RBAC with Azure

October 14, 2015 at 1:52 pm in Azure, Microsoft by Florent

On Monday, Microsoft published an article announcing that RBAC is available on Azure: http://blogs.technet.com/b/ad/archive/2015/10/12/azure-rbac-is-ga.aspx

RBAC helps you give the right permissions to the right people who use Azure.

In this article, based on that announcement, I will explain how to implement RBAC in Azure so that a user can deploy a new Virtual Machine.

Log in to the new Azure Portal ( https://portal.azure.com ) and create two new Resource Groups: one to store Virtual Machines, Storage, etc., and the other to store the network (this is a new configuration):

We will now assign the right permissions to the Resource Groups. On the group SCUGBE_RG_Store, assign a group/user the "Virtual Machine Contributor" role to create virtual machines and the "Storage Account Contributor" role to allow creating storage accounts:

Do the same for the Resource Group that will contain the network, but give it the Reader role:

In the Resource Group for the network, we will create a new virtual network. Click New > Networking > Virtual Network and select Resource Manager in the "Select a deployment model" section:

Choose a name and an address range, and select the Resource Group created previously:

This part is optional if you don't want to allow connections from outside.

We will create a Network Security Group that opens port 3389 on this network to allow RDP connections. Execute the following PowerShell script:

Switch-AzureMode AzureResourceManager
# Inbound rule allowing RDP (TCP 3389). "Internet" as the source means any public address; narrow it to your own range if you only need access from there.
$rule1 = New-AzureNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
# Create the NSG in the network resource group with that single rule
New-AzureNetworkSecurityGroup -ResourceGroupName SCUGBE_RG_Networks -Location "West Europe" -Name "SCUGBE-NSG" -SecurityRules $rule1

When that is done, assign the user/group the "Virtual Machine Contributor" role on the NSG so that the VM's network card can be registered with it:

We will now add a subnet dedicated to a specific person and associate it with the previously created NSG:

This part is optional if you don't want to allow connections from outside.

We will create a public IP address in the network Resource Group so the user can connect remotely:

Switch-AzureMode AzureResourceManager
# Dynamic public IP with a DNS label, created in the network resource group
New-AzurePublicIpAddress -Name "SCUGBE-IPPublic" -ResourceGroupName SCUGBE_RG_Networks -Location "West Europe" -AllocationMethod Dynamic -DomainNameLabel "scugbe-rbac"

Assign the user/group the "Virtual Machine Contributor" role on the public IP address so that it can be attached to the VM:

Before trying the deployment, we must give the user permission to obtain an IP address on the right subnet. This step is only available through PowerShell:

Switch-AzureMode AzureResourceManager
# List existing role assignments to find the ObjectId of the user/group
Get-AzureRoleAssignment | Format-Table DisplayName, Type, ObjectId

Note the value in the ObjectId column:

Execute the following script, replacing the values with yours:

# Scope the VM Contributor role to a single subnet (ResourceName) inside the parent VNet, not to the whole network
New-AzureRoleAssignment -ObjectId 2a83b08f-f189-4697-97e6-3fd5bcb433a3 -RoleDefinitionName "Virtual Machine Contributor" -ResourceName "SCUGBE_VNet_VMs" -ResourceType Microsoft.Network/virtualNetworks/subnets -ParentResource virtualNetworks/SCUGBE_VNet -ResourceGroupName SCUGBE_RG_Networks
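
As an added example that is not part of the original post, the script below assigns the whole permission set from the steps above in one go and then checks the result. It assumes the same 2015-era Azure PowerShell module (Switch-AzureMode) and resource names used in this post; the ObjectId is a placeholder, and the Scope and RoleDefinitionName property names on the Get-AzureRoleAssignment output are an assumption.

```powershell
# Added example, not from the original post. Assumes the 2015-era Azure
# PowerShell module used above (Switch-AzureMode) and the post's resource
# names; $objectId is a placeholder to replace with the value shown by
# Get-AzureRoleAssignment.
Switch-AzureMode AzureResourceManager

$objectId   = "<OBJECT-ID-OF-USER-OR-GROUP>"   # placeholder
$storeRg    = "SCUGBE_RG_Store"
$networkRg  = "SCUGBE_RG_Networks"
$vnetName   = "SCUGBE_VNet"
$subnetName = "SCUGBE_VNet_VMs"                # the only subnet this user may deploy into
$vmRole     = "Virtual Machine Contributor"

# 1. Resource group holding VMs and storage: the user may create both.
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName $vmRole -ResourceGroupName $storeRg
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName "Storage Account Contributor" -ResourceGroupName $storeRg

# 2. Network resource group: read-only at group level...
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName "Reader" -ResourceGroupName $networkRg

# ...and VM Contributor only on the individual objects a VM must attach to.
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName $vmRole -ResourceGroupName $networkRg `
    -ResourceName "SCUGBE-NSG" -ResourceType Microsoft.Network/networkSecurityGroups
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName $vmRole -ResourceGroupName $networkRg `
    -ResourceName "SCUGBE-IPPublic" -ResourceType Microsoft.Network/publicIPAddresses
New-AzureRoleAssignment -ObjectId $objectId -RoleDefinitionName $vmRole -ResourceGroupName $networkRg `
    -ResourceName $subnetName -ResourceType Microsoft.Network/virtualNetworks/subnets `
    -ParentResource "virtualNetworks/$vnetName"

# 3. Verify. List what this principal now holds, then flag any VM Contributor
# assignment broader than one subnet (subscription, network RG or whole-VNet
# scope), which would silently undo the per-subnet restriction. The Scope and
# RoleDefinitionName property names are assumed from the module's output.
$assignments = Get-AzureRoleAssignment -ObjectId $objectId
$assignments | Sort-Object Scope | Format-Table RoleDefinitionName, Scope -AutoSize

$broadPattern = "(/resourceGroups/$networkRg|/virtualNetworks/$vnetName)`$"
$tooBroad = $assignments | Where-Object {
    $_.RoleDefinitionName -eq $vmRole -and
    ($_.Scope -notmatch '/resourceGroups/' -or $_.Scope -match $broadPattern)
}
if ($tooBroad) {
    Write-Warning "VM Contributor is granted above subnet scope:"
    $tooBroad | Format-Table Scope -AutoSize
}
```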

It's time to try deploying a new virtual machine as the user assigned above. I have my two resource groups:

Deploy a new virtual machine and choose Resource Manager:

The VM is deploying:

When the VM is deployed, you can connect to it, via RDP in my case:

And you can see the objects you have access to:

If I try to deploy another VM on a subnet where access is forbidden, I get the following error:

For your information, in the next release of Azure you will be able to create your own roles.

If you have any questions, don't hesitate to contact me.