requirement 1: Assign resource group roles
2. Requirement 2: Assign resource roles

Pre-requisite setup

For this task, you will need to start with a resource group named task-rbac-rg. The resource group should contain the following resources:

1. A route table named rbac-rt
2. A network security group (NSG) named rbac-nsg
3. A virtual network named rbac-vnet
4. A Standard_D2S_V3 VM named rbac-vm using the Ubuntu 18.04 marketplace image, on the default subnet of the rbac-vnet virtual network
5. A test user named tasks in your Azure AD tenant

You can deploy the resources to your subscription by running the following from a bash cloud shell:

curl https://inedemoassets.blob.core.windows.net/taskfiles/azure_admin/deploy-3509T060-pre.sh | sh

You can create a new Azure AD user from the bash cloud shell by running the following command (substitute your values for the domain name and password):

az ad user create --display-name tasks --password <your password> --user-principal-name tasks@<your domain> --force-change-password-next-login false

Example

az ad user create --display-name tasks --password B@dPa55word! --user-principal-name tasks@inedemos.onmicrosoft.com --force-change-password-next-login false

Requirement 1: Assign resource group roles

For this requirement you will assign roles on the task-rbac-rg resource group to the tasks Azure AD cloud user and verify their permissions. Perform the following steps to complete this requirement:

• Assign the Reader role to the tasks user on the task-rbac-rg resource group.
• Assign the Network-Contributor role to the tasks user on the task-rbac-rg resource group.
• Open an incognito/private browser window and log in to the Azure portal (https://portal.azure.com) as the tasks user.
• Assign the rbac-nsg network security group to the Subnet-1 subnet of the rbac-vnet virtual network.
• Attempt to stop the rbac-vm virtual machine.
• Close the incognito/private browser window.

Requirement 2: Assign resource roles

For the requirement you will assign the Contributor role on the rbac-vm virtual machine to the tasks Azure AD cloud user. You will then log in to the Azure portal and attempt to stop the virtual machine. To complete this requirement:

• Assign the Contributor role to the tasks user on the rbac-VM virtual machine.
• Open an incognito/private browser window and log in to the Azure portal (https://portal.azure.com) as the tasks user.
• Attempt to stop the rbac-vm virtual machine.
• Close the incognito/private browser window.

Cleanup

When you have completed this task, delete the task-rbac-rg resource group.