Thursday, January 17, 2019

RBAC-Custom Roles In Azure



Windows Azure storage is a cloud storage service that is highly durable, available, and scalable. Once your data is stored in Azure storage, you can access it any time and from anywhere. It provides four abstractions (services): Blob storage, Table storage, Queue storage, and File storage. Each of these has a different role to play; you can get more information here…


If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. 


Exercise 1: Create Custom RBAC Role

The main tasks for this exercise are as follows:
1. Download the closest built-in role which performs this task
2. Open the file Role.json from the given location and perform the updates below
3. Create the custom role from the updated file


Task 1: Download the closest built-in role which performs this task


Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" |ConvertTo-Json |Out-File "C:\Users\utkar\OneDrive\Desktop\Role.json"

Task 2: Open the file Role.json from the given location and perform the updates below


1. As this will become a custom RBAC role, remove the Id and IsCustom entries
2. Change the name and description in this file
   a. "Name":  "Virtual Machine Operator",
   b. "Description":  "Allows user to monitor virtual machines, and restart them.",
3. Update the entire Actions section with the content below (the trailing comma is correct, since NotActions follows it in the file):
"Actions":  [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Support/*",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
],

Note: to list the operations a resource provider exposes (here, virtual machines), so you can confirm each action string you put in the role is a real operation:
    Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/VirtualMachines/*" |ft operation

Task 3: Create the custom role from the updated file

New-AzureRmRoleDefinition -InputFile "C:\Users\utkar\OneDrive\Desktop\Role.json"
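The three tasks above can also be done without hand-editing Role.json, by modifying the role object in memory and passing it to New-AzureRmRoleDefinition -Role. The script below is an added example, not code from the original post; it uses the role name, description and Actions list given in Task 2, assumes the AzureRm module is loaded and Login-AzureRmAccount has been run, and adds two things the text does not show: it restricts AssignableScopes to the current subscription (a custom role cannot keep the built-in role's "/" scope), and it checks every non-wildcard action against Get-AzureRmProviderOperation before creating the role.

```powershell
# Added example (not from the original post): build the custom role from Tasks 1-3
# by editing the role object in memory instead of a JSON file.
# Assumes: AzureRm module loaded, Login-AzureRmAccount already run.

$subscriptionId = (Get-AzureRmContext).Subscription.Id

# Task 1 equivalent: start from the closest built-in role
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"

# Task 2 equivalent: drop the built-in identity and mark the role as custom
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Virtual Machine Operator"
$role.Description = "Allows user to monitor virtual machines, and restart them."

# Replace the inherited Actions with the reduced set from Task 2
$allowedActions = @(
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Support/*",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
)
$role.Actions.Clear()
foreach ($action in $allowedActions) { $role.Actions.Add($action) }
$role.NotActions.Clear()

# Custom roles cannot be assignable at "/" (the built-in role's scope),
# so limit the role to the current subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Sanity check before creating: every non-wildcard action must be a real
# provider operation (the check the note in Task 2 points at).
$unknown = $allowedActions |
    Where-Object { $_ -notmatch '\*' } |
    Where-Object { -not (Get-AzureRmProviderOperation -OperationSearchString $_) }
if ($unknown) {
    throw "Unknown operations in role definition: $($unknown -join ', ')"
}

# Task 3 equivalent: create the role from the object rather than -InputFile
New-AzureRmRoleDefinition -Role $role

# Verify what was actually created and review the effective permissions
Get-AzureRmRoleDefinition -Name "Virtual Machine Operator" |
    Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes |
    Format-List
```

The final Get-AzureRmRoleDefinition call is worth keeping in any script like this: it shows the role exactly as Azure stored it, which is the place to confirm that no wildcard action grants more than the "monitor and restart" intent of the role description.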




Exercise 3: Create a User and assign the RBAC Role


Task 1: Create a user in the default Azure Active Directory.


1. In the navigation pane on the left side of the Azure Portal, click All services.
2. In the All services blade that displays, click Azure Active Directory.
3. In the Azure Active Directory blade that displays, click All users.
4. At the top of the All users blade, click the New user button.



5. Fill in the details and click Create.

6. Copy the user name and password; you will be prompted to change this password on your first login.

Task 2: Assign the previously created custom role to this new user.


1. In the navigation pane on the left side of the Azure Portal, click All services.
2. In the All services blade that displays, click Subscriptions.
3. Select the subscription to which you want to assign this role.
4. In the Subscription blade that displays, click Access control (IAM).
5. Click Add and select Add role assignment.



6. Fill in the details below:
   o Role: Compute Operator
   o Assign access to: Azure AD user, group, or service principal
   o Select: Computer operator

7. Click Save
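The same two tasks (create the user, assign the custom role at subscription scope) done with AzureRm cmdlets, as an added example that is not part of the original post. It assumes Login-AzureRmAccount has been run with an account allowed to create users and role assignments, that the custom role created in Exercise 1 is named "Virtual Machine Operator" (the name from Task 2 of that exercise), and it uses a placeholder tenant domain in the user principal name. It adds one step the portal walkthrough does not show: listing the user's assignments afterwards to confirm that this one role at this one scope is all they hold.

```powershell
# Added example (not from the original post): Exercise 3 with AzureRm cmdlets.
# Assumes: Login-AzureRmAccount already run; custom role "Virtual Machine Operator"
# exists (from Exercise 1). The tenant domain below is a placeholder.

$upn      = "vmoperator@<your-tenant>.onmicrosoft.com"   # placeholder, replace
$roleName = "Virtual Machine Operator"
$scope    = "/subscriptions/$((Get-AzureRmContext).Subscription.Id)"

# Task 1 equivalent: create the user. Prompt for the initial password instead
# of hard-coding it, and force a change at first sign-in as the portal does.
$initialPassword = Read-Host -Prompt "Initial password for $upn" -AsSecureString
$user = New-AzureRmADUser -DisplayName "VM Operator" `
    -UserPrincipalName $upn `
    -MailNickname "vmoperator" `
    -Password $initialPassword `
    -ForceChangePasswordNextLogin

# Task 2 equivalent: assign the custom role at subscription scope only.
New-AzureRmRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName $roleName `
    -Scope $scope

# Verify: the user should hold exactly this assignment at this scope and
# nothing broader (e.g. no leftover Contributor or Owner assignment).
Get-AzureRmRoleAssignment -ObjectId $user.Id |
    Format-Table RoleDefinitionName, Scope, ObjectType
```

If the role is later tightened or removed, Remove-AzureRmRoleAssignment with the same -ObjectId, -RoleDefinitionName and -Scope undoes the assignment; re-running the Get-AzureRmRoleAssignment check afterwards confirms it is gone.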