WEBVTT

00:00:03.220 --> 00:00:07.900
In this video, we're going to take a look at role-based access control

00:00:07.900 --> 00:00:13.060
in action. And there are two topics that we're going to cover.

00:00:13.060 --> 00:00:16.280
First of all, we're going to go through and demonstrate role-based access

00:00:16.280 --> 00:00:21.580
control. And then I want to come back and talk about troubleshooting.

00:00:21.580 --> 00:00:25.220
What are some of the common issues that you may run into when you're implementing

00:00:25.220 --> 00:00:26.980
role-based access control?

00:00:26.980 --> 00:00:31.600
But let's go ahead and start out by going through a demonstration.

00:00:31.600 --> 00:00:38.460
All right, I am going to go over to my Windows PowerShell.

00:00:38.460 --> 00:00:39.320
I'm in PowerShell.

00:00:39.320 --> 00:00:42.340
Let me see if I can pump that up a bit more.

00:00:42.340 --> 00:00:47.020
Make it a little bit more readable.

00:00:47.020 --> 00:00:59.220
All right, I have already authenticated in using my Azure AD identity

00:00:59.220 --> 00:01:02.440
that is a subscription owner.

00:01:02.440 --> 00:01:06.660
And what I'm going to do first is pull out the role definitions.

00:01:06.660 --> 00:01:10.480
And hopefully you can see all of those and could read that as they went

00:01:10.480 --> 00:01:14.460
by. There's quite a number of role definitions with lots of detail.

00:01:14.460 --> 00:01:18.900
So rather than going into the detail for all of these, let's take a look

00:01:18.900 --> 00:01:20.700
at just the names.

00:01:20.700 --> 00:01:22.620
So this is a list.

00:01:22.620 --> 00:01:27.920
And that's an easy way to get a list of the roles in any particular subscription.

00:01:27.920 --> 00:01:31.160
And we can see that there are a number of roles.

00:01:31.160 --> 00:01:33.960
And you'll notice that these can be pretty granular.
00:01:33.960 --> 00:01:37.760
So for example, under storage account, I've got Storage Account, but then

00:01:37.760 --> 00:01:38.860
it goes even deeper than that.

00:01:38.860 --> 00:01:45.400
I've got Storage Blob Data Contributor, Blob Data Owner, Blob Data Reader.

00:01:45.400 --> 00:01:49.680
With the built-in roles, you can actually be, as you can tell, you can

00:01:49.680 --> 00:01:51.740
actually be very granular.

00:01:51.740 --> 00:01:56.620
Now there are also the very high-level roles, such as, we'll go back down

00:01:56.620 --> 00:02:00.800
here. You can see Owner and Reader, and up above, there's also Contributor.

00:02:00.800 --> 00:02:05.900
So you have at the highest level, down to some very granular outputs or

00:02:05.900 --> 00:02:11.040
options. All right, now let's take a look at one role.

00:02:11.040 --> 00:02:15.200
I'm going to take a look at the Website Contributor role.

00:02:15.200 --> 00:02:19.620
I'm going to use this as an example.

00:02:19.620 --> 00:02:24.120
And within this, you can see that I've got the name, the ID.

00:02:24.120 --> 00:02:26.100
It's not custom.

00:02:26.100 --> 00:02:31.320
I've got a list of actions, and then everything else is pretty much open.

00:02:31.320 --> 00:02:34.480
Notice that the assignable scope is "/", meaning that of course it's

00:02:34.480 --> 00:02:36.660
assigned to the entire cloud.

00:02:36.660 --> 00:02:41.240
What I want to do though is I want to take this and use it

00:02:41.240 --> 00:02:45.140
as the basis for a custom role.

00:02:45.140 --> 00:02:49.580
So to do that, I'm going to take my role definition, and I'm going to

00:02:49.580 --> 00:02:55.860
convert it to a JSON output, and then drop that into a file, customrole

00:02:55.860 --> 00:03:03.980
.json. So that has pulled up a JSON file.
00:03:03.980 --> 00:03:10.700
And I flipped over to Visual Studio Code, because it gives me a nice interface

00:03:10.700 --> 00:03:14.100
for interacting with this particular role.

00:03:14.100 --> 00:03:15.780
So here I've got Website Contributor.

00:03:15.780 --> 00:03:22.000
What I'm going to do is I'm going to change this to Website Developer.

00:03:22.000 --> 00:03:26.340
I'm going to create a little bit of a custom role based on the Website

00:03:26.340 --> 00:03:28.960
Contributor. And I will tell you, whenever possible, if I'm creating a

00:03:28.960 --> 00:03:33.340
custom role, I really prefer to start with an existing role and kind of

00:03:33.340 --> 00:03:40.680
modify. For example, a lot of organizations want to distribute and delegate

00:03:40.680 --> 00:03:43.980
management of resources.

00:03:43.980 --> 00:03:47.420
So you may have multiple resource groups and you want different actual

00:03:47.420 --> 00:03:51.140
user groups and divisions or departments managing them.

00:03:51.140 --> 00:03:55.140
But you don't necessarily want to make them full owners of the resource

00:03:55.140 --> 00:03:58.480
group. So oftentimes you'll see what I like to refer to as kind of an

00:03:58.480 --> 00:04:01.480
owner-light role

00:04:01.480 --> 00:04:03.100
that is then assigned to groups.

00:04:03.100 --> 00:04:09.560
And so for example, maybe you have a corporate owner role that is like

00:04:09.560 --> 00:04:13.060
the Owner role except it doesn't allow you to change policy, just as an

00:04:13.060 --> 00:04:18.840
example. In any case, here is my role and I've got a number of these actions.

00:04:18.840 --> 00:04:21.020
What I want to do is I want to modify this down.

00:04:21.020 --> 00:04:26.820
And specifically, if we look at Microsoft.Web/sites, we'll notice

00:04:26.820 --> 00:04:28.640
that I have an asterisk there.
00:04:28.640 --> 00:04:34.320
And what that means is that someone who has this role can do anything

00:04:34.320 --> 00:04:39.460
with a site. Well, I want almost that, but I don't want to be able to

00:04:39.460 --> 00:04:41.400
delete a site, for example.

00:04:41.400 --> 00:04:47.960
So what I'm going to do is I want to take a look at the roles that are

00:04:47.960 --> 00:04:50.320
available underneath of sites.

00:04:50.320 --> 00:04:56.880
First, let's take a look at all of the roles underneath of Microsoft.Web

00:04:56.880 --> 00:05:00.660
/sites. So these are actions.

00:05:00.660 --> 00:05:02.860
This is Get-AzResourceProviderAction.

00:05:02.860 --> 00:05:03.540
I think I said roles.

00:05:03.540 --> 00:05:06.280
I apologize. I meant permissions.

00:05:06.280 --> 00:05:08.920
Get-AzResourceProviderAction.

00:05:08.920 --> 00:05:11.800
That's just standard PowerShell for Azure.

00:05:11.800 --> 00:05:15.360
I have an operation string, which is going to be the Microsoft.Web resource

00:05:15.360 --> 00:05:19.380
provider, and then sites and everything under sites.

00:05:19.380 --> 00:05:26.160
And I'm going to select the operation and sort by the operation.

00:05:26.160 --> 00:05:31.940
And these are all of the specific actions.

00:05:31.940 --> 00:05:36.000
You can think of these as permissions that are available under sites.

00:05:36.000 --> 00:05:40.380
And you'll notice there are pages and pages of these.

00:05:40.380 --> 00:05:44.160
That's a lot. Let's narrow that down.

00:05:44.160 --> 00:05:49.560
Let's just look at the delete operations.

00:05:49.560 --> 00:05:54.340
Again, think of these as permissions.

00:05:54.340 --> 00:05:58.640
Run that and I get what should be a smaller list.

00:05:58.640 --> 00:06:02.040
Still quite a number of delete operations.

00:06:02.040 --> 00:06:06.660
These are all, remember, just for one type of resource.
00:06:06.660 --> 00:06:09.460
I'm going to go ahead because it's just a demo.

00:06:09.460 --> 00:06:11.820
I'm not going to go too deep into it because that would put everyone to

00:06:11.820 --> 00:06:16.940
sleep. But what I want to do is say, OK, I don't want the Website Developer

00:06:16.940 --> 00:06:21.340
role to give you the ability to delete any of these.

00:06:21.340 --> 00:06:25.080
So I'm going to go over to my custom role definition.

00:06:25.080 --> 00:06:27.960
And I'm just going to make my life really simple.

00:06:27.960 --> 00:06:34.200
Just copy that. And then just literally add a slash.

00:06:34.200 --> 00:06:37.020
Whoa, except I put that in the wrong place.

00:06:37.020 --> 00:06:39.160
That's supposed to be a NotAction.

00:06:39.160 --> 00:06:41.620
It's good to remember what I'm trying to demonstrate here.

00:06:41.620 --> 00:06:44.960
Let's pull that down into NotActions.

00:06:44.960 --> 00:06:56.840
There we go. A website, except you don't have the ability to delete a website.

00:06:56.840 --> 00:07:01.620
And I can and should update the description.

00:07:01.620 --> 00:07:12.020
So "cannot delete anything," which is not exactly right.

00:07:12.020 --> 00:07:16.720
But hopefully you'll be a little more precise in your description.

00:07:16.720 --> 00:07:18.560
But that's good enough for now.

00:07:18.560 --> 00:07:21.980
I'm going to go ahead and save this.

00:07:21.980 --> 00:07:23.760
And now I want to apply this.

00:07:23.760 --> 00:07:28.480
Well, applying a role, as it turns out, is really quite simple.

00:07:28.480 --> 00:07:33.120
All you need to do is run New-AzRoleDefinition.

00:07:33.120 --> 00:07:40.220
However, as I mentioned, right now that role is defined to apply to the

00:07:40.220 --> 00:07:42.000
entire cloud, which I cannot do.

00:07:42.000 --> 00:07:46.800
So instead, I'm going to grab my subscription information.
00:07:46.800 --> 00:07:51.840
There's my subscription ID.

00:07:51.840 --> 00:08:07.980
Copy that. And I'm going to come down here to assignable scopes.

00:08:07.980 --> 00:08:09.540
And put in my subscription.

00:08:09.540 --> 00:08:12.300
Now, if I had multiple subscriptions, and I wanted to apply this across

00:08:12.300 --> 00:08:15.100
multiple subscriptions, I could do that.

00:08:15.100 --> 00:08:19.000
All right, we are just about there.

00:08:19.000 --> 00:08:22.960
Now, the next thing that I would do with this role definition is I would

00:08:22.960 --> 00:08:25.480
actually create a role definition.

00:08:25.480 --> 00:08:28.040
I do that with New-AzRoleDefinition.

00:08:28.040 --> 00:08:29.040
This one's going to fail.

00:08:29.040 --> 00:08:30.760
And it kind of amuses me that it fails.

00:08:30.760 --> 00:08:32.160
And I'll show you why.

00:08:32.160 --> 00:08:34.740
There we go. It fails.

00:08:34.740 --> 00:08:40.160
And it fails because it says that the Microsoft.Web/serverfarms

00:08:40.160 --> 00:08:46.240
/join/action does not match any actions that are supported

00:08:46.240 --> 00:08:47.660
by the providers.

00:08:47.660 --> 00:08:53.400
And what that means is this role, this built-in role, actually has an

00:08:53.400 --> 00:08:56.100
obsolete action or right.

00:08:56.100 --> 00:08:57.900
So I can just take that out.

00:08:57.900 --> 00:08:59.400
And that's fine.

00:08:59.400 --> 00:09:01.320
I'm not really making fun of Azure.

00:09:01.320 --> 00:09:04.340
I just think that's kind of interesting that their own role continues

00:09:04.340 --> 00:09:06.520
to have something that's deprecated.

00:09:06.520 --> 00:09:10.140
All right, so I take that out and there's my role.

00:09:10.140 --> 00:09:16.700
Right? And if I go ahead and Get-AzRoleDefinition, now I see I've got

00:09:16.700 --> 00:09:20.120
that Website Developer down there and I could look for Website Developer

00:09:20.120 --> 00:09:24.600
and I could pull its definition.

00:09:24.600 --> 00:09:30.160
I can also go ahead and apply it.

00:09:30.160 --> 00:09:35.120
Let's go and take a look at how I could actually apply that role.

00:09:35.120 --> 00:09:37.940
And I'm going to do this through the portal.

00:09:37.940 --> 00:09:40.220
I could do this through the command line as well.

00:09:40.220 --> 00:09:44.800
But as we'll get a little bit more graphical here, I'm going to go to

00:09:44.800 --> 00:09:45.940
my resource groups.

00:09:45.940 --> 00:09:49.280
And I have this resource group already, RBAC.

00:09:49.280 --> 00:09:53.500
And I'm going to go into the RBAC resource group and you'll notice that

00:09:53.500 --> 00:09:57.020
it's got an application service, an application service plan.

00:09:57.020 --> 00:09:58.960
It's got Application Insights.

00:09:58.960 --> 00:10:04.000
And what I want to do is I'm going to go up here to Access control.

00:10:04.000 --> 00:10:10.060
I'm going to Access control and I can, it's actually some pretty cool

00:10:10.060 --> 00:10:12.200
capabilities. I can check someone's access.

00:10:12.200 --> 00:10:24.400
So for example, if I wanted to see, I don't know, Bob at iany-demo.com.

00:10:24.400 --> 00:10:28.260
You can see that there are no roles assigned to Bob.

00:10:28.260 --> 00:10:33.720
Okay. Now I could assign a role to Bob.

00:10:33.720 --> 00:10:36.560
It's pretty easy to do.

00:10:36.560 --> 00:10:39.640
I'm going to add a role assignment.

00:10:39.640 --> 00:10:44.000
And the role that I'm going to add is going to be, all the way down here

00:10:44.000 --> 00:10:47.380
at the bottom. There's my Website Developer.
00:10:47.380 --> 00:10:58.920
And we're going to add this to Bob at iany-demo.

00:10:58.920 --> 00:11:12.660
Add that in. And now I've added Bob and made Bob a Website Developer.

00:11:12.660 --> 00:11:16.320
And you can see that.

00:11:16.320 --> 00:11:19.780
I'm going to do this, you know, this Azure environment.

00:11:19.780 --> 00:11:22.080
Now I don't have it all set up for Bob to log in.

00:11:22.080 --> 00:11:26.860
But Bob would in this case be able to do everything that a Website Contributor

00:11:26.860 --> 00:11:31.240
could, except Bob's not going to be able to delete a website.

00:11:31.240 --> 00:11:35.520
But other than that, Bob has the roles that are given, or has the rights

00:11:35.520 --> 00:11:36.780
that are given by that role.

00:11:36.780 --> 00:11:38.440
One last quick thing.

00:11:38.440 --> 00:11:42.320
In addition to role assignments, there are now deny role assignments.

00:11:42.320 --> 00:11:47.060
And this is a relatively new addition to the Azure environment.

00:11:47.060 --> 00:11:52.420
Azure has always been essentially a whitelist permission.

00:11:52.420 --> 00:11:56.180
So if you have a role, you have all the capabilities of that role.

00:11:56.180 --> 00:12:00.280
Now you have the ability to specify roles that have permissions that somebody

00:12:00.280 --> 00:12:02.100
absolutely cannot have.

00:12:02.100 --> 00:12:03.140
This is a capability.

00:12:03.140 --> 00:12:04.500
It's not one that I personally would use.

00:12:04.500 --> 00:12:05.740
I like the idea.

00:12:05.740 --> 00:12:08.960
I like the discipline of saying, okay, I'm going to give you roles.

00:12:08.960 --> 00:12:12.460
But I'm always only going to give you the role that gives you exactly

00:12:12.460 --> 00:12:14.120
the permissions that you need.

00:12:14.120 --> 00:12:22.520
Now let's take a minute to round out looking at some troubleshooting topics.
00:12:22.520 --> 00:12:29.860
So we have troubleshooting RBAC.

00:12:29.860 --> 00:12:35.300
There are some things we want to, first of all, role definition or assignment

00:12:35.300 --> 00:12:38.820
rights. If you're trying to define roles or assign roles, you have to

00:12:38.820 --> 00:12:43.440
have those specific rights that we've already talked about.

00:12:43.440 --> 00:12:49.120
Also, there's a custom role limit of 5,000 roles per tenant.

00:12:49.120 --> 00:12:54.460
If you need more than 5,000 custom roles, you might want to rethink your

00:12:54.460 --> 00:12:56.820
security architecture.

00:12:56.820 --> 00:13:02.780
Other things that you need to be aware of: if you migrate a subscription

00:13:02.780 --> 00:13:07.240
between tenants, so in other words, every subscription is associated with

00:13:07.240 --> 00:13:08.680
a primary tenant.

00:13:08.680 --> 00:13:12.260
And oftentimes let's say maybe you've purchased a company, your company's

00:13:12.260 --> 00:13:16.160
purchased a company, you want to move their subscription under your tenant.

00:13:16.160 --> 00:13:21.900
When you move a subscription, it breaks all of the role assignments within

00:13:21.900 --> 00:13:26.260
that subscription except for the owner of the subscription.

00:13:26.260 --> 00:13:27.740
So just be aware of that.

00:13:27.740 --> 00:13:29.880
Just something you have to account for.

00:13:29.880 --> 00:13:30.960
And it kind of makes sense, right?

00:13:30.960 --> 00:13:34.340
Because conceptually, if you're moving tenants, you're probably moving

00:13:34.340 --> 00:13:37.440
your groups and changing your groups and everything else.

00:13:37.440 --> 00:13:43.600
Also, be aware that role-based access control can take up to 30 minutes

00:13:43.600 --> 00:13:46.020
to fully propagate through Azure.
00:13:46.020 --> 00:13:49.060
So if somebody has been assigned a role and they come back two minutes

00:13:49.060 --> 00:13:54.760
later and are yelling at you because they don't have that role, assure

00:13:54.760 --> 00:13:56.480
them that they will.

00:13:56.480 --> 00:13:59.220
It'll be 30 minutes and then maybe when they're gone, you'll double check

00:13:59.220 --> 00:14:03.100
and make sure you still, you've got 30 minutes.

00:14:03.100 --> 00:14:08.960
Now the other thing, and this is one that will get me sometimes.

00:14:08.960 --> 00:14:13.780
And that is what I would call obscure permissions.

00:14:13.780 --> 00:14:19.780
And so there's times where you might say, okay, I want this person to

00:14:19.780 --> 00:14:22.200
be able to provision a virtual machine.

00:14:22.200 --> 00:14:23.800
That's all I want them to be able to do.

00:14:23.800 --> 00:14:27.720
Or I want them to be able to provision a web app.

00:14:27.720 --> 00:14:32.780
However, oftentimes when you're provisioning these things, there are other

00:14:32.780 --> 00:14:37.160
resources that you are likely to provision.

00:14:37.160 --> 00:14:43.280
For example, if you want to, and there's also just some really odd things.

00:14:43.280 --> 00:14:45.000
I've got some notes on this.

00:14:45.000 --> 00:14:50.060
For example, you have to have write access to the App Service Plan if

00:14:50.060 --> 00:14:55.860
you want to view the web app's pricing tier, such as free or standard.

00:14:55.860 --> 00:15:01.240
Also, you have to have write access to the App Service Plan if you want

00:15:01.240 --> 00:15:03.440
to view scale settings.

00:15:03.440 --> 00:15:04.960
It's kind of interesting.
00:15:04.960 --> 00:15:08.960
You have certain things you need write access to the entire resource group

00:15:08.960 --> 00:15:13.400
if you're going to set up SSL certificates and bindings, or if you're

00:15:13.400 --> 00:15:17.140
going to set up alert rules, autoscale settings, Application Insights

00:15:17.140 --> 00:15:19.000
components, or web tests.

00:15:19.000 --> 00:15:23.940
Now technically, you don't actually need the write access to the entire

00:15:23.940 --> 00:15:28.060
resource group, but there are a lot of different permissions that are

00:15:28.060 --> 00:15:31.200
in there that it would probably be just as easy to give you access to the

00:15:31.200 --> 00:15:33.460
entire resource group.

00:15:33.460 --> 00:15:37.400
And then virtual machines, there's some features that require write access

00:15:37.400 --> 00:15:39.400
that you might not expect.

00:15:39.400 --> 00:15:45.520
If you want to view or update the endpoints, the IP addresses, the disks,

00:15:45.520 --> 00:15:50.500
or extensions, then you would need to have write access to the virtual

00:15:50.500 --> 00:15:54.960
machine. And again, you don't necessarily need to memorize those details,

00:15:54.960 --> 00:15:57.560
but it is something that is important to understand.

00:15:57.560 --> 00:16:01.140
It is something that will throw you off if you're not aware of it.

00:16:01.140 --> 00:16:03.740
Well, it may not throw you off, but it certainly has thrown me off in