- Microsoft 365 Security Administration:MS-500 Exam Guide
- Peter Rising
- 1441字
- 2021-06-18 18:57:33
Planning, configuring, and monitoring RBAC
RBAC is system that provides very specific access management capabilities to Azure resources. It enables Microsoft 365 administrators to manage access to these resources, the actions the users can take, and what resources are accessible to them.
You can configure RBAC from multiple locations within the Azure portal. RBAC is presented in the form of the Access Control (IAM) pane when accessed from an Azure Visual Studio subscription, as shown in the following screenshot:
Let's look at some key planning considerations when implementing RBAC.
Planning RBAC
When we are planning to assign RBAC permissions to users within Azure AD, you first need to understand Role Assignments. From the Access Control (IAM) pane, you have the choice of adding role assignments, viewing existing role assignments, and viewing deny assignments. The following screenshot shows these choices for role assignment:
We can choose to add a new role assignment by clicking Add | Add role assignment:
Click the Role drop-down box. You will see a list of roles that are available for assignment:
So, how does this help us with planning for RBAC? There are three key questions you need to answer when doing this:
- Who needs access?
- What do they need to access?
- What permissions do they need?
When you have the answers to these questions, you will be able to effectively plan the correct RBAC role assignment settings. In the example shown here, where we wish to grant access to a Visual Studio subscription, we can use RBAC to do things such as the following:
- Grant a user access to the Billing Reader role for the subscription.
- Grant a group access to the SQL DB Contributor role so they can manage SQL databases.
- Grant an application access to all resources within a resource group.
RBAC enables you to grant explicit access to your users with the principle of least privilege, which means they will have only the access required to do their jobs. This granular level of access removes the requirement to assign more established roles to users that include features they may not require, and for which they are not authorized.
How role assignments work
Role assignments consist of three components:
- Security principal: This is the requesting party, which can be a user, group, service principal, or managed identity, as illustrated in the following diagram:
- Role definition: A set of permissions that defines the actions that can be performed by the security principal (such as read, write, or delete). Role definitions are also known as roles and there are many built-in roles that can be used, such as Owner, Contributor, and Reader. The following diagram illustrates the concept of Role definition:
- Scope: The scope can be defined as the resources to which access will be granted. An example would be assigning contributor access to a user for a specific resource group. The following diagram shows how the scope process works:
Now that you understand the steps required to plan for RBAC, we can examine the process of configuring RBAC.
Configuring RBAC
Now that you understand what RBAC does and the principles of role assignments, you can start to configure role assignments with RBAC for your users. Role assignments can be added or removed in the Azure portal by using the Access Control (IAM) pane.
Important note
In order to configure role assignments, you will need to have User Access Administrator or Owner permissions.
In the following example, we will configure a user so that they can log in to a VM in Azure. Here are their details:
- User: James Smith
- Resource: A VM called chrysalis03
To provide our user with the access they require to the VM, we need to take the following steps:
- Log in to the Azure portal and navigate to All resources | chrysalis03.
- Now, we need to select Access Control (IAM). The following screen will appear:
- If you click on Roles, you will see all the roles available for this resource:
- Next, click on Add and then Add Role Assignment.
- Under Role, choose Select a role, scroll down, and choose Virtual Machine User Login.
- Under the Assign access to option, we need to leave this set as Azure AD user, group, or service principal as we wish to assign this resource to a user.
- Finally, in the Select box, we need to type in the person's username and select it. You should then see something like this:
- Click Save.
- Now that we have created our role assignment, we can view it by clicking Role Assignments, as shown here:
- We can easily remove the role assignment should we need to by selecting it and clicking on Remove.
- From the Access Control (IAM) pane, we also have the options to Check access and configure Deny Assignments.
- We have now successfully configured a role assignment for our user to enable them to access the resources they need using RBAC.
Managing RBAC using PowerShell
It is also possible to configure settings for RBAC using PowerShell. To do this, you will need one of the following:
- PowerShell in the Azure Cloud Shell
- Azure PowerShell
The easiest way to connect to Azure PowerShell is to launch it directly from the Azure portal from the Cloud Shell button on the top bar, as shown here:
Selecting the Cloud Shell button will immediately open the shell at the bottom of the screen, as shown in the following screenshot:
Once you are connected to Azure PowerShell, you can get a list of the available RBAC roles by typing the following:
Get-AzRoleDefinition
This returns a complete list of the available roles, as shown in the following screenshot:
In the previous section, we used the Azure portal to grant the user, James Smith, access to the Virtual Machine User Login role. Using the Azure Cloud Shell, we can enter the following command to verify that this role was assigned successfully:
Get-AzRoleAssignment -SignInName james.smith@chrysalishtech.onmicrosoft.com
From the following screenshot, we can see that it was assigned successfully:
Instead of using the Azure portal to set the role for our user, we could have done the same from the Azure Cloud Shell by entering the following command:
New-AzRoleAssignment -SignInName james.smith@chrysalistech.onmicrosoft.com -RoleDefinitionName "Virtual Machine User Login"
As we have already set this role via the Azure portal for James Smith, the following screenshot shows the command that's used to activate the same role for another of our tenant users, Jane Bloggs, using the Azure Cloud Shell:
Important note
Further information about using PowerShell to configure RBAC can be found in the References section at the end of this chapter.
Monitoring RBAC
From a security standpoint, it is extremely important for Azure AD administrators to regularly monitor for any changes that have been made to RBAC role assignments in Azure AD subscriptions. Whenever such a change is made, it is recorded and logged in the Azure Activity Log. The changes that can be viewed in this log are only available for the previous 90 days.
The logs enable you to see when a role assignment (built-in or custom created) has been created or deleted.
The simplest way to view the Azure Activity Log is from within the Azure portal. As shown in the following screenshot, we can see the role assignment we created earlier in this chapter to grant our user, James Smith, the role of Virtual Machine User Login:
If we drill down further, we will be able to see more details of this log event, which includes the following sections:
- Summary
- JSON
- Change history (Preview)
You will see these details displayed as follows:
The activity log results may be filtered as required, and also downloaded to a .csv file.
Important note
Azure PowerShell and Azure CLI may also be used to monitor RBAC. Further information on this may be found in the References section at the end of this chapter.
Now that we have introduced you to the principles of RBAC, we will spend the rest of this chapter looking at Privileged Identity Management in Azure AD.