AZ-500 Microsoft Azure Security Engineer Associate Topic: Governance and Role-Based Access Control (RBAC)
December 14, 2022

1. Lecture: RBAC Overview

Naturally, one of the most important aspects of Azure is access management. Given that there’s so much infrastructure that we’re putting out in the public cloud, we need to find a way to secure it and lock it down so only the right people can access it and have the appropriate rights. And the way we do that is by using RBAC, also known as role-based access Access Control. And in Azure, the way it works is we have Azure Active Directory, so we create our users, our apps, and our groups.

You saw in the previous module about service principles that we can give an app, as well as a permission set, and then scope it. So we assign the apps, the users, and the groups to specific objects in Azure with a specific role. And the way that works as well is that there are a number of built-in roles in Azure. As an example, consider Owner. This one has full access to all resources, and it also includes the right to delegate access to others. Then we have the contributor role, which is similar to the owner role with the only difference being that it can’t grant access to other people. So it has all the permissions. In Azure, if you gave the Contributor right to someone in the subscription, they could still do everything in Azure, but they couldn’t give new access out. Then we have the reader role. And this is often used by monitoring tools and other third-party tools like that as well, where they can view existing resources but cannot perform any actions.

Maybe you have a managed service provider who only needs to read Access to Environment. That’s where the reader role comes in handy. And then there’s a whole host of other roles, and you can click the link here. Indeed, we have a summary on this page, and you can see that there are a variety of roles for things like automation operator, backup operator, backup reader, and so on. And so Microsoft has created this subset of roles to kind of match a lot of the things that you might do in your department. You know, virtual machine operators are a good example. You might just want to have a VM administrator from the operations side have a role on a specific resource group so they can manage those VMs. That’s a great example there. However, if you click on this link and scroll down, you will see a list of all those roles. And if you select one of them, we’ll just select “Contributor,” and it will show you all the various actions and not actions available for that role, which we will get into a little bit later on. But know that this page exists for you.

The next thing is, how do we define how the roles work? And you may have seen briefly on that page the concept of action. So the roles include various actions that people can perform. Essentially, they define what type of operation you can perform on a resource type and what actions you cannot perform. So there are no actions and actions that you have been granted; right allows you to perform put, post, patch, and delete operations on a resource. So think of it from a restrained stance. You can make arrest requests against the resource providers in Azure. If we’ve got write access, we can do all of these kinds of updates, posts, and so and et cetera.And Read enables us to perform just get operations, so we can do any get operation against any of those resource providers. You can use PowerShell to get the latest roles, so they’re certainly available on the Microsoft website. However, I strongly advise you to be familiar with the command get azure.rm role definition. You can simply type that in PowerShell against your subscription, and it will tell you all of the roles available to you there. Now, the resulting user rights are always a combination of the user plus the role.

So just think of it in this context. We’ve got our user, we’ve got our role with its various actions, and the resulting rights obviously overlap somewhere in the middle there, depending on what you scoped for that particular user. If none of the roles in the built-in list suit you, you can now create custom roles. And, in essence, these are just roles with your own actions, rather than actions available to you. Each tenant can have up to 2,000 roles associated with it. As previously stated, it employs the same actions and not actions. And you’ve still got assignable scopes that you need to define in the custom role. So as opposed to when we kind of show you in the demonstration how to assign a role to a specific area, when you define the custom role, which is a JSON template, you do give it an assignable scope as well. So this could be subscriptions, individual resources, or resource groups that you’ll allow this particular custom role to be assigned to. And if we look at one of these in Visual Studio code, you can kind of see the layout that we have here. So on top, we’ve got our name and our role. So I’m going to call this one Skylines VM operators, for example. We give it a description.

So in this case, this one can monitor and restart virtual machines. And if you look through the actions, all of them come from the resource provider. So things like Microsoft Storage are stars. So that’s everything in Microsoft Storage; we’ve got read, access everything in the network, read, access everything in compute, read, and access. And in addition, we’re given the option to start and restart virtual machines in the Compute section as well. Others include authorization subscription read access to Insight Alert rules, diagnostics, and support. And this is because it’s not just the virtual machine. We decided we wanted the user to be able to monitor as well. So they need these additional pieces. There are no not-actions in this example. And you can see the assignable scope concept there. In this case, it’s just a particular subscription that this role is allowed to be assigned to. So hopefully, that gives you an overview of the roles in Azure. And I encourage you to kind of just put this into practise and do this in the upcoming demo.

2. Demo: Implement Role-Based Access

And in the portal, the first thing we need to do is navigate to Azure Active Directory on the left hand side and look at the users we have. If we select Users, you can see I’ve got two users there plus a built-in user. So. Nick Collier, Brett Bossik These are two member users in Azure Active Directory. Go back; we can also see groups, and if we want to, we can create a new group and include various users in that group.

So this way, if we want to grant permissions to lots of people, we don’t need to go and do it on an individual basis. We can create a group type. So choose a security group and give us the group name “Skylines Readers.” So, this is Readersoni, and you should select the membership type that has been assigned to you. And in this case, I’m just going to select Brett as the user I’m going to assign to this group. So that’s done. Go ahead and create that group. It takes a few seconds, and that’s completed. And now we want to go about assigning permissions to that user or group for resources, and we can do this at a couple of levels. So first of all, we’ll go to the subscription by typing “subscription” at the top and selecting, in this case, the “My Page You Go” subscription that we’re using for these demos. And you’ll see this tab appear on almost every service in Azure, which is IAM, Access Controls, Identity, and Access Management. And if we go in there, you can see that we already have our users there, and we’re owners of the subscription already.

So we’re not going to fully create the read-writes because, like I said, we’re already owners. But if we select Add, we can choose the role. So in this case, if I wanted to choose Reader, I could simply select that. Or if I wanted to choose one of the other built-in roles that we talked about in the tutorial, they’re all here ready for you to use, but we’re going to choose reader on this occasion. And then I can assign access to an ad, user, group, or application. But no, I can also assign access to a virtual machine if I want to. Then I simply chose the people I wanted to grant access to so that I could select them by name. And you can also see that the group appears there. So I could simply select Skyline Readers and assign read access to the subscription to everybody in that group. And that’s basically it from a scoping point of view.

You can go and do this. If I discard the subscription level and let’s say I want to go and do this at the resource group, I can simply select a resource group, pick CellIdentity, and again, you’ve got that tab, Access Control. Go in and click Add on the top, and again, the same screen appears. I can select my role and read it; that’s what I wanted. and choose who I want to assign it to or the group of people that I want to assign it to. and that’s pretty much all there is to it. Like I said in the tutorials, if you want, you can create a custom role, and then, if we cancel out a permission, we would see those roles appear in our roles list. Then we’d do the same thing as before: we’d assign the custom role in the same way we’d assign a built-in role. It will just show up in the list now that we’ve created the custom role. And with that, this concludes this demonstration on role-based access.

3. Lecture: Azure Policy

One of the questions I get a lot from customers and anybody who uses Azure in general is just around governance and how they restrict things. How do we make sure people can’t make mistakes in the environment? And Azure policies are really a tool that allows us to enforce governance. We can say, “This is our policy around Azure,” and we want to enforce it so nobody can go outside the boundaries we’ve set in the portal or just via their Arm templates as well. And so Azure policies allow us to do that. They are either pre-programmed or custom-coded.

So you’ll see in the demonstration that there are a number of built-in policies you can simply apply, or you can go ahead and custom code one yourself, or just look on GitHub and see what the community has to offer. Now, they can be assigned to subscriptions as a whole, so they’ll affect everything in the subscription, or they can be more granularly assigned to specific resource groups. So if we’ve only given somebody permissions in a resource group and we want to put some policy around that specific resource group, we can do that as well. The way we do this is we first create the policy, and then we assign it. So when you look in the Azure Portal, or if you do it via PowerShell, you’ll create the policy first, and then you’ll scope it to those specific subscriptions or resource groups.

4. Demo: Implement Azure Region Policy

And simply choose an existing resource group or create a new one to experiment with. I’ll just pick one from a previous demonstration, and Policies can be found on the righthand side under settings. If we select Policies, we have the choice of Assignments or Policies, and we’ll get to Assignments in a moment. But first, let’s select Policies and see what’s available. These are all the built-in policies, including ones that are in preview, and if we scroll through these, you’ll see various ones like the apply tag and its default value.

Not allowing specific storage SKUs, not allowing specific virtual machine SKUs The one we want for this demonstration is “allowed locations,” and if we select that, we will see the details along with the JSON tab so we can actually copy this. I’m going to take it over to Visual Studio Code so you can see it a little better. We’ll paste it in there and change it from plain text to JSON, and you’ll see that the way the syntax works is with a bunch of if conditions. So if field location is not in the parameters that we’re going to pass in, When you see us do the assignment, it becomes effectuated, so you can see very quickly that you can grab some of these and start to construct your own policy templates if you want to. But let’s say we like this as is and want to go ahead and apply it. Let’s go back to the portal and go to Assignments. I’m going to zoom in a little here and select Add, and what will come up is our Add assignment screen, and we can select Policy first of all. So in our case, if we scroll all the way to the bottom again, we should see it here, in the allowed locations.

And now I simply need to select the locations I want so I can open up this dropdown, and I’m going to choose only the North Central US. everything else I wanted to deny. I’ll go give it a few more things. Again, the goal is to reduce arm counts, but for now, I’ll just call it Skyline North Central oni, and we’ll just give it a basic ID and hit okay. And that assignment is now created; it only takes about a second for it to complete successfully. And if I go to the top of my resource group, I’ll try to deploy a new resource into it, so we’ll add something like a storage account; let’s give it a basic name and scroll down. We’ll keep all the defaults for the storage account. We’ll say use existing for our resource group and select so many arm counts, and we’ll change the region. We’ll select West Central United States and generate some validation errors. Let’s select those, and you can see that the error type is “template deployment failed because of a policy violation,” and the details of the policy are there. so you can see very quickly. This is a great way to enforce some very quick governance for your Azure environment if you just want to put controls in place, if you don’t want anyone putting data in other countries, if you want to make sure everything stays in your locations, and if you want to restrict those large virtual machine types. 

5. Demo: Subscription Policies

In this demonstration, we’re now going to take a look at subscription policies, which are a way to enforce what you can do with your subscriptions. In this demonstration, we’re now going to shift our attention to subscription policies, which are a mechanism to control what people can do inside of your subscription. So, to begin with, head over to the Azure Portal. Okay. And here I am in the Azure Portal. And one of the things to note, first of all, is that in the previous demonstrations I was using an atrial account to kind of show you everything. At this point, I have shifted over to one of my other accounts. So don’t worry; everything will still proceed as normal. But you will see from time to time that I’m using different Azure accounts as I’m trying to demo things.

But nothing to be alarmed at. In your current account, you should be able to do everything you want. To begin, though, I’m going to go over the subscriptions, just like you saw when you created your trial account. But in my case right now, I’ve got Visual Studio Enterprise. And in some other demos, you’ll see I have other subscriptions as well. But for right now, I’m going to use my VisualStudio Enterprise account and I’m going to go in here. And if we scroll down on the left-hand side, you’ll see a section called Policies. And this is where we want to focus this demonstration on.If we click Policies on the right side, we can see that everything is currently 100% compliant. And that’s ultimately because I don’t have a lot of policies and a lot of resources right now in my subscription. But the key thing at the top here is—as you can see—that I can assign policies. So, if I click the “Policy” box, the next screen will prompt me to select my scope.

So this is where I want to assign the policy. In my case, I just want to choose the subscription. I don’t need to exclude any specific resources from this assignment. So I’m saying that I want to apply policy to everything in this subscription called VisualStudio Enterprise. Well, again, what is our policy? And this is where you create a definition for your policy. You can also use one that is already built in. So you can click the little box to the right, and this will open up all the different policy definitions. In fact, there are 144 right now available to you. You can create these as JSON templates and put them in here as well. This is where Microsoft has massively expanded its policies because they’ve taken all the best practises from lots of enterprises out there. But in your case, let’s look at a few of these real quick. So, what if I wanted to set a policy for the deployment of the log analytics agent for Linux VMs, ensuring that it’s properly configured? Let’s take a quick look at a few of these. Scrolling down, you’ll see things like auditing VMs that don’t use managed disk, which you’ll learn about in the Virtual Machine section; ensuring you have Loganalytics agents for your Windows and Linux VMs; and so on. Things like disc encryption are here as well for storage accounts, and you can order transparent data encryption status for services like SQL databases. These are all good examples, but if I go back to the top of this and search by filter with “built in” and then choose “Allowed,” you can see there are a number of policy definitions that are actually quite common.

Things like prohibited resource types and permitted storage account SKUs Allowed resource types, with these two being the most popular. Allowed virtual machine SKUs and allowed locations So I can say, for example, that I only want to allow specific SKUs for virtual machines. I don’t want to allow very large virtual machines because they could be prohibitively expensive. So I can choose from the allowed virtual machine SKUs and click select. The policy definition is filled in; you can see the assignment name, “Allowed Virtual Machine SKUs.” You can change that if you want to. And if I scroll further down, you can see the description signed by, and here is where I put in the parameters for that policy template. So right now, zero is selected. If I click the drop-down menu, I can now choose the Virtual Machine SKUs that I want to allow in the subscription. So I could choose just the basic A, zero, A, one, or whatever I want. Maybe I want to choose all the D series. Again, you’ll learn more about these in the Virtual Machine section if you haven’t already jumped ahead and covered that. However, I can select the D series, which are the most common, and so on.

So just go ahead and select the ones that you would want to allow. I can also choose to use a managed identity, which you’ll learn more about in the Identity section later on as well. But with that, if I’m happy with everything, I can go ahead and click Assign. And now that that policy has been created, I will only be able to deploy machines in the subscription that match that specific SKU type. And you’ll see when you create virtual machines. If I tried to then go and build a virtual machine that was perhaps an F or G series, it would simply error out during the build process. And if I wanted to fix it, I would need to go back in here to this Allowed Virtual Machines policy and basically delete that assignment if I wanted to get rid of it or edit it; if I wanted to just add additional SKU types, I could edit it. And this is very important because, in the enterprise, you probably want to start off with a certain amount of SKUs that you allow, particularly if you’re early on in your Azure journey. Again, maybe the A series, the D series, et cetera. And then, as needed, you might allow certain teams access to those very large machines, perhaps the M series of giant memory virtual machines. You could have then allowed them access to them by assigning a policy that allowed them access to that. And perhaps you assign that policy to a specific resource group. Perhaps you don’t assign it to a whole subscription.

So you get kind of creative as you work through these. The last thing to mention, which isn’t strictly covered in the exam scope yet, is the concept of management groups. And all that means is you can take policies that you’ve assigned to different subscriptions, and instead of going to every single subscription and creating the policy and assigning it, you can essentially assign it to a management group that contains multiple subscriptions. So if you said, “Okay, I’ve got 100 subscriptions across the enterprise, and I want the same policy applied,” you would then go ahead and create a management group for that and assign the policy that way. So that’s a future discussion, but just something you need to be aware of as well. And with that, this concludes the demonstration. I highly encourage you to go in here and play with these, and then try to provide things against the rules that you have. But make sure that if you don’t need that assignment in the future, you delete it. You’ll run into various problems later on.

6. Lecture: Azure Resource Locks

One of the features Azure provides to prevent accidental resource deletion is the use of resource locks. And these are essentially just a mechanism for locking down resources that we want to have that extra layer of protection before they can be deleted. So, for example, when we delete resource groups and storage accounts, we just go in and delete them. Often we have to type in a name or something else to actually delete it. But a resource lock creates this additional layer that we have to kind of remove first before we can delete the resource group.

And there are two options available. One is not deleteable, and this is authorised users’ ability to read and modify but not delete the resources, so they can make changes to them but not actually delete anything read-only. Authorized users can read the resource but cannot update or delete it. So the one that’s actually most restrictive is read-only because it’s read-only. You can’t change or remove any of the sources in there, owner. Cannot delete. You can’t delete them, but you could still make modifications to them. So a lot of people often think that “cannot delete” is the most restrictive, but no, it’s actually redundant. So if you just want to make sure no one touches it at all and modifies it, use the read on the resource lock, and you’ll see how to configure these in the upcoming demo. You.

7. Demo: Implement a Resource Lock

We’re just going to pick a resource group. So in my case, I’m using slash arm counts. This is one from a previous demo that we’re going to delete eventually, but for now we’re going to test it out with the lock. And you can see that this resource group has five storage accounts in it. So we don’t want it deleted just yet. We’ll hit the lock section, and we’ll go in and click Add. Give the lock a name and choose the lock type. Now, if you remember from the tutorial, read-only is the most restrictive, but in my case, I’m just going to use the delete lock for this occasion. Select okay, and you can see that lock is now available in the resource group.

 If we scroll back up to the top and I attempt to delete this resource group, so I’ll type in the name that it prompts me with as per normal, and I hit delete immediately, we get that error saying the resource group SLRM count is locked and can’t be deleted. And if I go back in and remove that lock, the resource has no locks. Now go back to the overview, delete the resource group, and at this point it’s going to hopefully delete all of those storage accounts in there if all goes well, and you can see it didn’t come up with an error this time. So it’s now in the process of simply deleting a resource group and everything that was inside it. And with that, it concludes this demonstration, and hopefully that gives you a quick insight into resource locks and how easily you can just apply them to your resources in Azure that you want to protect. You probably get one or two questions on the exam about this: “How would I protect resources?” And there are obviously different mechanisms than those we’ve covered so far in this module.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!