Microsoft 365 Security Administration:MS-500 Exam Guide

Planning, configuring, and monitoring RBAC

RBAC is a system that provides fine-grained access management for Azure resources. It enables Microsoft 365 administrators to control who has access to those resources, which actions those users can take, and which resources are accessible to them.

You can configure RBAC from multiple locations within the Azure portal. RBAC is presented in the form of the Access Control (IAM) pane when accessed from an Azure Visual Studio subscription, as shown in the following screenshot:

Figure 4.1 – Access Control (IAM)

Let's look at some key planning considerations when implementing RBAC.

Planning RBAC

When planning to assign RBAC permissions to users within Azure AD, you first need to understand role assignments. From the Access Control (IAM) pane, you have the choice of adding role assignments, viewing existing role assignments, and viewing deny assignments. The following screenshot shows these choices for role assignment:

Figure 4.2 – Role assignments

We can choose to add a new role assignment by clicking Add | Add role assignment:

Figure 4.3 – Adding a role assignment

Click the Role drop-down box. You will see a list of roles that are available for assignment:

Figure 4.4 – Available role assignments

So, how does this help us with planning for RBAC? There are three key questions you need to answer when doing this:

  • Who needs access?
  • What do they need to access?
  • What permissions do they need?

When you have the answers to these questions, you will be able to effectively plan the correct RBAC role assignment settings. In the example shown here, where we wish to grant access to a Visual Studio subscription, we can use RBAC to do things such as the following:

  • Grant a user access to the Billing Reader role for the subscription.
  • Grant a group access to the SQL DB Contributor role so they can manage SQL databases.
  • Grant an application access to all resources within a resource group.

RBAC enables you to grant explicit access to your users according to the principle of least privilege, which means they will have only the access required to do their jobs. This granular level of access removes the need to assign broader built-in roles to users that include capabilities they may not require, and for which they are not authorized.

How role assignments work

Role assignments consist of three components:

  • Security principal: This is the requesting party, which can be a user, group, service principal, or managed identity, as illustrated in the following diagram:

Figure 4.5 – Security principal

  • Role definition: A set of permissions that defines the actions that can be performed by the security principal (such as read, write, or delete). Role definitions are also known as roles and there are many built-in roles that can be used, such as Owner, Contributor, and Reader. The following diagram illustrates the concept of Role definition:

Figure 4.6 – Role definition

  • Scope: The scope can be defined as the resources to which access will be granted. An example would be assigning contributor access to a user for a specific resource group. The following diagram shows how the scope process works:

Figure 4.7 – Scope

Now that you understand the steps required to plan for RBAC, we can examine the process of configuring RBAC.

Configuring RBAC

Now that you understand what RBAC does and the principles of role assignments, you can start to configure role assignments with RBAC for your users. Role assignments can be added or removed in the Azure portal by using the Access Control (IAM) pane.

Important note

In order to configure role assignments, you will need to have User Access Administrator or Owner permissions.

In the following example, we will configure a user so that they can log in to a VM in Azure. Here are their details:

  • User: James Smith
  • Resource: A VM called chrysalis03

To provide our user with the access they require to the VM, we need to take the following steps:

  1. Log in to the Azure portal and navigate to All resources | chrysalis03.
  2. Now, we need to select Access Control (IAM). The following screen will appear:

    Figure 4.8 – Access control (IAM)

  3. If you click on Roles, you will see all the roles available for this resource:

    Figure 4.9 – Available roles

  4. Next, click on Add and then Add Role Assignment.
  5. Under Role, choose Select a role, scroll down, and choose Virtual Machine User Login.
  6. Under the Assign access to option, we need to leave this set as Azure AD user, group, or service principal as we wish to assign this resource to a user.
  7. Finally, in the Select box, we need to type in the person's username and select it. You should then see something like this:

    Figure 4.10 – Add role assignment page

  8. Click Save.
  9. Now that we have created our role assignment, we can view it by clicking Role Assignments, as shown here:

    Figure 4.11 – Viewing the role assignment

  10. We can easily remove the role assignment should we need to by selecting it and clicking on Remove.
  11. From the Access Control (IAM) pane, we also have the options to Check access and configure Deny Assignments.
  12. We have now successfully configured a role assignment for our user to enable them to access the resources they need using RBAC.

Managing RBAC using PowerShell

It is also possible to configure settings for RBAC using PowerShell. To do this, you will need one of the following:

  • PowerShell in the Azure Cloud Shell
  • Azure PowerShell

The easiest way to connect to Azure PowerShell is to launch it directly from the Azure portal from the Cloud Shell button on the top bar, as shown here:

Figure 4.12 – Azure Cloud Shell

Selecting the Cloud Shell button will immediately open the shell at the bottom of the screen, as shown in the following screenshot:

Figure 4.13 – Azure Cloud Shell

Once you are connected to Azure PowerShell, you can get a list of the available RBAC roles by typing the following:

Get-AzRoleDefinition

This returns a complete list of the available roles, as shown in the following screenshot:

Figure 4.14 – Role definition results

In the previous section, we used the Azure portal to grant the user, James Smith, access to the Virtual Machine User Login role. Using the Azure Cloud Shell, we can enter the following command to verify that this role was assigned successfully:

Get-AzRoleAssignment -SignInName james.smith@chrysalistech.onmicrosoft.com

From the following screenshot, we can see that it was assigned successfully:

Figure 4.15 – Get-AzRoleAssignment result

Instead of using the Azure portal to set the role for our user, we could have done the same from the Azure Cloud Shell by entering the following command. Note that a role assignment always applies at a scope: without the resource parameters shown here, the command does not target chrysalis03 specifically, so they are included to restrict the assignment to that single VM (the resource group name is not given in this chapter; substitute your own):

New-AzRoleAssignment -SignInName james.smith@chrysalistech.onmicrosoft.com -RoleDefinitionName "Virtual Machine User Login" -ResourceGroupName <resource-group-of-chrysalis03> -ResourceName chrysalis03 -ResourceType Microsoft.Compute/virtualMachines

As we have already set this role via the Azure portal for James Smith, the following screenshot shows the command that's used to activate the same role for another of our tenant users, Jane Bloggs, using the Azure Cloud Shell:

Figure 4.16 – Adding a role assignment using Azure Cloud Shell
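The following script is an added example and is not code from the book or from Microsoft; it ties together the three components of a role assignment described earlier in this chapter (security principal, role definition, scope) with the Azure PowerShell cmdlets used in this section. It assumes you have already run Connect-AzAccount in the Azure Cloud Shell and hold Owner or User Access Administrator on the VM. The sign-in name for Jane Bloggs is constructed to follow the tenant naming used in this chapter, and the resource group name is a placeholder because the chapter does not state it.

```powershell
# Added example (not from the book): assign "Virtual Machine User Login" on one VM only, then verify it.
# Assumptions (not given on the page): Connect-AzAccount has been run; the resource group is a placeholder;
# the Jane Bloggs sign-in name is constructed to match the chapter's tenant naming.
param(
    [string]$SignInName    = 'jane.bloggs@chrysalistech.onmicrosoft.com',  # constructed sample value
    [string]$VmName        = 'chrysalis03',
    [string]$ResourceGroup = '<resource-group-of-chrysalis03>',           # placeholder: substitute yours
    [string]$RoleName      = 'Virtual Machine User Login'
)

# 1. Role definition: inspect what the role actually permits before handing it out.
#    Actions are control-plane permissions; DataActions are data-plane (the VM login itself).
$role = Get-AzRoleDefinition -Name $RoleName
Write-Host "Control-plane actions for '$RoleName':"; $role.Actions
Write-Host "Data-plane actions for '$RoleName':";    $role.DataActions

# 2. Scope: resolve the narrowest scope that does the job, the VM's own resource ID,
#    rather than the resource group or subscription.
$vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$scope = $vm.Id

# 3. Security principal + role + scope = assignment. Get-AzRoleAssignment -Scope also
#    returns inherited assignments, so filter to the exact scope to keep this idempotent.
$existing = Get-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $RoleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $RoleName -Scope $scope
} else {
    Write-Host "Assignment already present at $scope; nothing to do."
}

# 4. Verify, and flag anything the user holds that is broader than this one VM
#    (an assignment at resource-group or subscription scope would show up here).
Get-AzRoleAssignment -SignInName $SignInName |
    Select-Object RoleDefinitionName, Scope,
        @{ n = 'BroaderThanVm'; e = { $_.Scope -ne $scope } } |
    Format-Table -AutoSize
```

Step 4 is the check a reviewer wants after any assignment: the list should contain exactly the VM-scoped Virtual Machine User Login entry, and any row marked BroaderThanVm as True is a candidate for removal under least privilege.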

Important note

Further information about using PowerShell to configure RBAC can be found in the References section at the end of this chapter.

Monitoring RBAC

From a security standpoint, it is extremely important for Azure AD administrators to regularly monitor for any changes that have been made to RBAC role assignments in their Azure subscriptions. Whenever such a change is made, it is recorded in the Azure Activity Log. The Activity Log retains these entries for the previous 90 days only.

The logs enable you to see when a role assignment (built-in or custom created) has been created or deleted.

The simplest way to view the Azure Activity Log is from within the Azure portal. As shown in the following screenshot, we can see the role assignment we created earlier in this chapter to grant our user, James Smith, the role of Virtual Machine User Login:

Figure 4.17 – User role assignment

If we drill down further, we will be able to see more details of this log event, which includes the following sections:

  • Summary
  • JSON
  • Change history (Preview)

You will see these details displayed as follows:

Figure 4.18 – Create role assignment

The activity log results may be filtered as required, and also downloaded to a .csv file.

Important note

Azure PowerShell and Azure CLI may also be used to monitor RBAC. Further information on this may be found in the References section at the end of this chapter.
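As an added example (not code from the book or from Microsoft), the following Azure PowerShell script performs the monitoring described above from the Cloud Shell instead of the portal: it pulls role-assignment creations and deletions from the Activity Log, lists who made each change and at what scope, flags subscription-wide changes for review, and exports the result to a .csv file in the same way as the portal download. It assumes Connect-AzAccount has been run and that the account can read the subscription's Activity Log; the 30-day window and the output file name are choices made for this example.

```powershell
# Added example (not from the book): review RBAC role-assignment changes in the Azure Activity Log.
# Assumes Connect-AzAccount has been run and the caller can read the subscription's Activity Log.
# The Activity Log only keeps 90 days, so -StartTime must stay within that window; export regularly.
$since = (Get-Date).AddDays(-30)   # example window; anything older than 90 days is no longer available

# Role assignment writes/deletes are recorded under the Microsoft.Authorization resource provider.
$changes = Get-AzActivityLog -ResourceProvider 'Microsoft.Authorization' -StartTime $since -DetailedOutput |
    Where-Object { $_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*' }

# Who changed what, where, and when. ".../roleAssignments/write" = created, ".../roleAssignments/delete" = removed.
$report = $changes |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Action'; e = { $_.Authorization.Action } },
        @{ n = 'Scope';  e = { $_.Authorization.Scope } } |
    Sort-Object EventTimestamp -Descending

$report | Format-Table -AutoSize

# Flag changes made at subscription scope: these have the widest reach and deserve a second look.
# The recorded scope may be the subscription itself or the role-assignment resource directly under it.
$subscriptionWide = '^/subscriptions/[^/]+(/providers/Microsoft\.Authorization/roleAssignments/[^/]+)?$'
$report |
    Where-Object { $_.Scope -match $subscriptionWide } |
    ForEach-Object {
        Write-Warning "REVIEW: $($_.Caller) performed $($_.Action) at subscription scope on $($_.EventTimestamp)"
    }

# Keep evidence beyond the 90-day retention, mirroring the portal's CSV download.
$report | Export-Csv -Path .\rbac-changes.csv -NoTypeInformation
```

Running this on a schedule (for example weekly) and keeping the exported files is what turns the 90-day log into a usable audit trail; comparing consecutive exports also reveals assignments that were created and removed between two reviews.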

Now that we have introduced you to the principles of RBAC, we will spend the rest of this chapter looking at Privileged Identity Management in Azure AD.