RBAC in Azure: A Practical Guide

What is Azure RBAC?

Azure role-based access control (Azure RBAC) enables access management for Azure resources. It’s an authorization system built into the Azure Resource Manager. You can use Azure RBAC to define which specific users should be allowed access to Azure cloud resources and assign a set of privileges for each user group. Let’s learn more about the specifics.

Azure RBAC vs Azure ABAC

As mentioned earlier, Azure RBAC allows you to manage access to Azure resources, defining what users can do with resources and their access areas. It lets you use role definitions and role assignments to control access. However, it does not offer fine-grained access management and can be difficult when managing hundreds of role assignments.

Azure attribute-based access control (ABAC) works differently.

Azure ABAC allows you to add role assignment conditions to achieve fine-grained access control. It builds on Azure RBAC, letting you add attributes for specific actions. Each role assignment condition provides an additional, optional check to a role assignment. Once you set it up, the condition can filter down permissions provisioned as a part of the role definition and assignment. 

Azure RBAC Concepts

Azure RBAC Roles

In Azure RBAC, a role definition is a set of permissions (role). It defines users’ actions, such as write, delete, and read. You can define high-level roles, such as an owner, or specific roles, such as a virtual machine (VM) reader.


Azure provides various built-in roles, including a virtual machine contributor role that allows users to create and manage VMs. If the built-in roles do not satisfy your requirements, you can also define Azure custom roles. You can use data actions to grant access to data stored in a specific object. 

The term scope refers to the set of resources that an assignment applies to. It is the level at which you grant a role to a security principal. Limiting the scope limits the set of resources at risk if that security principal is compromised.

Azure RBAC lets you specify a scope at four levels, including a management group level, a subscription level, a resource group level, and a resource level. Azure structures scopes in a parent-child relationship, with each hierarchy level making the scope more specific. It lets you assign roles at any of the four levels. However, note that the level you choose determines how the role is applied. 


Azure also lets you use management groups, a level of scope above subscriptions. Management groups can be nested into complex hierarchies. The diagram below illustrates an example of a hierarchy of management groups and subscriptions.

Role Assignments

Role assignments enable you to attach role definitions to specific users, groups, service principals, or managed identities at a certain scope. When creating a role assignment, you grant specific access, and removing the assignment revokes this access.

Here is a diagram that illustrates an example of a role assignment: 

[Diagram: example role assignment in Azure]

This example assigns a contributor role to the marketing group—only for the pharma-sales resource group. It enables all users in the marketing group to create or manage Azure resources in the pharma-sales resource group. However, it does not provide marketing users with access to resources external to the pharma-sales resource group.

Azure Groups

Role assignments are transitive for groups, allowing users to gain permissions assigned to groups. If user A is a member of group B and group B is a member of group C with its own role assignment, user A gets the permissions in group C’s role assignment.

Azure RBAC uses an additive model to prevent issues when users get several overlapping role assignments. You can see an example of this principle in the image below. A certain user is granted a reader role by a resource group and a contributor role at the subscription level. The sum of the reader and contributor permissions is the contributor role. The reader role assignment has no impact.

[Diagram: overlapping role assignments in Azure]

Best Practices for Azure RBAC

Only grant the access users need.

With Azure RBAC, you can create isolation between different teams, granting each team only the access they need to get the job done. 

Instead of granting unlimited permissions to everyone with an Azure subscription or resource, you can only allow specific actions within specific scopes. Avoid assigning broad roles, even if they seem more convenient at first. When you create a custom role, include only the permissions your users need. This ensures that there’s less risk if a principal account is compromised.

The following diagram shows the recommended pattern for granting permissions in Azure RBAC.

[Diagram: recommended pattern for granting permissions in Azure RBAC]

Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyberattacks, Azure Active Directory Privileged Identity Management (PIM) can be used to reduce privilege issuance time and improve visibility through reports and alerts. PIM helps protect privileged accounts by providing temporary privileged access to Azure AD and Azure resources. Access is time-limited, after which privileges are automatically revoked.

Assign Roles Using Unique Role ID Instead of the Role Name

Role names may change over time, but the role ID always stays the same. Common examples of role name changes are when you rename your own custom role, or when you use a preview role that has (Preview) in its name: when the role is released from preview, it is automatically renamed.

To ensure consistency over time, it is a good idea to always assign users to a role ID when assigning roles using scripting or automation. This way, scripts won’t break if the name changes in the future. 

Assign Roles to Groups and Limit Subscription Owners

To make it easier to manage role assignments, do not assign roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users minimizes the number of role assignments. Note that Azure imposes restrictions on the total role assignments allowed per subscription.

Microsoft recommends having a maximum of 3 owners for each Azure subscription, to reduce the likelihood of a breach by a compromised or malicious insider.

Cloud RBAC with Frontegg

Frontegg provides out of the box RBAC model implementation. Customers can now create their own roles and permissions which represent their product models and use cases. Additionally, Frontegg empowers the end users to create custom roles to represent their permissions model, without having to change a single line of code in the product. Sounds too good to be true? Try it out now.  


Azure RBAC: role assignments and ARM templates

John Reilly

This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure".

If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find yourself in a situation when you're deploying multiple types of resource to make your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage.

One of the hardest things when it comes to deploying software and having it work, is permissions. Without adequate permissions configured, the most beautiful code can do nothing. Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:

[Image: Spider-Man saying "with great power comes great responsibility"]

Azure has great power and suggests you use it wisely.

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

This is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?

Role (up for your) assignments

The answer is roles. There's a number of roles that exist in Azure that can be assigned to users, groups, service principals and managed identities. In our own case we're using managed identity for our resources. What we can do is use "role assignments" to give our managed identity access to given resources. Arturo Lucatero gives a great short explanation of this:

Whilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved. Because now it's time to talk "magic" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service which uses this identity) access to Key Vault and Storage:

Let's take a look at these three variables:

The three variables above contain the subscription resource ids for the roles Storage Blob Data Contributor, Key Vault Secrets Officer and Key Vault Crypto Officer. The first question on your mind is likely: "what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?" Great question! Well, each of these GUIDs represents a built-in role in Azure RBAC. The ba92f5b4-2d11-453d-a403-e96b0029c9fe represents the Storage Blob Data Contributor role.

How can I look these up? Well, there are two ways: there's an article which documents them here, or you could crack open the Cloud Shell and look up a role by GUID like so:

Or by name like so:

As you can see, the Actions section of the output above (and in even more detail in the linked article) provides information about what the different roles can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify a role that you might want to use.

Creating a role assignment

So now we understand how you identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. For each role assignment, you'll need a roleAssignments resource defined that looks like this:

Let's go through the above, significant property by significant property (it's also worth checking the official reference here):

  • type - the type of role assignment we want to create; for a key vault it's "Microsoft.KeyVault/vaults/providers/roleAssignments", for storage it's "Microsoft.Storage/storageAccounts/providers/roleAssignments". The pattern is the resource type, followed by "/providers/roleAssignments".
  • dependsOn - before we can create a role assignment, the service principal we want to grant permissions to (in our case a managed identity) must exist.
  • properties.roleDefinitionId - the role that we're assigning, provided as an id. So for this example it's the keyVaultCryptoOfficer variable, which was earlier defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]. (Note the use of the GUID.)
  • properties.principalId - the id of the principal we're granting permissions to. In our case this is a managed identity (a type of service principal).
  • properties.scope - we're modifying another resource; our key vault isn't defined in this ARM template, so we have to specify the resource we're granting permissions on.
  • properties.principalType - the type of principal the assignment is for; in our case this is "ServicePrincipal", i.e. our managed identity.

There is an alternate approach that you can use where the type is "Microsoft.Authorization/roleAssignments". Whilst this also works, it displayed errors in the Azure tooling for VS Code. As such, we've opted not to use that approach in our ARM templates.
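An added example (not the post's own template) of the same pattern applied to a storage account: a PowerShell script that first confirms the "magic" GUID resolves to the role you expect, then writes a roleAssignments resource of the nested-provider type described above, validates it and deploys it. It assumes an existing user-assigned managed identity and storage account with placeholder names, uses only the Storage Blob Data Contributor GUID quoted in the post, and uses apiVersion 2022-04-01 for the role assignment.

```powershell
# Added example, not the post's template. Grants an existing user-assigned managed
# identity Storage Blob Data Contributor on an existing storage account via ARM.
$roleGuid = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

# Sanity check before deploying: make sure the GUID really is the role you think it is,
# and look at what it permits (the Actions / DataActions the post refers to).
$role = Get-AzRoleDefinition -Id $roleGuid
if ($role.Name -ne 'Storage Blob Data Contributor') {
    throw "Unexpected role for $roleGuid : $($role.Name)"
}
$role | Select-Object Name, Actions, DataActions | Format-List

# Single-quoted here-string so "$schema" and the ARM "[...]" expressions stay literal.
# The identity already exists here, so no dependsOn is needed; if you create the identity
# in the same template, add a dependsOn on it as the post describes.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "principalId": {
      "type": "string",
      "metadata": { "description": "Object (principal) id of the managed identity" }
    }
  },
  "variables": {
    "storageBlobDataContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
    "storageScope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/', guid(variables('storageScope'), parameters('principalId'), variables('storageBlobDataContributor')))]",
      "properties": {
        "roleDefinitionId": "[variables('storageBlobDataContributor')]",
        "principalId": "[parameters('principalId')]",
        "scope": "[variables('storageScope')]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
'@

$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'storage-role-assignment.json'
Set-Content -Path $templateFile -Value $template

# Placeholder resource group / identity / account names.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'rg-placeholder' -Name 'id-placeholder'

$deployment = @{
    ResourceGroupName       = 'rg-placeholder'        # resource group that holds the storage account
    TemplateFile            = $templateFile
    TemplateParameterObject = @{
        storageAccountName = 'stplaceholder'
        principalId        = $identity.PrincipalId    # the object id, not the client id or resource id
    }
}

# Validate first: a missing Microsoft.Authorization/roleAssignments/write permission at the
# target scope shows up here as a validation error rather than halfway through a deployment.
Test-AzResourceGroupDeployment @deployment
New-AzResourceGroupDeployment @deployment -Name 'storage-rbac' -Verbose

# Confirm the assignment landed on the storage account and not on a broader scope.
Get-AzRoleAssignment -ObjectId $identity.PrincipalId |
    Select-Object RoleDefinitionName, Scope
```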

Many thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.


Manage Azure Role Assignments Like a Pro with PowerShell


Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.

PowerShell examples for managing Azure Role assignments

  • List all role assignments in a subscription
  • Get all role assignments for a specific resource group
  • Get all role assignments for a specific user
  • Add a role assignment to a user
  • Remove a role assignment for a user
  • Remove all role assignments for a specific user
  • List all built-in roles
  • List all custom roles
  • Create a custom role
  • Update a custom role
  • Delete a custom role
  • List all users or groups assigned to a specific role
  • List all permissions granted by a specific role
  • List all resource groups that a user has access to
  • Create a role assignment for a service principal
  • PowerShell script to manage Azure role assignments

And now there is a script that combines some of these examples into one usable function:
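An added example (not the post's own script) of one function that combines several of the tasks listed above: list the assignments at a subscription scope (optionally for one principal), count direct Owner assignments against the "at most 3 owners" guidance from earlier on this page, flag roles assigned directly to users rather than groups, list custom roles, and work out which resource groups a principal can reach. The subscription id in the usage line is a placeholder.

```powershell
# Added example, not the post's script. A reporting function built on Get-AzRoleAssignment.
function Get-RoleAssignmentReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $ObjectId,          # optional: user, group or service principal object id
        [int]    $MaxOwners = 3      # guidance quoted earlier on this page
    )

    $scope = "/subscriptions/$SubscriptionId"
    Set-AzContext -Subscription $SubscriptionId | Out-Null

    # With -Scope, Get-AzRoleAssignment returns assignments made at that scope and those
    # inherited from above it; the Scope property shows where each one was created.
    $query = @{ Scope = $scope }
    if ($ObjectId) { $query.ObjectId = $ObjectId }
    $assignments = @(Get-AzRoleAssignment @query)

    $owners = @($assignments | Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $scope })
    $ownerWarning = if ($owners.Count -gt $MaxOwners) {
        "$($owners.Count) Owner assignments on the subscription; guidance is at most $MaxOwners"
    }

    # Assignments made directly to a user rather than to a group.
    $directUserAssignments = @($assignments | Where-Object { $_.ObjectType -eq 'User' })

    # Custom roles visible at this scope (built-in roles have IsCustom = false).
    $customRoles = @(Get-AzRoleDefinition -Scope $scope -Custom)

    # Resource groups the principal reaches: a subscription-level assignment reaches all of
    # them; otherwise collect resource-group-level scopes. Assignments on individual
    # resources are deliberately not counted as resource group access.
    $reachableRgs = @()
    if ($ObjectId) {
        foreach ($a in $assignments) {
            if ($a.Scope -eq $scope) {
                $reachableRgs = @(Get-AzResourceGroup | ForEach-Object { $_.ResourceId })
                break
            }
            if ($a.Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$') {
                $reachableRgs += $a.Scope
            }
        }
    }

    [pscustomobject]@{
        Scope                   = $scope
        AssignmentCount         = $assignments.Count
        OwnerCount              = $owners.Count
        OwnerWarning            = $ownerWarning
        DirectUserAssignments   = $directUserAssignments | Select-Object DisplayName, RoleDefinitionName, Scope
        CustomRoles             = $customRoles | Select-Object Name, Id
        ReachableResourceGroups = $reachableRgs | Sort-Object -Unique
    }
}

# Usage (placeholder subscription id); add -ObjectId to report on a single principal.
Get-RoleAssignmentReport -SubscriptionId '00000000-0000-0000-0000-000000000000' | Format-List
```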

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic


Azure Role Assignments with Constraints

If you’ve worked in Azure, you have definitely come across managing access using Role Based Access Control (RBAC) and have been met with different challenges. Until recently, the RBAC model in Azure has been missing a key piece: the ability to enforce constraints on the delegation of role assignments. This missing piece has led to a less than ideal user experience for those managing Azure resources. Fortunately, Azure Role Assignments with Constraints is here, hopefully providing the missing piece to a complete RBAC model in Azure. With this new feature, IT administrators and stakeholders can now easily and securely manage access to Azure resources, greatly improving the experience for all parties.

Role based access control

In most Azure environments I’ve worked in, IT rarely assigns Owner or User Access Administrator to stakeholders; instead, they’re the gatekeepers for giving out permissions to resources. This often leads to tickets being placed with IT and long wait times for new stakeholders to start consuming services in Azure, and most often the actual teams have more knowledge of who should have access to a resource than IT has.

This will most likely lead to frustration as developers will have problems fully setting up an application or service. For example, a developer creates an Azure Function with a Managed Identity that requires Storage Blob Data Contributor to a Storage Account, but they’re not able to assign any roles for that identity.

On the other hand, if given full permissions, someone inexperienced with Azure or someone who doesn’t value security may end up exposing the environment to security risks. I think we can all agree the model isn’t all there yet.

How it works today

Delegate role assignments with constraints

With this new feature, we can instead delegate to Dara the ability to assign only certain roles and principal types. For example, we can allow Dara and their team members to assign only service principals the Key Vault Secrets User and Storage Blob Data Contributor roles. With this in place, the team is now able to create that Azure Function with a Managed Identity and assign it Storage Blob Data Contributor on any resource inside that subscription.

[Image: constraints example]

Getting started


To get started, follow the steps below.

At your desired scope, go to the IAM blade and select Add to create a new role assignment.

Select the Privileged administrator roles tab and find the Role Based Access Control Administrator role.

Add the desired User or Group that should be able to delegate roles at the scope.

Select Add condition to define the conditions.

The portal will present three templates that can be used, and in this example I’m using the middle one. It will allow me to target what roles users in the Az_Analytics_Users group can assign, and to what identity types. Opening the advanced condition editor will present the full configuration experience that allows for finer tuning. For example, users can create role assignments, but not delete them.

I want them to be able to assign Key Vault Secrets User and Storage Blob Data Contributor to service principals.

Hit save and the configuration will be presented before the assignment is made.

That’s it! Users in the group Az_Analytics_Users are now able to assign the roles specified in the expression to Service principals. If they try to assign any other roles they’ll be denied.

We can also configure everything using PowerShell.

Another example

Here I’m using the advanced condition editor. Users are able to assign all roles except Owner and User Access Administrator, for all principal types: users, groups, and service principals. This is done by negating the expression, by ticking the checkbox when configuring which roles can be assigned.

An important thing to note here is that when a user assigns a role to another user who is not already present in the tenant, a guest invitation will be sent out, unless guest invitations are restricted.
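An added example (not the post's own script) of configuring the same delegation with PowerShell: a helper that builds the condition text using the attribute names Microsoft documents for role assignment conditions, covering both the allow-list case from the portal steps and the "everything except Owner and User Access Administrator" case from the second example, and the New-AzRoleAssignment call that attaches it to the Role Based Access Control Administrator assignment for the Az_Analytics_Users group. Role GUIDs are resolved by name at run time; the subscription id is a placeholder.

```powershell
# Added example, not the post's script. Builds and applies a role assignment condition.
function New-DelegationCondition {
    param(
        [Parameter(Mandatory)] [string[]] $RoleNames,
        [string[]] $PrincipalTypes,   # e.g. 'ServicePrincipal'; omit to allow any principal type
        [switch]   $Exclude           # allow every role EXCEPT $RoleNames (the negated portal example)
    )
    # Resolve names to GUIDs so nothing is hard-coded; conditions compare on RoleDefinitionId.
    $ids    = ($RoleNames | ForEach-Object { (Get-AzRoleDefinition -Name $_).Id }) -join ', '
    $roleOp = if ($Exclude) { 'ForAnyOfAllValues:GuidNotEquals' } else { 'ForAnyOfAnyValues:GuidEquals' }

    # Two clauses: @Request attributes apply when an assignment is created (write),
    # @Resource attributes when one is deleted. Constrain both; otherwise the delegate
    # could remove assignments they were never allowed to create.
    $clauses = foreach ($src in '@Request', '@Resource') {
        $action = if ($src -eq '@Request') { 'write' } else { 'delete' }
        $test   = "${src}[Microsoft.Authorization/roleAssignments:RoleDefinitionId] $roleOp {$ids}"
        if ($PrincipalTypes) {
            $types = ($PrincipalTypes | ForEach-Object { "'$_'" }) -join ', '
            $test += "`n  AND`n  ${src}[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {$types}"
        }
        "(`n (`n  !(ActionMatches{'Microsoft.Authorization/roleAssignments/$action'})`n )`n OR`n (`n  $test`n )`n)"
    }
    $clauses -join "`nAND`n"
}

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope = "/subscriptions/$subscriptionId"
$group = Get-AzADGroup -DisplayName 'Az_Analytics_Users'

# First example in the post: only Key Vault Secrets User and Storage Blob Data Contributor,
# and only to service principals.
$condition = New-DelegationCondition -RoleNames 'Key Vault Secrets User', 'Storage Blob Data Contributor' `
                                     -PrincipalTypes 'ServicePrincipal'

# "Another example" in the post: any role except Owner and User Access Administrator,
# for any principal type. Uncomment to use instead:
# $condition = New-DelegationCondition -RoleNames 'Owner', 'User Access Administrator' -Exclude

New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Role Based Access Control Administrator' `
    -Scope $scope `
    -Condition $condition -ConditionVersion '2.0' `
    -Description 'Delegated RBAC admin: may only assign or remove the roles named in the condition'

# Verify what was stored; the condition text travels with the assignment.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Select-Object RoleDefinitionName, ConditionVersion, Condition | Format-List
```

A member of the group who then tries to assign a role outside the condition, or to a user rather than a service principal, gets an authorization failure from New-AzRoleAssignment, which is the denial the post describes.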

Final thoughts

I must say that I find this feature highly appealing, and I firmly believe that it will bring significant benefits to both IT administrators and developers alike. Previously, granting Owner or User Access Administrator permissions often entailed a considerable amount of responsibility for Azure stakeholders, akin to providing them with unrestricted access. However, with this new feature, we can now delegate some of the RBAC assignments to stakeholders, which will ultimately result in reduced wait times and minimize unwarranted frustration.


Role Assignment using Azure Portal


Before you learn to add or remove Azure role assignments using the Azure portal, it is important to understand Azure Role-Based Access Control (RBAC). Azure RBAC is an authorization system used to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Prerequisites for Assigning Roles

To add or remove role assignments, you need the following permissions:

  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete (both are included in the User Access Administrator and Owner roles)

Access control (IAM)

Access control (IAM), short for Identity and Access Management, is the page in the Azure portal used for assigning roles and granting access to Azure resources.


Steps to Add a Role Assignment

In Azure role-based access control (RBAC), in order to grant access to an Azure resource, you must add a role assignment. We shall now discuss the steps to add a role assignment.


  • First Step – In the Azure portal, click All services and then select the scope that you want to grant access to, namely Management groups, Subscriptions, Resource groups, or a resource.
  • Second Step – Click the specific resource for that scope.
  • Third Step – Click Access control (IAM).
  • Fourth Step – Click the Role assignments tab to view the role assignments at this scope.
  • Fifth Step – Click Add > Add role assignment. If you do not have permissions to assign roles, the Add role assignment option will be disabled.
  • Sixth Step – In the Role drop-down list, select a role such as Virtual Machine Contributor.
  • Seventh Step – In the Select list, select a user, group, service principal, or managed identity. If the security principal is not in the list, type in the Select box to search the directory for display names, email addresses, and object identifiers.
  • Eighth Step – Click Save to assign the role. After a few moments, the security principal is assigned the role at the selected scope.

Steps to Add a role assignment for a managed identity

In this topic, we describe an alternative way to add role assignments for a managed identity: you start from the managed identity and then select the scope and role.

System-assigned managed identity

  • Firstly, in the Azure portal, open a system-assigned managed identity.
  • Then, in the left menu, click Identity.
  • Next, under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.
  • Now, to change the subscription, click the Subscription list.
  • Then click Add role assignment (Preview).
  • In this step, use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription, Resource Group, or resource. But in case you do not have role assignment write permissions for the selected scope, then an inline message will be displayed.
  • Select a role such as Virtual Machine Contributor, in the Role drop-down list.
  • Lastly, Click Save to assign the role.


Steps to Remove a Role Assignment

In order to remove access from an Azure resource, in Azure RBAC we must remove a role assignment.

  • First, open Access control (IAM) at the scope, such as management group, subscription, resource group, or resource, where you want to remove access.
  • Second, click the Role assignments tab to view all the role assignments for this subscription.
  • Next, in the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
  • Now click Remove.
  • Lastly, in the remove role assignment message that appears, click Yes.

Note – Any message displaying that inherited role assignments cannot be removed, indicates that you are trying to remove a role assignment at a child scope. In this case, you must open Access control (IAM) at the scope where the role was assigned and then try again.


Reference:  Microsoft Documentation


Assign Azure roles dynamically through Azure DevOps


You have probably come across this question many times: what are the three fundamental principles that need to be adhered to under strict compliance frameworks? Yes, you have probably already guessed it: security, traceability and auditability. Azure DevOps Services comes with these principles in mind, but how can you make it visible that Azure roles are assigned against your Azure environment?

In this blog post, you will take a deep dive into setting up an Azure pipeline that adheres to these fundamental principles. You will build templates so you can re-use them for your teams, and later you can secure them by placing an Approval check on the use of those templates for assignments in Azure.

There is a lot that is going to be covered, so this blog will be in series.

Before you start with this in depth blog post, there are some pre-requisites needed if you want to follow this tutorial:

  • An Azure DevOps account
  • A code editor like Visual Studio Code (VSCode)
  • The Az PowerShell module
  • The VSTeam PowerShell module
  • An Azure subscription to play in

Assuming that you're quite familiar with having multiple environments, like test, quality assurance and production, this will be the starting point. To prepare your environment, you can run the script below, which will create three resource groups, service principals, and service connections.

  • Open Windows PowerShell
  • Change the values pattoken, subscriptionId, projectName and azdoAccount to match your environment. When you create the Personal Access Token, make sure that it can manage the Service Connections.
  • Run the above script once the values have been filled in

You will see later in this tutorial how this all fits into its place. For now, have a quick look at which resources have been created.

In this section, you'll set up the templates that can be used across pipelines created by you or your team members. Inside these templates the role assignment will be configured; you'll primarily focus on the New-AzRoleAssignment and Remove-AzRoleAssignment cmdlets. Let's get started by creating the structure. This assumes you already have a repository checked out; in this tutorial it is called Templates.

  • In your favorite editor, create the following folder structure
  • Inside the task folder, create a file called azure-rbac-powershell-task.yml
  • In the task YAML file, copy the following content, which is an Azure PowerShell script that assigns roles based on the parameters you will define later. Note that AzureSubscription and Scope are built up dynamically from the environment that is passed in
  • Inside the job folder, create a file called azure-rbac-powershell-job.yml
  • In the job YAML file, copy the following content to reference the task
  • You also need a stage, so inside the stage folder create a file called azure-rbac-powershell-stage.yml and copy the following content into it

Oef, that was suddenly a lot of code, so let's summarize what is going on here.

azure-rbac-powershell-task.yml: has 6 parameters and executes an Azure PowerShell script that uses 3 values: the objectId, the roleDefinitionName and the scope

  • environementName: the environment that was populated during the preparation of the environment, like test, qa or prod
  • roleAssigner: parameter to choose whether you want to create a new role assignment or remove one
  • roleDefinitionName: the role that you give to the Object ID, for example Contributor
  • azureSubscription: the service connection to target, without the environment suffix; during the creation of the environment the prefix would be rg-data
  • azure-rbac-powershell-job.yml: has the same parameters as the task and specifies the jobs that make up the stage. It targets azure-rbac-powershell-task.yml as a template for re-usability
  • azure-rbac-powershell-stage.yml: the same as the job template; it is the collection of jobs, and in this case it targets azure-rbac-powershell-job.yml
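As an added example (not the post's own task YAML), here is the PowerShell body such a task could run, with the inputs modelled as script parameters; it assumes the rg-data-<environment> resource group naming from the preparation step and takes a subscription id in place of the service connection. It resolves the role name to its definition id before assigning, following the "assign by role ID" guidance earlier on this page, and creates or removes the assignment idempotently so re-runs of the pipeline are safe.

```powershell
# Added example, not the post's task. Script body for an Azure PowerShell pipeline task.
param(
    [Parameter(Mandatory)] [string] $ObjectId,             # principal receiving / losing the role
    [Parameter(Mandatory)] [string] $RoleDefinitionName,   # e.g. 'Contributor'
    [Parameter(Mandatory)] [string] $SubscriptionId,       # assumption: passed in by the pipeline
    [Parameter(Mandatory)] [ValidateSet('test', 'qa', 'prod')] [string] $EnvironmentName,
    [ValidateSet('New', 'Remove')] [string] $RoleAssigner = 'New',
    [string] $ResourceGroupPrefix = 'rg-data'              # naming from the preparation step
)

$ErrorActionPreference = 'Stop'

# The scope is always a resource group of the target environment, never the whole
# subscription, so a pipeline run cannot grant broader access than intended.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupPrefix-$EnvironmentName"

# Resolve the name to the stable role definition id once; a renamed role then still works.
$role = Get-AzRoleDefinition -Name $RoleDefinitionName
if (-not $role) { throw "Role definition '$RoleDefinitionName' not found" }

# Look for an existing assignment by definition id at exactly this scope (not inherited).
$existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $scope |
    Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.Scope -eq $scope }

# ##[section] / ##[warning] are Azure Pipelines logging commands; they make each
# assignment change visible in the run log, which is the traceability the post asks for.
switch ($RoleAssigner) {
    'New' {
        if ($existing) {
            Write-Host "##[section]Already present: $RoleDefinitionName ($($role.Id)) for $ObjectId on $scope"
        } else {
            New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $scope | Out-Null
            Write-Host "##[section]Created: $RoleDefinitionName ($($role.Id)) for $ObjectId on $scope"
        }
    }
    'Remove' {
        if ($existing) {
            Remove-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $scope
            Write-Host "##[section]Removed: $RoleDefinitionName for $ObjectId on $scope"
        } else {
            Write-Host "##[warning]Nothing to remove: $RoleDefinitionName is not assigned to $ObjectId on $scope"
        }
    }
}
```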

Now there is one more thing to do in the templates, and that is adding a template stage which wraps all the environments and configuration in one. It nearly looks like you are doing some Inception here…

  • Still in your code editor, add one more file under the stage folder called azure-rbac-powershell-template-stage.yml
  • Inside this file, add the following content

You can see that the parameters that need to be given are now different.

  • environments: here you can specify which environments you want to target
  • taskConfiguration: any YAML structure can be specified; it is passed along in a foreach loop to azure-rbac-powershell-stage.yml

You have now successfully created the required templates! Let’s see it in action. Before moving to the next section, make sure that you commit all the code to your repository, in this example it will be the Azure Repos.

As already stated in the introduction, security is quite important in companies that have to follow strict compliance rules. Using the extends syntax in YAML gives us the ability to securely enforce that a pipeline extends from a particular template. You are probably already getting the picture, with all the hard work you did in the previous sections. In this section, you are going to set up the extends from the template in the templates repository.

  • Create a new repository in your version control system; in this example it will be Azure Repos and it is called az-role-assigner
  • Create the folder cicd, which will store the azure-pipelines.yml file
  • Now create a resources section that targets the templates repository as an identifier
  • Add the extends section that references the azure-rbac-powershell-template-stage.yml template
  • Under the template, add the following parameter to start targeting the test environment
  • Go to the Azure Portal to find the objectId, scope and definition that you want to target. In this example, a fake user was added to Azure Active Directory and given the Contributor permissions. Make sure that the objectId and subscriptionId are filled in with your values
  • Run the pipeline and see the results
  • Go to the Azure Portal and see the results on the rg-data-test Resource Group

That was awesome! With just a few simple lines, you are re-using the templates, and dynamically building up the stage. If you want, you can also add an additional line in the environments parameter to target qa!

But how can you make sure that the pipelines now adhere to these templates? Let's move on by adding a Required template check.

  • In your Azure DevOps project, go to Project settings
  • Go to Service connections
  • Find the service connections that were created when you prepared the environment and select azdo-sp-test
  • Click the three dots on the right and select Approvals and checks
  • Click See all and select Required template
  • Click the plus symbol and add the following values, depending on your project
  • Save the results
  • Back in your pipeline, try a run, which will fail

Good: you at least know that the check is working, but why does the run fail? When adding the resources block, a repository name was specified that does not match the one configured in the Required template check. So let’s update the name and see if it works.

  • Open azure-pipelines.yml and, instead of name: templates, use <projectname>/templates; in this case the project is sandbox
  • Run the pipeline once more, and it should now succeed

The basis is now setup, and you can adjust the values inside the pipeline to target different objects, scopes and definitions.

That was some advanced material, but if you made it this far you have created templates in your repository that can be shared with your team members. You can now dynamically create Azure role assignments through a pipeline that is locked down with a Required template check.
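The following is an added example of what the stage script behind such a pipeline can look like; it is not the template code from the post. It reconciles a desired-state list of role assignments idempotently, so re-running the pipeline changes nothing once the state is reached, and it fails closed on malformed scopes or object IDs instead of letting New-AzRoleAssignment interpret them. It assumes an existing Az session (Connect-AzAccount, or the AzurePowerShell task) and the Az.Resources module. The keys objectId, scope and definition mirror the post’s parameters; the action key is this example’s addition.

```powershell
# Added example, not the post's own template code. Assumes Az.Resources and a signed-in session.
$ErrorActionPreference = 'Stop'

function Sync-AzRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # One hashtable per taskConfiguration item:
        # @{ objectId = '<guid>'; scope = '/subscriptions/<id>/resourceGroups/rg-data-test'; definition = 'Contributor'; action = 'Assign' }
        [Parameter(Mandatory)] [hashtable[]] $TaskConfiguration
    )

    foreach ($task in $TaskConfiguration) {
        foreach ($key in 'objectId', 'scope', 'definition', 'action') {
            if ([string]::IsNullOrWhiteSpace($task[$key])) {
                throw "taskConfiguration item is missing '$key': $($task | ConvertTo-Json -Compress)"
            }
        }
        # Fail closed on anything that is not a fully qualified ARM scope. A bare resource group
        # name or an empty string would otherwise be rejected late or, worse, widened.
        if ($task.scope -notmatch '^/(subscriptions/[0-9a-fA-F-]{36}|providers/Microsoft\.Management/managementGroups/[^/]+)(/|$)') {
            throw "Refusing to act on scope '$($task.scope)': not a fully qualified ARM scope"
        }
        if ($task.objectId -notmatch '^[0-9a-fA-F-]{36}$') {
            throw "objectId '$($task.objectId)' is not a GUID"
        }

        # Get-AzRoleAssignment also returns assignments inherited from parent scopes, so match the
        # exact scope before concluding that the assignment already exists here.
        $existing = @(Get-AzRoleAssignment -ObjectId $task.objectId -Scope $task.scope -RoleDefinitionName $task.definition |
            Where-Object { $_.Scope -eq $task.scope })

        $target = "$($task.definition) for $($task.objectId) at $($task.scope)"
        if ($task.action -eq 'Assign') {
            if ($existing.Count -gt 0) {
                Write-Host "Unchanged: $target"
            } elseif ($PSCmdlet.ShouldProcess($target, 'New-AzRoleAssignment')) {
                New-AzRoleAssignment -ObjectId $task.objectId -Scope $task.scope -RoleDefinitionName $task.definition | Out-Null
                Write-Host "Assigned:  $target"
            }
        } elseif ($task.action -eq 'Remove') {
            if ($existing.Count -eq 0) {
                Write-Host "Unchanged: $target (not present)"
            } elseif ($PSCmdlet.ShouldProcess($target, 'Remove-AzRoleAssignment')) {
                Remove-AzRoleAssignment -ObjectId $task.objectId -Scope $task.scope -RoleDefinitionName $task.definition
                Write-Host "Removed:   $target"
            }
        } else {
            throw "Unknown action '$($task.action)' for $target"
        }
    }
}

# Example input in the shape the stage template would pass in (placeholder GUIDs, not real IDs).
$taskConfiguration = @(
    @{ objectId   = '00000000-0000-0000-0000-000000000001'
       scope      = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data-test'
       definition = 'Contributor'
       action     = 'Assign' }
)
# Dry run first; drop -WhatIf in the pipeline.
Sync-AzRoleAssignment -TaskConfiguration $taskConfiguration -WhatIf
```

Because the function only ever creates or removes the exact assignment it was asked for, and reports unchanged items instead of erroring on them, the same stage can run on every push without accumulating duplicate assignments or failing when nothing has changed.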

In the next part, we’ll cover how to run arbitrary cmdlets through the pipeline, as we’ve so far focused on the New-AzRoleAssignment and Remove-AzRoleAssignment cmdlets with only three parameters. Both cmdlets have more parameters, and there are many other cmdlets that grant access, for example Set-AzKeyVaultAccessPolicy. We also haven’t fully covered traceability through Azure DevOps, so stay tuned for the next part!

The resources created during this tutorial cost little or nothing unless you added additional resources to them, but it is always good to clean up after a tutorial. You can run the script below to remove all the resources.

Published Apr 1, 2022

  • Azure DevOps

Writing about Azure DevOps, PowerShell and Automation. The Lonely Engineer on Twitter

Automated Azure Role Assignment Reports via Email - Azure Automation

Managing Azure role assignments can be complex. This PowerShell script simplifies the process by generating detailed reports on Azure users, groups, and roles and automatically emailing these reports.

Posted by : blakedrumm on Apr 23, 2024


Introduction

Azure cloud services management often requires monitoring and auditing user roles and group memberships. This script automates the generation and email distribution of detailed Azure subscription role assignments. It utilizes managed identity for Azure login, fetches role assignments, and compiles them into a comprehensive report sent via email.

How to get it

You can download the script from the following links:


Argument List

Configuring permissions for the managed identity

To let the script resolve principal details such as ObjectType and DisplayName from Microsoft Entra ID, the Automation Account’s managed identity needs the Directory Readers role. Note that this is a Microsoft Entra directory role, assigned in Entra ID (formerly Azure Active Directory), not an Azure RBAC role assigned at subscription scope; the Reader assignment on the subscription below is a separate, Azure RBAC, step. Follow these steps to assign both:

Copy the managed identity’s Object ID

  • Navigate to your Azure Automation Account -> Identity. For a system-assigned identity, copy the Object ID shown there; for a user-assigned identity, select the User assigned tab, click the identity and copy its Object ID.
  • Select Azure role assignments
  • Select Add role assignment
  • Set the scope to: Subscription
  • Select the subscription and assign the Reader role, which is what allows Get-AzRoleAssignment to enumerate the subscription’s role assignments

Subscription reader RBAC permission

  • Open Microsoft Entra ID -> Roles and administrators and select the Directory Readers role.

Azure Portal - Roles and Administrators

Where to click for Add assignments

  • Click + Add assignments to start the role assignment process.
  • In the assignment interface, app registrations and managed identities are not listed by default.
  • Paste the Object ID from step 1 into the search field. This should display the name and ID of your Automation Account’s identity.

How to add a object id for assignment

  • Once the Directory Readers role is assigned, the script can resolve ObjectType and DisplayName along with the other output of Get-AzRoleAssignment; without it, principals show up as Unknown.

This configuration is essential for the script to function correctly and securely access the necessary Azure AD data!

How to use it

To use this script in your Automation runbook, you need to set an encrypted variable in the Automation Account. This is how the EmailPassword value is passed to the script without appearing in the runbook code or job output. The script reads this password automatically if you perform the following steps.

  • Go to Automation Accounts -> Select the Automation Account -> Variables.
  • Click + Add a variable
  • Name: EmailPassword
  • Description: This is the password for the email account used for SMTP by an Azure Automation runbook.
  • Type: String
  • Value: <YourPassword>
  • Encrypted: Yes

Encrypted Variables Azure Automation Account
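The following is an added example of the reporting logic described above, together with the encrypted-variable retrieval just configured; it is not Blake Drumm’s script. The classification is written as a pure function over Get-AzRoleAssignment output, so it can be exercised offline against constructed objects and then used unchanged inside a runbook. The privileged-role list, the finding texts and the Invoke-RoleAssignmentReport wrapper (including its SmtpUserName parameter) are this example’s assumptions; the wrapper needs Az.Accounts and Az.Resources and only runs inside Azure Automation.

```powershell
# Added example, not the post's script. Only Invoke-RoleAssignmentReport needs Azure; the rest runs offline.

# Roles that control access itself or grant broad write rights (this example's list).
$PrivilegedRoles = @('Owner', 'User Access Administrator', 'Role Based Access Control Administrator', 'Contributor')

function Get-ScopeLevel {
    param([Parameter(Mandatory)] [string] $Scope)
    if ($Scope -like '/providers/Microsoft.Management/managementGroups/*') { return 'ManagementGroup' }
    $segments = ($Scope.Trim('/') -split '/').Count   # /subscriptions/<id> = 2 segments, + /resourceGroups/<rg> = 4
    if ($segments -le 2) { return 'Subscription' }
    if ($segments -le 4) { return 'ResourceGroup' }
    return 'Resource'
}

function ConvertTo-RoleAssignmentReport {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Assignment)
    process {
        $level    = Get-ScopeLevel -Scope $Assignment.Scope
        $findings = [System.Collections.Generic.List[string]]::new()

        # ObjectType 'Unknown' / empty DisplayName: ARM could not resolve the principal. Either the
        # identity was deleted (orphaned assignment) or the caller lacks directory read rights,
        # which is what the Directory Readers step above fixes.
        if ($Assignment.ObjectType -eq 'Unknown' -or [string]::IsNullOrEmpty($Assignment.DisplayName)) {
            $findings.Add('Unresolved principal (deleted identity or missing Directory Readers)')
        }
        $isPrivileged = $PrivilegedRoles -contains $Assignment.RoleDefinitionName
        if ($isPrivileged -and ($level -in @('Subscription', 'ManagementGroup'))) {
            $findings.Add("Privileged role '$($Assignment.RoleDefinitionName)' at $level scope")
        }
        if ($isPrivileged -and $Assignment.ObjectType -eq 'User') {
            $findings.Add('Privileged role held directly by a user; prefer a group or PIM')
        }

        $principal = if ($Assignment.SignInName) { $Assignment.SignInName } else { $Assignment.DisplayName }
        [pscustomobject]@{
            Principal  = $principal
            ObjectId   = $Assignment.ObjectId
            ObjectType = $Assignment.ObjectType
            Role       = $Assignment.RoleDefinitionName
            ScopeLevel = $level
            Scope      = $Assignment.Scope
            Findings   = ($findings -join '; ')
        }
    }
}

# Runbook wrapper: managed-identity sign-in, enumerate, export, then read the encrypted
# Automation variable 'EmailPassword' that the steps above created.
function Invoke-RoleAssignmentReport {
    param(
        [Parameter(Mandatory)] [string[]] $SubscriptionId,
        [Parameter(Mandatory)] [string]   $SmtpUserName,   # assumed parameter
        [string] $OutFile = (Join-Path $env:TEMP 'RoleAssignmentReport.csv')
    )
    Connect-AzAccount -Identity | Out-Null          # add -AccountId <clientId> for a user-assigned identity
    $rows = foreach ($sub in $SubscriptionId) {
        Set-AzContext -SubscriptionId $sub | Out-Null
        Get-AzRoleAssignment -Scope "/subscriptions/$sub" | ConvertTo-RoleAssignmentReport
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    # Get-AutomationVariable decrypts only inside the runbook sandbox; keep the value in a
    # PSCredential rather than a plain string so it does not end up in logs.
    $smtpPassword   = Get-AutomationVariable -Name 'EmailPassword'
    $smtpCredential = [pscredential]::new($SmtpUserName, (ConvertTo-SecureString -String $smtpPassword -AsPlainText -Force))
    return [pscustomobject]@{ ReportPath = $OutFile; Credential = $smtpCredential; Flagged = @($rows | Where-Object Findings) }
}

# Constructed sample (not real tenant data) so the classifier can be run offline:
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Admin'; SignInName = 'alice@contoso.example'; ObjectId = '11111111-1111-1111-1111-111111111111'; ObjectType = 'User'; RoleDefinitionName = 'Owner'; Scope = '/subscriptions/00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ DisplayName = ''; SignInName = ''; ObjectId = '22222222-2222-2222-2222-222222222222'; ObjectType = 'Unknown'; RoleDefinitionName = 'Contributor'; Scope = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data-test' }
    [pscustomobject]@{ DisplayName = 'vm-reader-sp'; SignInName = ''; ObjectId = '33333333-3333-3333-3333-333333333333'; ObjectType = 'ServicePrincipal'; RoleDefinitionName = 'Reader'; Scope = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data-test/providers/Microsoft.Compute/virtualMachines/vm01' }
)
$sample | ConvertTo-RoleAssignmentReport | Format-Table Principal, ObjectType, Role, ScopeLevel, Findings -AutoSize
```

Separating the classifier from the Azure calls is what makes the report reviewable: the rules for what counts as a finding can be read and tested in a few seconds, and the only code that touches live credentials is the short wrapper.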

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.

  • operationsManager
  • troubleshooting
  • certificates

azure.azcollection.azure_rm_roleassignment module – Manage Azure Role Assignment 

This module is part of the azure.azcollection collection (version 1.19.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection . You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_rm_roleassignment .

New in azure.azcollection 0.1.2

Create and delete instance of Azure Role Assignment.

Requirements 

The below requirements are needed on the host that executes this module.

python >= 2.7

The host that executes this module must have the azure.azcollection collection installed via galaxy

All python packages listed in collection’s requirements-azure.txt must be installed via pip on the host that executes modules from azure.azcollection

Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

Parameters 

For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login .

Authentication is also possible using a service principal or Active Directory user.

To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

How to authenticate using the az login command.

Return Values 

Common return values are documented here; the following are the fields unique to this module:

Yunge Zhu(@yungezz)

Paul Aiton(@paultaiton)

Collection links 

  • Issue Tracker
  • Repository (Sources)

blakedrumm / Get-AzRoleAssignmentReport.ps1

  • Download ZIP
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Embed Embed this gist in your website.
  • Share Copy sharable link for this gist.
  • Clone via HTTPS Clone using the web URL.
  • Learn more about clone URLs
  • Save blakedrumm/8f73e82f78b675bea2968117b70fd83e to your computer and use it in GitHub Desktop.


Assign Azure roles using Azure PowerShell


Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure PowerShell.

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az .

Prerequisites

To assign roles, you must have:

  • Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator
  • PowerShell in Azure Cloud Shell or Azure PowerShell
  • The account you use to run the PowerShell command must have the Microsoft Graph Directory.Read.All permission, so that principals can be looked up in Microsoft Entra ID.

Steps to assign an Azure role

A role assignment consists of three elements: security principal, role definition, and scope.

Step 1: Determine who needs access

You can assign a role to a user, group, service principal, or managed identity. To assign a role, you might need to specify the unique ID of the object. The ID has the format: 11111111-1111-1111-1111-111111111111 . You can get the ID using the Azure portal or Azure PowerShell.

User

For a Microsoft Entra user, get the user principal name, such as [email protected], or the user object ID. To get the object ID, you can use Get-AzADUser .

Group

For a Microsoft Entra group, you need the group object ID. To get the object ID, you can use Get-AzADGroup .

Service principal

For a Microsoft Entra service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use Get-AzADServicePrincipal . For a service principal, use the object ID and not the application ID.

Managed identity

For a system-assigned or a user-assigned managed identity, you need the object ID. To get the object ID, you can use Get-AzADServicePrincipal .

Step 2: Select the appropriate role

Permissions are grouped together into roles. You can select from a list of several Azure built-in roles or you can use your own custom roles. It's a best practice to grant access with the least privilege that is needed, so avoid assigning a broader role.

To list roles and get the unique role ID, you can use Get-AzRoleDefinition .

Here's how to list the details of a particular role.

For more information, see List Azure role definitions .

Step 3: Identify the needed scope

Azure provides four levels of scope: resource, resource group, subscription, and management group. It's a best practice to grant access with the least privilege that is needed, so avoid assigning a role at a broader scope. For more information about scope, see Understand scope .

Resource scope

For resource scope, you need the resource ID for the resource. You can find the resource ID by looking at the properties of the resource in the Azure portal. A resource ID has the following format.

Resource group scope

For resource group scope, you need the name of the resource group. You can find the name on the Resource groups page in the Azure portal or you can use Get-AzResourceGroup .

Subscription scope

For subscription scope, you need the subscription ID. You can find the ID on the Subscriptions page in the Azure portal or you can use Get-AzSubscription .

Management group scope

For management group scope, you need the management group name. You can find the name on the Management groups page in the Azure portal or you can use Get-AzManagementGroup .

Step 4: Assign role

To assign a role, use the New-AzRoleAssignment command. Depending on the scope, the command typically has one of the following formats.

Assign role examples

Assign a role for all blob containers in a storage account resource scope.

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-6666-666666666666 at a resource scope for a storage account named storage12345 .

Assign a role for a specific blob container resource scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-6666-666666666666 at a resource scope for a blob container named blob-container-01 .

Assign a role for a group in a specific virtual network resource scope

Assigns the Virtual Machine Contributor role to the Pharma Sales Admins group with ID aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa at a resource scope for a virtual network named pharma-sales-project-network .

Assign a role for a user at a resource group scope

Assigns the Virtual Machine Contributor role to [email protected] user at the pharma-sales resource group scope.

Alternatively, you can specify the fully qualified resource group with the -Scope parameter:

Assign a role for a user using the unique role ID at a resource group scope

There are a couple of times when a role name might change, for example:

  • You are using your own custom role and you decide to change the name.
  • You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. Therefore, if a role is renamed, your scripts are more likely to work.

The following example assigns the Virtual Machine Contributor role to the [email protected] user at the pharma-sales resource group scope.

Assign a role for an application at a resource group scope

Assigns the Virtual Machine Contributor role to an application with service principal object ID 77777777-7777-7777-7777-777777777777 at the pharma-sales resource group scope.

Assign a role for a user at a subscription scope

Assigns the Reader role to the [email protected] user at a subscription scope.

Assign a role for a user at a management group scope

Assigns the Billing Reader role to the [email protected] user at a management group scope.
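The following is an added example that runs the four steps above end to end; it is not the article’s own commands. It resolves the principal to an object ID (for a service principal by application ID, since the object ID is what New-AzRoleAssignment needs), pins the role by its immutable ID as the article recommends, builds the scope string for each of the four scope levels, and then assigns. It requires the Az.Resources module and a session holding Microsoft.Authorization/roleAssignments/write at the target scope. The function names and the placeholder values at the bottom (subscription ID, user, resource group) are this example’s assumptions.

```powershell
# Added example, not from the Microsoft article. Requires Az.Resources and a signed-in session.
#Requires -Modules Az.Resources
$ErrorActionPreference = 'Stop'

function Resolve-PrincipalObjectId {
    param(
        [Parameter(Mandatory)] [ValidateSet('User', 'Group', 'ServicePrincipal', 'ManagedIdentity')] [string] $Type,
        [Parameter(Mandatory)] [string] $Identifier   # UPN, group display name, application (client) ID, or identity name
    )
    $found = switch ($Type) {
        'User'             { Get-AzADUser -UserPrincipalName $Identifier }
        'Group'            { Get-AzADGroup -DisplayName $Identifier }
        'ServicePrincipal' { Get-AzADServicePrincipal -ApplicationId $Identifier }   # object ID differs from application ID
        'ManagedIdentity'  { Get-AzADServicePrincipal -DisplayName $Identifier }     # a managed identity is a service principal
    }
    $found = @($found)
    if ($found.Count -eq 0) { throw "No $Type found for '$Identifier'" }
    if ($found.Count -gt 1) { throw "'$Identifier' matches $($found.Count) principals of type $Type; use a unique identifier" }
    return $found[0].Id
}

function Get-AzRbacScope {
    param(
        [string] $ManagementGroupName,
        [string] $SubscriptionId,
        [string] $ResourceGroupName,
        [string] $ResourceId          # a full resource ID overrides the other parameters
    )
    if ($ResourceId) {
        # A resource ID always sits under a resource group; reject anything else before it reaches ARM.
        if ($ResourceId -notmatch '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/.+') {
            throw "'$ResourceId' is not a resource ID"
        }
        return $ResourceId
    }
    if ($ManagementGroupName) { return "/providers/Microsoft.Management/managementGroups/$ManagementGroupName" }
    if (-not $SubscriptionId) { throw 'Specify -ManagementGroupName, -SubscriptionId or -ResourceId' }
    $scope = "/subscriptions/$SubscriptionId"
    if ($ResourceGroupName) { $scope += "/resourceGroups/$ResourceGroupName" }
    return $scope
}

function Grant-AzRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Scope
    )
    # Resolve the name once, then assign by ID: the ID survives renames (custom roles,
    # '(Preview)' suffixes), the name does not.
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role definition '$RoleName' not found" }
    if ($PSCmdlet.ShouldProcess("$ObjectId at $Scope", "Assign $RoleName ($($role.Id))")) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionId $role.Id -Scope $Scope
    }
}

# Placeholder values; replace with your own. Remove -WhatIf to apply.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$objectId = Resolve-PrincipalObjectId -Type User -Identifier 'alice@contoso.example'
$scope    = Get-AzRbacScope -SubscriptionId $subscriptionId -ResourceGroupName 'pharma-sales'
Grant-AzRole -ObjectId $objectId -RoleName 'Virtual Machine Contributor' -Scope $scope -WhatIf
```

Resolving the principal and the role explicitly, rather than letting New-AzRoleAssignment accept a name, turns the two common mistakes (passing an application ID where an object ID is expected, and scripting against a role name that later changes) into errors at the point of resolution instead of a silently wrong assignment.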

  • List Azure role assignments using Azure PowerShell
  • Tutorial: Grant a group access to Azure resources using Azure PowerShell
  • Manage resources with Azure PowerShell


MLB Trade Rumors

Blue Jays Promote Addison Barger For Major League Debut

By Darragh McDonald | April 24, 2024 at 3:35pm CDT

The Blue Jays announced that outfielder Kevin Kiermaier has been placed on the 10-day injured list with left hip flexor inflammation. Infielder/outfielder Addison Barger was recalled in a corresponding move and will be making his major league debut as soon as he gets into a game. Johnny Giunta of the Gate 14 Podcast reported Barger’s promotion prior to the official announcement.

Kiermaier was removed from last night’s game with flexor discomfort in his left hip. He underwent surgery on that hip in July of 2022 while with the Rays, spending the rest of that season on the injured list.

He managed to bounce back from that procedure and stay largely healthy with the Jays in 2023. He got into 129 games last year, just the third time in his career that he hit that tally and only the second since 2015. That led him and the Jays to reconnect on yet another one-year deal, though his 2024 season has been rough so far. He’s hit .193/.246/.246 through 62 plate appearances and will now land on the shelf to rehab this injury. It’s unclear how long the Jays expect him to be out of action.

Thankfully for the Jays, they have another excellent defensive center fielder who can step in. Like Kiermaier, Daulton Varsho is known for his strong glovework out on the grass/turf but he’s been in good form with the bat this year. He’s hit six home runs in his last 11 games and is slashing .250/.325/.569 on the year overall. He’s spent more time in left field with Kiermaier in center but will now slide over and take the bulk of the playing time up the middle.

The injury will open up room for Barger to make his major league debut. Now 24, he was a sixth-round selection of the Jays back in 2018 but launched himself onto the prospect map in 2022. That year, he went from High-A to Double-A to Triple-A, hitting 26 home runs and slashing .308/.378/.555. After that season, the Jays added him to their 40-man roster to keep him out of the Rule 5 draft and Baseball America ranked him the #4 prospect in the club’s system.

2023 was a bit of a setback, with Barger missing time due to an elbow injury. He only got into 88 Triple-A games and hit a diminished .250/.353/.403 in that time. He seems to be healthy and back on track here in 2024, as he’s currently slashing .314/.435/.586 for the year. He has three home runs and is walking almost as much as he’s striking out, a 16.5% rate of free passes compared to a 17.6% rate of punchouts.

Barger has played all around the infield but has also seen increasing time in right field over the past two seasons, a natural fit for him since he’s considered to have an excellent throwing arm. With Varsho in center, perhaps George Springer moves from right to left on occasion, or Barger simply helps out in left field. If players like Davis Schneider , Cavan Biggio , Ernie Clement or Isiah Kiner-Falefa spend more time in the outfield, Barger can factor into the infield mix instead.

The left-handed bat of Barger will also be a good fit for a fairly righty-heavy lineup. With Kiermaier on the IL, the primary lefties for the Jays are just Varsho and Biggio. Daniel Vogelbach is also on the roster but has been in a fairly narrow role due to his limited defensive value. With Justin Turner the primary designated hitter, Vogelbach has made just three starts as the DH this year, in addition to a few pinch-hitting appearances.

20 Comments


19 hours ago

Congrats Barger, time to take advantage of this opportunity. Hopefully he allows the jays to move on from Kiermaier at the deadline

Incoming slash line: 0.220 / 0.306 / 0.370


15 hours ago

With the offense so far this year that’s probably a 100 wRC+


Barger is worth a callup, he is a good prospect but I don’t think he will stick the first time around.

I am waiting for Martinez to be called up. He is the one that belongs in the bigs and will stick.


14 hours ago

Does not matter who the Jays bring up from the minors, the team that Shapiro and Atkins put together in the major leagues is not going to compete. Vladdy looks like he is not going to be the superstar he is supposed to be, he is just an average player or even worse, he looks completely lost at the plate and so does Bo, and Kirk (another mistake in keeping this guy instead of the younger catcher they traded to Arizona). Springer is getting long in the tooth and is no longer a lead-off batter, and the rest of the team is a bunch of minor league players management is trying to promote as major leaguers. Without this pitching staff these guys would have as many wins as the White Sox.


2 hours ago

That trade was definitely worth it. Lourdes is not as good as people think he is.


27 seconds ago

The trade was a Jays loss. Two things can be true; Varsho is playing well, Jays clearly lost the trade. Moreno is miles better than Kirk. Gurriel is closer to Varsho than people think. Varsho wasn’t worth losing Moreno for.


18 hours ago

Vogelfat needs to be released.

16 hours ago

Could’ve been Orelvis if the Jays were willing to play Cavan/Schneider in LF. But Addison has played well enough to deserve a callup, and has played some OF. Hope he performs so well it forces the Jays to make a tough decision when KK returns.

This also gives Varsho a chance to play CF and show whether or not the Jays made the right decision bringing back Kiermaier. Jays need hitting. For the horrible Vlad play last night, Jays still could have won the game if they could hit.


53 mins ago

Orelvis has not been good defensively. And offensively, the power is carrying him but he has a 34.9% whiff rate. It’s hard to project a lot of MLB success with that. Barger’s success has been with better plate discipline and contact and he still has a lot of power too. .352 xwOBA vs. Orelvis’ .190. Barger is the right guy at the moment.


After two innings, it looks like the kid has never been in the outfield in his life. Terrible choice to throw him out there given all the other choices on the roster.


Agree. What is the management thinking? Super thin OF, so throw an infielder out there and hope he catches on?

13 hours ago

Barger - minor leaguer
Schneider - “
Clement - “
Biggio - “
Vogelbach - “
Kirk - useless
Vladdy - not a superstar (average player, cannot adjust to pitchers)
Springer - long in the tooth
Kiermaier - long in the tooth
Shapiro - useless
Atkins - useless puppet

How do you guys expect Blue Jays to be competitive


12 hours ago

Jays fan here. The craziest thing is almost the whole starting line-up, pitching staff and most of the bench will be FAs by next off-season. I believe they should trade everybody this deadline to really kick-start a rebuild, but that won’t happen with the money spent on the team and stadium the past 2 years. The team will really hit the ground hard in the ’26 season. Bo should be re-signed but that won’t happen, and Vladdy isn’t worth 300/10, especially as a 1B/DH.

In what world is Vlad “average”? Yes, he’s slumping right now but don’t let that fool you… he’s a well above average player.

OK, he has an excuse: he has never played that outfield position; in the minors his position is mainly infielder. What’s Vladdy’s excuse, Bo’s excuse, Kirk’s excuse, management’s excuse, Rogers’ excuse in keeping those two twits Atkins and Shapiro?

8 hours ago

To answer your question in the first comment, starting pitching. So far the Jays are smoke and mirrors. Despite the last two nights of errors, Jays lost because they did not hit. That’s on Atkins and his front office.

I had to double check if Barger had played LF in Buffalo as I watched a game he played RF. He hasn’t. Why was he called up instead of Orelvis? Jays could have put Biggio/Schneider/IKF in LF and played Martinez at 2B. That is also on Atkins and his staff.

11 hours ago

Where is Votto? What is Vladdy swinging at? Opposing pitchers know, or should know, that low and a foot outside will do the trick. Bo is not even close to the same hitter this year. I’m not sure what the hitting coaches are doing to the Jays but it is clearly not working IMHO. It’s still early but I honestly don’t see the boys turning things around. I’ve never seen a whole team hit this poorly, but for Turner and Varsho lately, in all my years of watching the Jays. I can understand a few guys in a slump, but almost the whole team?! Very very bizarre.

Beautiful MLB Ballpark for a AAA calibre team. Shapiro and Atkins duo have slowly dismantled this franchise and are eventually going to destroy the fan base of Canada’s baseball team.

Rogers is complicit. They’ll look to stop the idea of a rebuild to pay for their renovations. After 24 years they should be taking blame for the Jays failures by now.



IMAGES

  1. List Azure role assignments using the Azure portal


  2. List Azure role assignments using the Azure portal


  3. Remove Azure role assignments


  4. Scale the management of Azure role assignments by using conditions and custom security


  5. Assign Azure resource roles in Privileged Identity Management


  6. What is Azure role-based access control (Azure RBAC)?


VIDEO

  1. ASSIGNMENT AZURE

  2. 45th Session MS Azure + DevOps

  3. Azure CLI

  4. Azure User Story Assignment

  5. Entra ID Role Assignment In Hindi

  6. Manage Azure Subscription and Governance using Azure Policy

COMMENTS

  1. Assign Azure roles using the Azure portal

    On the Role tab, select a role that you want to use. You can search for a role by name or by description. You can also filter roles by type and category. If you want to assign a privileged administrator role, select the Privileged administrator roles tab to select the role. For best practices when using privileged administrator role assignments, see Best practices for Azure RBAC.

  2. Understand Azure role assignments

    Role assignments enable you to grant a principal (such as a user, a group, a managed identity, or a service principal) access to a specific Azure resource. This article describes the details of role assignments. Role assignment. Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.

  3. Azure built-in roles

    Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.

  4. A Beginner's Guide To Role-Based Access Control on Azure

    The way you control access to resources using RBAC is to create role assignments. This is a key concept to understand - it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope. User - An individual who has a profile in Azure Active Directory.

  5. RBAC in Azure: A Practical Guide

    Azure Groups. Role assignments are transitive for groups, allowing users to gain permissions assigned to groups. If user A is a member of group B and group B is a member of group C with its own role assignment, user A gets the permissions in group C's role assignment.

  6. Azure RBAC: role assignments and ARM templates

    John Reilly. OSS Engineer - TypeScript, Azure, React, Node.js, .NET. This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure". If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find ...

  7. Manage Azure Role Assignments Like a Pro with PowerShell

    Learn how to manage Azure Role assignments using PowerShell snippets and simple commandlets. Discover examples for listing all role assignments, adding and removing assignments for users or service principals, creating custom roles, and more. Plus, check out a script that combines some of these examples into a single function. Written by Vukasin Terzic.

  8. Azure Role Assignments with Constraints

    Fortunately, Azure Role Assignments with Constraints is here, hopefully providing the missing piece to a complete RBAC model in Azure. With this new feature, IT administrators and stakeholders can now easily and securely manage access to Azure resources, greatly improving the experience for all parties.

  9. Steps to assign an Azure role

    Step 3: Identify the needed scope. Step 4: Check your prerequisites. Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

  10. Perform Role Assignments on Azure Resources from Azure Pipelines

    The Initial Attempt. We create a new AzDO yaml pipeline to do the following: Use the Azure CLI task; Use the Service Connection created above; Use an incline script to perform the required role ...

  11. Delegating Azure Role Assignment —A Safer Approach using role

    Role assignment conditions can also be used in conjuction with Custom security attributes in Azure Entra ID to make role assignment easier by reducing the number of individual role assignments.

  12. Adding or removing role assignments using Azure Portal

    Adding a role assignment. Firstly, in the Azure portal, click All services and then select the scope that you want to grant access to. Secondly, click the specific resource for that scope. Then, Click Access control (IAM). Fourthly, click the Role assignments tab for viewing the role assignments at this scope.

  13. Role Assignment using Azure Portal

    Next, under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read. Now, to change the subscription, click the Subscription list. Then click Add role assignment (Preview).

  14. Assign Azure roles dynamically through Azure DevOps

    In your favorite editor, create the following folder structure. Inside the task folder, create a file called azure-rbac-powershell-task.yml. In the task YAML file, copy the following content, which is an Azure PowerShell script to assign roles based on the parameters that you are later going to define. You see that the AzureSubscription and Scope ...

  15. Automated Azure Role Assignment Reports via Email

    Navigate to your Azure Automation Account -> Identity, Select User assigned tab. Click on the name of the user assigned identity you want to gather the id from. Copy the Object ID of the System Assigned identity. Set Azure role assignments. Select Azure role assignments; Select Add role assignment; Set the scope to: Subscription; Select the ...

  16. Assign Azure roles using Azure CLI

    To assign a role, you might need to specify the unique ID of the object. The ID has the format: 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal or Azure CLI. User. For a Microsoft Entra user, get the user principal name, such as [email protected] or the user object ID.

  17. azurerm_role_assignment

    scope - (Required) The scope at which the Role Assignment applies, ... If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity; use it only for a principal created in the same run, since it disables the client-side check that the principal exists.

  18. azure.azcollection.azure_rm_roleassignment module

    Controls the source of the credentials to use for authentication. Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable. When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli. When set to env, the credentials will be read from the environment variables. When set to credential_file, it will read the profile from ~/.azure/credentials.

  19. This PowerShell script generates a report on Azure subscription user

    This PowerShell script generates a report on Azure subscription user roles, groups, and their memberships, and then emails this report as an attachment. It logs into Azure using a managed identity, fetches role assignments for given subscriptions, compiles them into a report, and mails this report to specified recipients. The script uses the .NET Mail API for secure email transmission.

  20. List Azure role assignments using the Azure portal

    In the Azure portal, select All services from the Azure portal menu. Select Microsoft Entra ID and then select Users or Groups. Click the user or group you want to list the role assignments for, then click Azure role assignments. You see a list of roles assigned to the selected user or group at various scopes such as management group, subscription, resource group, or resource.
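    The report scripts in items 15 and 19 and the portal listing in item 20 only show you the assignments; the security value comes from reviewing them for least privilege. The following script is an added example for this guide, not code from the page or from Microsoft. It takes an export in the shape that `az role assignment list --all -o json` produces (only the fields principalId, principalName, principalType, roleDefinitionName and scope are assumed), and flags privileged roles at broad scope, assignments made directly to users instead of groups, assignments whose principal name is empty (an assumed sign that the identity was deleted), and malformed principal IDs. The sample export is constructed; the set of roles treated as privileged is an assumption you should adjust.

```python
"""Audit exported Azure role assignments for least-privilege problems (added example)."""
import json
import re
from collections import Counter

# Assumption: these built-in roles are treated as privileged for this audit.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample in the shape of `az role assignment list --all -o json`; not real data.
SAMPLE_EXPORT = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "sec-admins",
     "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "alice@contoso.example",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "ci-deployer",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "44444444-4444-4444-4444-444444444444", "principalName": "",
     "principalType": "User", "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"principalId": "not-a-guid", "principalName": "legacy-app",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"
              "/providers/Microsoft.Compute/virtualMachines/vm1"},
])


def load_assignments(export_json: str) -> list:
    """Parse the JSON array produced by the CLI export."""
    return json.loads(export_json)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: root, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.strip("/").split("/") if p]
    if not parts:
        return "root"
    low = [p.lower() for p in parts]
    if low[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if low[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and low[2] == "resourcegroups":
            return "resourceGroup"
    return "resource"


def audit(assignments: list) -> list:
    """Return (principalId, reason) findings for every assignment that violates a check."""
    findings = []
    for a in assignments:
        pid = a["principalId"]
        if not GUID_RE.match(pid):
            findings.append((pid, "malformed-principal-id"))
        # Assumption: an empty principalName means the identity no longer exists.
        if not a.get("principalName"):
            findings.append((pid, "orphaned-principal"))
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and scope_level(a["scope"]) in BROAD_SCOPES:
            findings.append((pid, "privileged-role-at-broad-scope"))
        # Assigning to a user rather than a group makes joiner/leaver review harder.
        if a.get("principalType") == "User":
            findings.append((pid, "direct-user-assignment"))
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by reason, for the top of a report."""
    return Counter(reason for _, reason in findings)


if __name__ == "__main__":
    result = audit(load_assignments(SAMPLE_EXPORT))
    for pid, reason in result:
        print(f"{reason:32} {pid}")
    print(dict(summarize(result)))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file you saved from `az role assignment list --all -o json`; to cover inherited assignments add `--include-inherited`. Findings of type `orphaned-principal` are the ones to remove first, since they cannot be reviewed against an owner and will be silently re-activated if a principal with that object ID is ever recreated.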

  21. Assign Azure roles using Azure PowerShell

    To assign a role, you might need to specify the unique ID of the object. The ID has the format: 11111111-1111-1111-1111-111111111111. You can get the ID using the Azure portal or Azure PowerShell. User. For a Microsoft Entra user, get the user principal name (UPN) or the user object ID.

  23. Azure Orphan Resources Grafana Dashboard

    The dashboard runs a series of Kusto Query Language queries against Azure Resource Graph to identify unused, orphaned resources that can be safely removed from your Azure subscriptions without impacting the operability of your cloud-hosted workloads. Azure Resource Graph is an Azure service designed to extend Azure Resource Management by providing efficient and performant resource ...