Tutorial / Cram Notes
Creating and assigning custom roles in Microsoft Azure lets organizations give users exactly the permissions they need to do their job and no more, since excess access creates security risk. Within the Azure environment, custom roles can be created both as Azure roles, which are used to manage Azure resources, and as Azure AD roles, which are used to manage Azure Active Directory resources.
Custom Azure Roles
Custom Azure roles are an extension of the built-in roles provided by Azure, such as Owner, Contributor, and Reader. They allow you to define a set of permissions that precisely match your organization’s needs. To create a custom role, you can start from scratch or clone an existing role and then modify its permissions.
To create a custom Azure role:
- Search for and select “Subscriptions” in the Azure portal.
- Choose the subscription where you want to create the role.
- Click on “Access control (IAM)” and then select “Add a custom role”.
- Enter a name and description for the new role.
- Optionally, clone a role to use as a starting point.
- Add or remove permissions as needed from the list of available permissions.
- Review and create the role.
For example, you might create a “Storage Account Key Operator” role that only provides the necessary permissions to manage keys for Storage Accounts.
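The same custom role expressed as the JSON role definition that New-AzRoleDefinition consumes, together with a small checker for how Azure evaluates it. This is an added example, not code from the original notes or from Microsoft; the subscription ID is a placeholder, and the role name and the review rules are this example's own choices. It shows how Actions and NotActions combine into an effective permission, how AssignableScopes limits where a role can be assigned, and a pre-creation review that catches definitions that would undermine least privilege.

```python
import json
import re

# Constructed example: a least-privilege custom role for storage account key
# management, in the JSON shape that New-AzRoleDefinition consumes. The
# subscription ID in AssignableScopes is a placeholder, not a real one.
STORAGE_KEY_OPERATOR_ROLE = json.loads("""{
  "Name": "Storage Account Key Operator (custom)",
  "Description": "Can list and regenerate storage account keys, nothing else.",
  "Actions": ["Microsoft.Storage/storageAccounts/read",
              "Microsoft.Storage/storageAccounts/listkeys/action",
              "Microsoft.Storage/storageAccounts/regeneratekey/action"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")

def _matches(pattern: str, operation: str) -> bool:
    """'*' is the only wildcard in Azure operation strings; matching ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def permits(role: dict, operation: str) -> bool:
    """Effective permission: an Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied

def can_assign_at(role: dict, scope: str) -> bool:
    """A role is assignable only at an AssignableScopes entry or a child of one."""
    target = scope.lower().rstrip("/")
    for allowed_scope in role.get("AssignableScopes", []):
        allowed_scope = allowed_scope.lower().rstrip("/")
        if target == allowed_scope or target.startswith(allowed_scope + "/"):
            return True
    return False

def review(role: dict) -> list:
    """Flag definition problems worth catching before the role is created."""
    findings = []
    if not role.get("AssignableScopes"):
        findings.append("AssignableScopes is empty; the role could not be assigned anywhere")
    for action in role.get("Actions", []):
        if action.startswith("*"):
            findings.append(f"Actions entry '{action}' spans every resource provider")
    # Writing role assignments lets a principal grant itself more rights.
    if permits(role, "Microsoft.Authorization/roleAssignments/write"):
        findings.append("role can write role assignments, enabling self-escalation")
    return findings
```

Run `review()` against a definition before handing it to New-AzRoleDefinition; an empty list means none of the checks fired.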
Assigning Custom Azure Roles
After creating a custom role, you can assign it to a user, group, service principal, or managed identity.
- In the Azure portal, navigate to the resource where you want to assign the role.
- Click on “Access control (IAM)”.
- Select “Add role assignment”.
- Choose the custom role you created from the list.
- Find the security principal (user, group, or service principal) to which you wish to assign the role.
- Select the appropriate principal and click “Save”.
Custom Azure AD Roles
Azure Active Directory (Azure AD) roles are used to manage Azure AD-related services. Custom Azure AD roles can be crafted to suit the unique needs of your organization for managing identities and access to applications.
To create a custom Azure AD role:
- Navigate to the Azure AD admin center.
- Select “Roles and administrators” from the left sidebar.
- Click on “+ New custom role” to start the creation process.
- Provide a name and description for the role.
- Customize the permissions by selecting from predefined permissions that determine what role members can manage.
- Assign the role scope, such as a specific Azure AD directory role, group, or application.
- Review and create the role.
For instance, you might create a “Groups Administrator” role with permissions tailored to manage Azure AD groups exclusively without granting full directory rights.
Assigning Custom Azure AD Roles
Once the custom Azure AD role is created, you can assign it to the appropriate users.
- In the Azure AD admin center, go to the “Roles and administrators” section.
- Find your custom role and click on it.
- Click on “Add assignments”.
- Search for the users to whom you want to assign the role.
- Select the users and confirm the assignment.
Comparison of Azure Roles and Azure AD Roles
| Criteria | Azure Roles | Azure AD Roles |
|---|---|---|
| Focus | Management of Azure resources | Management of Azure AD resources |
| Examples | Virtual Machine Contributor | User Administrator |
| Customization | Can create and assign custom roles | Can create and assign custom roles |
| Access | Managed at the subscription, resource group, or resource level | Managed at the directory level |
| Assignment Scope | Can be scoped to multiple levels (e.g., resource, resource group, subscription) | Generally scoped to the entire directory or to specific objects within the directory |
In conclusion, custom Azure and Azure AD roles are powerful tools for fine-tuning access controls and enforcing the principle of least privilege. By managing these roles and their assignments carefully, you secure your Azure-based resources and the identities tied to them, which plays a critical role in maintaining operational security and efficiency and falls squarely within the scope of the AZ-500 Microsoft Azure Security Technologies exam.
Practice Test with Explanation
True or False: Custom roles can be created in Azure AD but not in Azure RBAC.
- False
Custom roles can be created in both Azure AD for controlling access to Azure AD resources and in Azure RBAC for managing access to Azure resources.
In Azure, who can create custom roles?
- A. Any user with read-only permissions
- B. Users with the Owner role
- C. Users with the User Access Administrator role
- D. Only the Global Administrator in Azure AD
B and C
Users with the Owner role or the User Access Administrator role on a subscription or resource can create custom roles in Azure RBAC.
True or False: The “AssignableScopes” property of a custom role defines which groups or users can be assigned the role.
- False
The “AssignableScopes” property defines the scopes (subscriptions, resource groups, or resources) at which the custom role can be assigned, not the users or groups who can be assigned the role.
True or False: Azure AD roles can be used to manage resources in Azure Resource Manager.
- False
Azure AD roles are used for managing access to Azure AD resources, while Azure RBAC roles are used to manage resources in Azure Resource Manager.
Which of the following actions is required before deleting a custom role in Azure?
- A. Remove all assignments of the role
- B. Deactivate the role
- C. Get approval from the Global Administrator
- D. There are no specific actions required
A
Before deleting a custom role, you must remove all assignments of that role.
True or False: Custom roles in Azure are automatically available to assign in all subscriptions within the tenant.
- False
Custom roles are scoped to the level at which they were created unless explicitly made available at other scopes through the “AssignableScopes” property.
Which PowerShell cmdlet is used to create a new custom role in Azure?
- A. New-AzRoleDefinition
- B. Set-AzRoleDefinition
- C. Create-AzRoleDefinition
- D. Add-AzRoleDefinition
A
The “New-AzRoleDefinition” cmdlet is used to create a new custom role in Azure using a role definition file in JSON format.
True or False: When creating a custom role, the “Actions” property specifies the set of operations that can be performed on resources.
- True
The “Actions” property in the role definition specifies the operations that the role allows on resources.
Which Azure CLI command is used to list all the Azure AD roles within a directory?
- A. az ad sp list
- B. az role definition list
- C. az role assignment list
- D. az ad role definition list
D
The command “az ad role definition list” is used to list all the Azure AD roles within a directory.
True or False: Azure AD roles and Azure RBAC roles can be used interchangeably.
- False
Azure AD roles and Azure RBAC roles serve different purposes and cannot be used interchangeably. Azure AD roles manage access to Azure AD resources, while Azure RBAC roles control access to Azure resources in Azure Resource Manager.
When assigning a custom role in Azure, which of the following fields must be specified?
- A. The role name
- B. The principal ID
- C. The assignment name
- D. The scope
B and D
When assigning a role, the principal ID of the user, group, or service principal receiving the role and the scope at which the role is being assigned must be specified.
True or False: Azure custom roles can be shared between tenants.
- False
Custom roles are specific to the tenant they were created in and cannot be shared between different Azure AD tenants.
Interview Questions
What are custom roles in Azure Role-Based Access Control (RBAC)?
Custom roles in Azure RBAC are a set of permissions that you define and can use to manage access to Azure resources.
What are the two main types of custom roles in Azure RBAC?
The two main types of custom roles in Azure RBAC are Azure roles and Azure AD roles.
How can you create an Azure role?
You can create an Azure role by defining a role definition that specifies the actions and operations that are allowed or denied for the role.
How can you create an Azure AD role?
You can create an Azure AD role by creating a custom role using Azure AD Privileged Identity Management (PIM) or by creating a custom role in Azure AD Access Reviews.
What are the steps to create a custom role in Azure RBAC?
The steps to create a custom role in Azure RBAC include defining the role definition, creating the role, and assigning the role to a user, group, or service principal.
How do you assign a custom role to a user, group, or service principal?
You can assign a custom role to a user, group, or service principal by creating a role assignment that links the role definition to the user, group, or service principal.
What is a role definition in Azure RBAC?
A role definition in Azure RBAC is a collection of permissions that define what actions and operations are allowed or denied for a role.
What are the built-in roles in Azure RBAC?
The built-in roles in Azure RBAC include Owner, Contributor, Reader, User Access Administrator, and others.
What is the difference between an Azure role and an Azure AD role?
An Azure role is used to manage access to Azure resources, while an Azure AD role is used to manage access to Azure AD resources and features.
How can you manage custom roles in Azure RBAC?
You can manage custom roles in Azure RBAC by editing the role definition, modifying the role assignment, or removing the role assignment or role definition.
Creating custom roles in Azure is a real game-changer for our security posture.
Thanks for the great blog post!
Anyone having trouble with the JSON format when creating custom roles?
How does this differ from using predefined roles in Azure?
Appreciated, very helpful information!
In what scenarios should I consider using Azure AD roles over Azure roles?
Is there a limit to the number of custom roles you can create?
How do you monitor the usage of custom roles?