Skip to content

Latest commit

 

History

History
279 lines (204 loc) · 11.5 KB

tutorial-role-assignments-user-powershell.md

File metadata and controls

279 lines (204 loc) · 11.5 KB
title description services documentationCenter author manager editor ms.service ms.devlang ms.topic ms.tgt_pltfrm ms.workload ms.date ms.author
Tutorial - Grant access for a user using RBAC and Azure PowerShell | Microsoft Docs
Use role-based access control (RBAC) to grant a user access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.
active-directory
rolyon
mtillman
role-based-access-control
tutorial
identity
06/11/2018
rolyon

Tutorial: Grant access for a user using RBAC and Azure PowerShell

Role-based access control (RBAC) is the way that you manage access to resources in Azure. In this tutorial, you grant a user access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.

In this tutorial, you learn how to:

[!div class="checklist"]

  • Grant access for a user at different scopes
  • List access
  • Remove access

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete this tutorial, you will need:

  • Permissions to create users in Azure Active Directory (or have an existing user)
  • Azure Cloud Shell

Role assignments

In RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:

Security principal Role definition Scope
User
(RBAC Tutorial User)		 Reader Subscription
User
(RBAC Tutorial User)		 Contributor Resource group
(rbac-tutorial-resource-group)

Role assignments for a user

Create a user

To assign a role, you need a user, group, or service principal. If you don't already have a user, you can create one.

  1. In Azure Cloud Shell, create a password that complies with your password complexity requirements.

    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "Password"

  2. Create a new user for your domain using the New-AzureADUser command.

    New-AzureADUser -DisplayName "RBAC Tutorial User" -PasswordProfile $PasswordProfile `
  -UserPrincipalName "[email protected]" -AccountEnabled $true -MailNickName "rbacuser"

    ObjectId                             DisplayName        UserPrincipalName    UserType
--------                             -----------        -----------------    --------
11111111-1111-1111-1111-111111111111 RBAC Tutorial User [email protected] Member

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

  1. Get a list of region locations using the Get-AzureRmLocation command.

    Get-AzureRmLocation | select Location

  2. Select a location near you and assign it to a variable.

    $location = "westus"

  3. Create a new resource group using the New-AzureRmResourceGroup command.

    New-AzureRmResourceGroup -Name "rbac-tutorial-resource-group" -Location $location

    ResourceGroupName : rbac-tutorial-resource-group
Location          : westus
ProvisioningState : Succeeded
Tags              :
ResourceId        : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group

Grant access

To grant access for the user, you use the New-AzureRmRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.

  1. Get the ID of your subscription using the Get-AzureRmSubscription command.

    Get-AzureRmSubscription

    Name     : Pay-As-You-Go
Id       : 00000000-0000-0000-0000-000000000000
TenantId : 22222222-2222-2222-2222-222222222222
State    : Enabled

  2. Save the subscription scope in a variable.

    $subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"

  3. Assign the Reader role to the user at the subscription scope.

    New-AzureRmRoleAssignment -SignInName [email protected] `
  -RoleDefinitionName "Reader" `
  -Scope $subScope

    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/44444444-4444-4444-4444-444444444444
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : RBAC Tutorial User
SignInName         : [email protected]
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 11111111-1111-1111-1111-111111111111
ObjectType         : User
CanDelegate        : False

  4. Assign the Contributor role to the user at the resource group scope.

    New-AzureRmRoleAssignment -SignInName [email protected] `
  -RoleDefinitionName "Contributor" `
  -ResourceGroupName "rbac-tutorial-resource-group"

    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
DisplayName        : RBAC Tutorial User
SignInName         : [email protected]
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 11111111-1111-1111-1111-111111111111
ObjectType         : User
CanDelegate        : False

List access

  1. To verify the access for the subscription, use the Get-AzureRmRoleAssignment command to list the role assignments.

    Get-AzureRmRoleAssignment -SignInName [email protected] -Scope $subScope

    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : RBAC Tutorial User
SignInName         : [email protected]
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 11111111-1111-1111-1111-111111111111
ObjectType         : User
CanDelegate        : False

    In the output, you can see that the Reader role has been assigned to the RBAC Tutorial User at the subscription scope.

  2. To verify the access for the resource group, use the Get-AzureRmRoleAssignment command to list the role assignments.

    Get-AzureRmRoleAssignment -SignInName [email protected] -ResourceGroupName "rbac-tutorial-resource-group"

    RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rbac-tutorial-resource-group
DisplayName        : RBAC Tutorial User
SignInName         : [email protected]
RoleDefinitionName : Contributor
RoleDefinitionId   : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId           : 11111111-1111-1111-1111-111111111111
ObjectType         : User
CanDelegate        : False

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : RBAC Tutorial User
SignInName         : [email protected]
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 11111111-1111-1111-1111-111111111111
ObjectType         : User
CanDelegate        : False

    In the output, you can see that both the Contributor and Reader roles have been assigned to the RBAC Tutorial User. The Contributor role is at the rbac-tutorial-resource-group scope and the Reader role is inherited at the subscription scope.

(Optional) List access using the Azure Portal

  1. To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.

    Role assignments for a user at subscription scope

  2. View the Access control (IAM) blade for the resource group.

    Role assignments for a user at resource group scope

Remove access

To remove access for users, groups, and applications, use Remove-AzureRmRoleAssignment to remove a role assignment.

  1. Use the following command to remove the Contributor role assignment for the user at the resource group scope.

    Remove-AzureRmRoleAssignment -SignInName [email protected] `
  -RoleDefinitionName "Contributor" `
  -ResourceGroupName "rbac-tutorial-resource-group"

  2. Use the following command to remove the Reader role assignment for the user at the subscription scope.

    Remove-AzureRmRoleAssignment -SignInName [email protected] `
  -RoleDefinitionName "Reader" `
  -Scope $subScope

Clean up resources

To clean up the resources created by this tutorial, delete the resource group and the user.

  1. Delete the resource group using the Remove-AzureRmResourceGroup command.

    Remove-AzureRmResourceGroup -Name "rbac-tutorial-resource-group"

    Confirm
Are you sure you want to remove resource group 'rbac-tutorial-resource-group'
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):

  2. When asked to confirm, type Y. It will take a few seconds to delete.

  3. Delete the user using the Remove-AzureADUser command.

    Remove-AzureADUser -ObjectId "[email protected]"

Next steps

[!div class="nextstepaction"] Manage access using RBAC and PowerShell