Manage and Secure resources using Azure Resource Groups and Role Based Access Control for Management of Azure

Azure has so many different components and features. And over the time Azure subscription has been a way for giving access to the users. Once a user has access to Azure subscription a user pretty much can perform any task. But as you start introducing more and more workloads to Azure, it is difficult to manage and keep of users who are performing several tasks in Azure.

So in order to solve this challenge we have introduced Role Based Access Control (RBAC) support in the Azure platform. The RBAC feature is available in Azure preview portal. Before I start covering more around RBAC, I would like to talk briefly about Azure Resource Groups. Last year we announced Azure Resource Groups. When we talk about applications, which means we are talking about several components like front end web apps, backend database servers, middle tiers or business logic tiers etc. And in Azure it’s always been treated all these different components of any application as a single resource. Subsequently you would have to perform all the operations on these single resources that would consume a lot of time.

Well, Resource Groups allow you to manage all your resources in an application together. Azure Resource Manager allows you manage these multiple resources together as a single resource group so that you can effectively manage them. Additionally, with the help of RBAC it makes is super easy to assign permission to these Resource Groups so that only relevant users can have access to these resources in the Resource Group.

In the Azure preview portal, whenever you create any resource, it is always part of a resource group. Whether you create a virtual machine, web app or database it is part of a resource group. A resource group is like a container that will have the RBAC permissions applies for specific set of users.

As you are familiar every Azure subscription is associated to the Azure Active Directory. Users and Services, which are part of the Azure subscriptions need to authentication with Azure Active Directory. RBAC allows you to grant appropriate permissions to Azure Active Directory users, groups and services by assigning roles to a specific subscription or maybe an individual resource level. The access will be granted based upon the type of role assigned to the users.

RBAC

Role Permissions

In this first preview we are pre-defining three built-in Azure roles that give you a choice of granting restricted access:

  • A Owner can perform all management operations for a resource and its child resources including access management.
  • A Contributor can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to others.
  • A Reader has read-only access to a resource and its child resources. A Reader cannot read secrets.

Courtesy: http://weblogs.asp.net/scottgu/azure-sql-databases-api-management-media-services-websites-role-based-access-control-and-more

At this time you cannot define custom roles but you use built-in roles. You can read more about built-in roles here http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/#built-in-roles

In the following example we will create a resource group and then subsequently assign permission to certain users using RBAC.

Open up the new Azure preview portal and create a new application that will have a multiple virtual machines, database and a web app. To access new Azure preview portal visit https://portal.azure.com

Our sample Resource Group will have following components

  • Virtual Machine – Windows Server 2012 R2 (AVI-DC.cloudapp.net)
  • Virtual Machine – SQL Server 2014 running on Windows Server 2012 R2 (AVI-SQL.cloudapp.net)
  • Web Apps (AVIRAJ-DEV.azurewebsites.com)
  • Virtual Network – AVI-DC
  • Resource Group Name: MSFT-DEV

Create Resource Group called MSFT-DEV with above components

Step 1: Click on New then click on Compute then click on Windows Server 2012 R2 Datacenter

ARM_RBAC_01

In the Create VM section, fill in the details for Host Name, User Name and Password. Now click on RESOURCE GROUP then click on Create a new resource group. Enter MSFT-DEV and click OK.

Step 2: Once done, check the details once more and click on Create.

ARM_RBAC_02

Step 3: Similarly, create a SQL Server 2014 Enterprise on Windows Server 2012 R2 virtual machine. Click on New then click on Compute then click on SQL Server 2014 Enterprise on Windows Server 2012 R2.

ARM_RBAC_03

In the Create VM section, fill in the details for Host Name, User Name and Password. Now click on RESOURCE GROUP then in the User an existing resource group section click on MSFT-DEV. Once done, check the details once more and click on Create.

Step 5: Click on New then click on Web + Mobile then click on Web app.

In the Web app section, fill in the details for URL and choose CREATE NEW APPSERVICE PLAN. Now enter a plan name like AVI-DEV-WEB.

ARM_RBAC_04

Now click on RESOURCE GROUP then in the User an existing resource group section click on MSFT-DEV. Once done, check the details once more and click on Create.

Step 10: To verity the Resource Group MSFT-DEV, click on BROWSE, Filter by Resource groups and click on MSFT-DEV resource group. Now take a look at the resources like virtual machines, web app and virtual network in the resource group.

ARM_RBAC_05

Assign permissions for the MSFT-DEV Resource Group using Role Based Access Control (RBAC)

Now that we have our resource group created, we will need to assign specific permission to the set of users who will have access to this particular resource group and the resources in this resource group.

For the demonstration purpose we will add a new user called aviraj@outlook.com to this resource group and we will assign Reader role permissions to the resource group MSFT-DEV. Now, other administrators or Owners will have full access to the resource group, it means they can create/modify/delete the resources within the group or also grant access to other users. However, the Reader role permission will only have read only access to the resources in the resource group.

Step 1: We will continue from previous step. In the MSFT-DEV resource group. Click on Access icon then click on Add.

ARM_RBAC_06

Step 2: Click on SELECT A ROLE. You will notice there are several built-in roles available. As we progress through the features, we will add more roles to the RBAC. Now click on Reader.

ARM_RBAC_07

Step 3: Click on ADD USERS. Enter users email id, it could be Microsoft Account (Live, Hotmail or Outlook etc.) or Azure Active Directory Organization ID. Once entered click on the username aviraj@outlook.com and click on Select.

ARM_RBAC_08

Step 4: Once added appropriate ROLE and USER click on OK.

ARM_RBAC_09

Step 5: Once completed you will see the newly added user and its associated role and access type.

ARM_RBAC_10

Test the RBAC Permissions assigned for the Resource Group called MSFT-DEV

Step 1 – OWNER ACCESS: Make sure you are still logged in with the original administrator account and access MSFT-DEV resource group. Click on Virtual Machines and click on virtual machine AVI-DC or AVI-SQL that we just created.

RBAC-BEFORE

Notice that in the AVI-DC Virtual Machine you will have all the access permissions for Virtual Machine like Settings, Connect, Start/Stop or Restart, Capture or even Delete Virtual Machine. That’s because you are a Subscription Admin with Owner permission. Check the Step 5 screenshot from previous section.

Step 2 – READER ACCESS: In this example, I have signed out with my primary administrator or owner account. Now, I logged into the Azure preview portal using my aviraj@outlook.com email account for which we have just assigned Reader role permission for resource group MSFT-DEV.

Once logged in click on BROWSE then click on Resource groups and click on MSFT-DEV. Click on Virtual Machines and click on virtual machine AVI-DC or AVI-SQL that we just created. 

RBAC-AFTER

Notice that in the AVI-DC Virtual Machine you will not have all the access permissions for Virtual Machine like Settings, Connect, Start/Stop or Restart, Capture or even Delete Virtual Machine. That’s because you are not a Subscription Admin with Owner permission. Check the Step 5 screenshot from previous section.

Because this time we have logged in as aviraj@outlook.com user who has Reader permissions, we can only see the Settings but cannot perform any additional operations. That’s because of the Role Based Access Control (RBAC) feature.

Just a last note that Role-based access control is supported only for management operations of the Azure resources in Azure Preview portal and Azure Resource Manager APIs. You can also use PowerShell cmdlets for Role Assignments.

So that’s how the Azure Resource Manager and Role Based Access Control (RBAC) features work hand in hand to deliver a secure access authentication and authorization model. I hope you will enjoy this & try these new features with your Azure subscription. Enjoy.

Technical Specialist at Microsoft Corporation.
In his present role he is part of Enterprise Partner Group in New York City. He is working with the Enterprise Customers & Partners across New York Metro District.

1 Comment

Leave a Reply