Hi, in this video, we're going to take a look at custom roles in Azure. I have covered the built-in roles in other videos, and there are many built-in roles. But there are times when you may want to be more granular or more precise in the way that you assign rights or permissions through these roles. So what we're going to do in this video is take a look at how to define and assign custom roles in the Azure environment, talk about both of those, and then I'm going to go through a demonstration.

Let's start out by talking about defining custom roles. Roles are defined as a set of actions, and actions are really operations that can be taken on particular resource providers and resources. The way that activities, actions and operations work in Azure is that you have resource providers. So for example, Microsoft.Compute is a resource provider. And then underneath the resource provider, you have resources. So for example, if you're working with virtual machines, you may have a resource that would be Microsoft.Compute/virtualMachines. But then underneath those resources, you have various actions: the ability, for example, at the highest level, to create or delete or update or read, or many other actions that can be taken on these different resources.
And what you do with a custom role is say which of these actions, across any set of resources, you want to control with this role. And you should know that roles are additive. So I may be assigned certain rights, certain actions, within one role, and then be given other actions because I belong to another role on the same resource. Unless you specifically define a deny assignment, they're always going to be additive.

So let's break this role definition down. The first thing you should note is that this role definition is written in JSON (JavaScript Object Notation). If you're not a data person, it really is not a big deal; it's really not that difficult to follow. In fact, that's kind of the point of JSON: it was designed to be a little more straightforward than other data specifications. Within JSON, I have an object definition. That's always where I start, and that's just what the braces (sometimes people call them curly brackets) define as an object. And then within that object I have attributes, which are simply name/value pairs. In fact, the first one is actually Name, so that would be the name of this particular role.
Roles also have other attributes such as Description; that's pretty straightforward. Then I get into what you can actually do with the role. The way the role works, I have Actions, which are going to allow me to do things. In this case, this is a security role. It's going to allow me to read everything under Microsoft.Authorization. It's also going to allow me to perform everything under policy assignments and policy definitions under Microsoft.Authorization. So that's what Security Admin does. The next three, NotActions, DataActions and NotDataActions, you'll notice are empty. NotActions is a way to refine Actions. So for example, if I wanted someone to be able to do everything in policy definitions except delete policy definitions, I could add a NotActions entry specifically for that, to really refine Actions. DataActions and NotDataActions do the same thing as Actions and NotActions, except on the data plane instead of the control plane. So some resources will actually allow you to define operations at the data level of the resource itself through Azure roles. For example, off the top of my head, there are some roles for Key Vault that give you specific data-related functionality in Key Vault.
And you would potentially see some DataActions and NotDataActions there. Finally, we have AssignableScopes, and that is: at what scope can this role be assigned? I can set it at the subscription level. You can also set it at the resource group level. You typically would not want to set it at a resource level; I don't think I've ever even tried that. I can also take a role and make it available across multiple subscriptions. AssignableScopes is actually an array of subscription identifiers. So if I had, say, two or three subscriptions that were all related and I wanted this role across all three of those, then I could define the assignable scopes for this role across those. All right, so that is the way you define a custom role. I will show you this; I'll actually show you the process I use to create custom roles. And the way you would actually then send it would be, for example, through the New-AzRoleDefinition PowerShell cmdlet.

Now, what about assigning custom roles? There are actually a few different ways that you can assign custom roles. The easiest way is the exact same way that you would assign built-in roles.
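To make the two points above concrete (NotActions only refines one role's Actions, and assignments are additive across roles), here is an added PowerShell example that is not part of the video. The role JSON is in the shape just described, but the role name, the action list, the subscription id and the "Contributor-like" role are illustrative values I constructed, not the video's exact role. The evaluator uses PowerShell's `-like` wildcard matching to approximate the way Azure RBAC combines roles; the real decision is made by Azure.

```powershell
# Added example (not from the video): a custom role in the JSON shape the video
# walks through, plus a small evaluator that mimics how Azure RBAC combines
# Actions/NotActions across several assigned roles. All values are illustrative.

$customRoleJson = @'
{
  "Name": "INE Website Contributors",
  "Description": "Lets you manage websites, but not access to them or delete them.",
  "Actions": [
    "Microsoft.Web/sites/*",
    "Microsoft.Web/serverFarms/read",
    "Microsoft.Web/serverFarms/join/action",
    "Microsoft.Web/certificates/*",
    "Microsoft.Support/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.Web/sites/delete",
    "Microsoft.Web/sites/*/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
'@
# Two NotActions entries: "sites/*/delete" needs a "/" after the wildcard in the
# local -like check below, so it covers child resources but not the site itself.

$customRole = $customRoleJson | ConvertFrom-Json

# A second, broader role, since the video's demo user also holds plain Contributor.
# Illustrative subset of Contributor: everything allowed except role management.
$contributorLike = [pscustomobject]@{
    Name       = "Contributor (illustrative subset)"
    Actions    = @("*")
    NotActions = @("Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write")
}

function Test-RoleAllows {
    param([string]$Action, [object]$Role)
    # A single role allows an action when some Actions pattern matches it and
    # no NotActions pattern matches it. NotActions subtracts from this role only;
    # it is not a deny that affects other roles assigned to the same principal.
    $allowed  = @($Role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

function Test-EffectiveAllow {
    param([string]$Action, [object[]]$Roles)
    # Assignments are additive: the action is allowed if any assigned role allows it.
    foreach ($r in $Roles) {
        if (Test-RoleAllows -Action $Action -Role $r) { return $true }
    }
    return $false
}

$ops = @(
    "Microsoft.Web/sites/write",
    "Microsoft.Web/sites/delete",
    "Microsoft.Web/sites/slots/delete",
    "Microsoft.Authorization/roleAssignments/write"
)

"--- custom role alone ---"
foreach ($op in $ops) { "{0,-48} {1}" -f $op, (Test-EffectiveAllow $op @($customRole)) }

"--- custom role plus Contributor (additive) ---"
foreach ($op in $ops) { "{0,-48} {1}" -f $op, (Test-EffectiveAllow $op @($customRole, $contributorLike)) }
```

With the custom role alone, the site write is allowed and both deletes are excluded by NotActions. Once the Contributor-like role is added to the same principal, the deletes come back as allowed, because the other role grants them and NotActions never denies anything outside its own role. That is exactly the situation at the end of the video, where the demo user holds both the custom role and Contributor, so the delete restriction has no effect until the broader assignment is removed.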
I can go through the portal, go to Access control (IAM), and add a role assignment. So here I've got some demo role and I'm adding myself to that demo role. Very simple. You can also do this from the command line.

All right, let's take a look now at defining and assigning a custom role. What I'm going to do is go through the process I go through when I'm building a custom role. I don't want to have to build that JSON from scratch, so I'll show you a bit of a cheat, a shortcut that you can use so that you're not starting out with blank JSON that you then have to fill out correctly. Instead, I'm going to take an existing role, make a copy of that and edit it. After I do that, I'm going to go ahead and create the role definition in my Azure subscription, and then assign that role to a user.

All right, let's get started by pulling the definition of a role. I currently have Windows PowerShell ISE open. This is just a tool for interacting with PowerShell; I like the tool, and there are plenty of others out there. I'm going to start by retrieving my Azure role definitions. I have already logged in.
And I'm pulling back a set of roles. What I'm going to do is take the Website Contributor role and modify it so that you have a slightly constrained set of permissions. But in order to do that, I need to actually pull that definition back first. So I'm going to say, okay, I want the definition for Website Contributor. Now that gets the actual role back (I said website, but it's the role that comes back). But that is not in JSON format. Fortunately for me, there's a nice little trick here: ConvertTo-Json. That's going to take the definition and output it as JSON. Then all I really need to do is write it out somewhere. All right, we're just going to do this the easy way: customrole. So I put that out to a JSON file.

Now what I'm going to do is edit that JSON file. Let's pull up my Visual Studio Code editor, because I'm fairly happy with it as an editing tool. And let's see if we can't zoom in a bit. There we go, a little bit better. All right, now this shows the actual definition of the custom role.
Of the built-in role, rather, in this case Website Contributor. Now I'm going to take this and modify it. But first of all, I need to change a few things. I'm going to call it "INE Website Contributors"; this will just be for our INE website contributors. And the description: lets you manage websites, but not access to them or delete them. That's really all I'm going to do: remove the delete capability. I read through here and I see all of these actions on line 5 through line 16. And I notice, for example, I can do anything with a website; on server farms, I can read and I can join; I can do anything with certificates; I can create support tickets. You see all the different actions that I've got available. But there are some things that I don't want to be able to do. For example, I don't want to be able to delete sites. So let me go in here to NotActions and add that. I'm just going to put "delete" after the asterisk. In fact, you won't be able to delete anything in a site, which is probably a little bit cumbersome, but it'll do for this example. And really, the key thing is that you're going to have to figure out what you want your roles to be allowed to do and not allowed to do.
I'll show you how you can get a little more of that momentarily. Now, we also have AssignableScopes. Right now, it's just a slash ("/"), and what that means is that it is at the cloud level. As it turns out, Microsoft is not going to allow me to define my own custom roles that would be available throughout the entire Azure cloud. So I can really only go up to the subscription level, which of course means I need to know what my subscription is. So I can run Get-AzSubscription. Actually, let's not even do it that way; if I go up way higher, I don't think I can. All right, we'll just have to get all my subscriptions. And I'm going to take the ID of the subscription that I use and put it over in my assignable scopes. So that is where this role will be available. Now, you may have noticed, fairly quietly, that I took out the ID that was in there, and I took out whether or not it was custom (IsCustom), because those will be set automatically. At this point, I can simply save this, go back to my PowerShell, and say New-AzRoleDefinition, and the input file is going to be customrole.json. Now I run this and I get an error.
And the reason I get an error is because, interestingly enough, the role that I pulled this from, the contributor role, actually has an action in its definition that no longer exists. So I just need to go in and remove that, save it, and then run it again. There we go. I now have a new role definition. And in fact, I want to pull it back. There is the information. Notice it received an ID, it has IsCustom set, and all the other information that I set for it.

Now I want to go about assigning that role. For this, I'm going to pop over into my demo area in the Azure portal. I'm going to go to resource groups, and to a resource group that I have for RBAC, and add some access control. I'm going to go in and add a role assignment. The role that I'm going to pick: there's my INE Website Contributor. And we're going to assign that to the demo user. And that's it; save. All right, if I check role assignments now, I'll see that the demo user has INE Website Contributor, as well as, from an earlier example in a different video, plain Contributor. But that is the process.
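The whole procedure just demonstrated, as an added PowerShell script rather than the video's own hand-edited session: dump the built-in role to JSON, edit the JSON, create the definition, assign it, and verify. The resource group name, the user's sign-in name and the output path are assumed placeholders; the script expects the Az module and a prior Connect-AzAccount. One difference from the video: IsCustom is kept and set to true in the file rather than removed, and only Id is dropped.

```powershell
# Added example (not the video's own script): define and assign a custom role
# end to end in Azure PowerShell. Placeholder values are marked as assumed.

$sourceRole    = "Website Contributor"
$newRoleName   = "INE Website Contributors"
$jsonPath      = Join-Path $PWD "customrole.json"
$resourceGroup = "rg-rbac-demo"          # assumed resource group name
$userSignIn    = "demouser@example.com"  # assumed user principal name

# 1. Start from an existing built-in role and write it out as JSON (the video's shortcut).
Get-AzRoleDefinition -Name $sourceRole |
    ConvertTo-Json -Depth 5 |
    Out-File -FilePath $jsonPath -Encoding utf8

# 2. Edit the JSON: new name and description, refine with NotActions, limit the scope.
$def = Get-Content -Path $jsonPath -Raw | ConvertFrom-Json
$def.Name        = $newRoleName
$def.Description = "Lets you manage websites, but not access to them or delete them."
$def.IsCustom    = $true
# Block deleting a site and anything beneath it (two patterns; see the earlier example).
$def.NotActions  = @("Microsoft.Web/sites/delete", "Microsoft.Web/sites/*/delete")

# Custom roles cannot be scoped at "/" (the whole cloud); use the current subscription.
$subscriptionId       = (Get-AzContext).Subscription.Id
$def.AssignableScopes = @("/subscriptions/$subscriptionId")

# Azure assigns the Id; the copied built-in Id must not be sent back.
$def.PSObject.Properties.Remove("Id")
$def | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding utf8

# 3. Create the role definition. If Azure rejects an action that no longer exists
#    (as happens in the video), remove that entry from "Actions" in the file and re-run.
New-AzRoleDefinition -InputFile $jsonPath | Out-Null
Get-AzRoleDefinition -Name $newRoleName |
    Format-List Name, Id, IsCustom, NotActions, AssignableScopes

# 4. Assign the custom role to the user at resource-group scope.
New-AzRoleAssignment -SignInName $userSignIn `
                     -RoleDefinitionName $newRoleName `
                     -ResourceGroupName $resourceGroup | Out-Null

# 5. Verify. Every role listed here is additive; a broader role such as Contributor
#    on the same scope would hand back the delete rights this role withholds.
Get-AzRoleAssignment -SignInName $userSignIn -ResourceGroupName $resourceGroup |
    Select-Object RoleDefinitionName, Scope
```

Step 5 is the check worth keeping in a runbook: listing the principal's assignments at the scope shows whether the custom role is actually the most permissive one in effect, which the role definition alone cannot tell you.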
Now, one other thing I'm going to show you: how do you come up with this list of actions? Well, there's actually a relatively easy way to do that, and that is Get-AzProviderOperation. Now, I am going to narrow this down to just Microsoft.Web (with a capital M), so Microsoft.Web/*. As you noticed (I'm sure you read all of that as it went through your screen), these are all of the operations that are available. Now what I'm going to do is filter that down just a little bit. We'll just select the Operation and sort by it. This nice short little list here: these are all of the actions that are available just under Microsoft.Web. And I am paging through this. So this particular PowerShell cmdlet is really quite useful, but it also has to be filtered a good bit. And this command right here is typically what I do when I am setting up my own custom roles.

So what are custom roles? Custom roles are just groups of actions that you want to allow, or possibly not allow, within a role, which can be assigned, of course, at the subscription level, at the resource group level, or at the resource level.
And my recommendation for creating your own custom role: first of all, start with an existing role. Don't try to create this from scratch, because sometimes you're going to find that there are actions you wouldn't expect that are necessary for a particular piece of functionality. For example, if you've got virtual machines, you probably also want access to Microsoft.Insights so that you can look at the performance and diagnostics information that might be collected for your virtual machine. So it's always good to start with an existing role, understand how to convert that into a JSON file, and also understand how to list out the actions that you might want to take a look at. I showed you an example where I listed the actions that were available; I didn't even show you all of them. I showed you several pages of actions that are available for one particular provider, and that was Microsoft.Web. All right, so it's very easy to create and assign roles as far as the mechanics go. What gets to be a little bit more complex is thinking about what actions you actually want to be part of that role.
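The Get-AzProviderOperation listing is also the tool that would have caught the stale action that made New-AzRoleDefinition fail earlier in the video. The following added PowerShell example (mine, not the video's) first produces the Microsoft.Web listing as the video does, then checks every Actions and NotActions entry in a role JSON file against the provider's known operations before the role is submitted. The file path is a placeholder, and the wildcard matching uses PowerShell's `-like`, which approximates Azure's pattern matching; it assumes the Az module and a prior Connect-AzAccount.

```powershell
# Added example (not from the video): list a provider's operations, then validate a
# role definition's action patterns against them so stale entries are found locally.

$jsonPath = Join-Path $PWD "customrole.json"   # assumed path to the edited role JSON

# The video's listing: every operation under Microsoft.Web, sorted and de-duplicated.
$webOps = Get-AzProviderOperation "Microsoft.Web/*" |
    Select-Object -ExpandProperty Operation |
    Sort-Object -Unique

"Microsoft.Web exposes $($webOps.Count) operations; the delete operations are:"
$webOps | Where-Object { $_ -like "*/delete" }

function Test-RoleActions {
    param([string]$Path)
    # Returns the Actions/NotActions entries that match no known operation of their
    # provider. A wildcard entry is acceptable if it matches at least one operation.
    $def     = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $entries = @($def.Actions) + @($def.NotActions) | Where-Object { $_ }
    $cache   = @{}   # provider namespace -> list of known operation strings
    $stale   = @()

    foreach ($entry in $entries) {
        $provider = ($entry -split "/")[0]
        if ($provider -eq "*") { continue }   # a bare "*" matches everything by definition
        if (-not $cache.ContainsKey($provider)) {
            $cache[$provider] = @(Get-AzProviderOperation "$provider/*" |
                                  Select-Object -ExpandProperty Operation)
        }
        $matches = @($cache[$provider] | Where-Object { $_ -like $entry })
        if ($matches.Count -eq 0) { $stale += $entry }
    }
    return $stale
}

$stale = Test-RoleActions -Path $jsonPath
if ($stale) {
    "Entries that resolve to no current operation (remove before New-AzRoleDefinition):"
    $stale
} else {
    "All Actions and NotActions entries resolve to known operations."
}
```

Running Test-RoleActions over the JSON produced from a built-in role shows any entry that the provider no longer publishes, which is the kind of entry the video had to remove by hand after the first failed attempt. Because NotActions entries are checked too, a misspelled exclusion (which would silently fail to exclude anything) is reported as well.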