Friday, July 16, 2021


Manage Subscriptions and RBAC

Objectives

In this lab, you will:

  • Task 1: Implement Management Groups
  • Task 2: Create custom RBAC roles
  • Task 3: Assign RBAC roles

Task 1: Implement Management Groups

In this task, you will create and configure management groups.

  1. Sign in to the Azure portal at https://portal.azure.com.

  2. Search for and select Management groups to navigate to the Management groups blade.

  3. Review the messages at the top of the Management groups blade. If you see the message stating You are registered as a directory admin but do not have the necessary permissions to access the root management group, perform the following sequence of steps:

    1. In the Azure portal, search for and select Azure Active Directory.

    2. On the blade displaying properties of your Azure Active Directory tenant, in the vertical menu on the left side, in the Manage section, select Properties.

    3. On the Properties blade of your Azure Active Directory tenant, in the Access management for Azure resources section, select Yes and then select Save.

    4. Navigate back to the Management groups blade, and select Refresh.

  4. On the Management groups blade, click + Add.

    If you have not previously created Management Groups, select Start using management groups

  5. Create a management group with the following settings:

    Setting                         Value
    Management group ID             az104-02-mg1
    Management group display name   az104-02-mg1

  6. In the list of management groups, click the entry representing the newly created management group.

  7. On the az104-02-mg1 blade, click Subscriptions.

  8. On the az104-02-mg1 | Subscriptions blade, click + Add. On the Add subscription blade, in the Subscription drop-down list, select the subscription you are using in this lab and click Save.

    On the az104-02-mg1 | Subscriptions blade, copy the ID of your Azure subscription into Clipboard. You will need it in the next task.

Task 2: Create custom RBAC roles

In this task, you will create a definition of a custom RBAC role.

  1. From the lab computer, open the file \Allfiles\Labs\02\az104-02a-customRoleDefinition.json in Notepad and review its content:

    ```json
    {
      "Name": "Support Request Contributor (Custom)",
      "IsCustom": true,
      "Description": "Allows to create support requests",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/az104-02-mg1",
        "/subscriptions/SUBSCRIPTION_ID"
      ]
    }
    ```

  2. Replace the SUBSCRIPTION_ID placeholder in the JSON file with the subscription ID you copied into Clipboard and save the change.

  3. In the Azure portal, open the Cloud Shell pane by clicking the toolbar icon directly to the right of the search text box.

  4. If prompted to select either Bash or PowerShell, select PowerShell.

    If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and click Create storage.

  5. In the toolbar of the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu click Upload, and upload the file \Allfiles\Labs\02\az104-02a-customRoleDefinition.json into the Cloud Shell home directory.

  6. From the Cloud Shell pane, run the following to create the custom role definition:

    ```powershell
    New-AzRoleDefinition -InputFile $HOME/az104-02a-customRoleDefinition.json
    ```

  7. Close the Cloud Shell pane.
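The same role can be created from the template without hand-editing the SUBSCRIPTION_ID placeholder, with a check that each action is a real provider operation before the role goes live. This is an added example, not part of the original lab; it assumes an Az PowerShell session in Cloud Shell, the template already uploaded to $HOME, the current context set to the lab subscription, and an assumed output file name for the resolved JSON.

```powershell
# Added example, not part of the original lab: create or update the custom role from
# the lab's JSON template without hand-editing the SUBSCRIPTION_ID placeholder.
# Assumes an Az PowerShell session (Cloud Shell) with the template already uploaded
# to $HOME and the current context set to the lab subscription.
$templatePath = "$HOME/az104-02a-customRoleDefinition.json"
$resolvedPath = "$HOME/az104-02a-customRoleDefinition.resolved.json"  # assumed output name
$subscriptionId = (Get-AzContext).Subscription.Id

# Substitute the placeholder in memory and parse the result.
$json = (Get-Content -Path $templatePath -Raw) -replace 'SUBSCRIPTION_ID', $subscriptionId
$def  = $json | ConvertFrom-Json

# Every Action should resolve to at least one real provider operation; a typo here
# silently grants nothing. Wildcards grant every current and future operation under
# the path, so report how many they expand to before the role goes live.
foreach ($action in $def.Actions) {
    $ops = @(Get-AzProviderOperation -OperationSearchString $action)
    if ($ops.Count -eq 0) { throw "Action '$action' matches no known provider operation" }
    if ($action.Contains('*')) {
        Write-Warning "Wildcard action '$action' currently expands to $($ops.Count) operations"
    }
}

# Create on first run; on later runs update in place (New-AzRoleDefinition fails when a
# role with the same name already exists, and Set-AzRoleDefinition needs the role Id).
$existing = Get-AzRoleDefinition -Name $def.Name
if ($existing) {
    $def | Add-Member -NotePropertyName Id -NotePropertyValue $existing.Id -Force
    $def | ConvertTo-Json -Depth 5 | Set-Content -Path $resolvedPath
    Set-AzRoleDefinition -InputFile $resolvedPath
} else {
    $def | ConvertTo-Json -Depth 5 | Set-Content -Path $resolvedPath
    New-AzRoleDefinition -InputFile $resolvedPath
}
```

Because the role is assignable at the management group, any subscription moved under az104-02-mg1 later inherits assignments of this role, which is why the wildcard count is worth knowing before assignment.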

Task 3: Assign RBAC roles

In this task, you will create an Azure Active Directory user, assign the RBAC role you created in the previous task to that user, and verify that the user can perform the task specified in the RBAC role definition.

  1. In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users, and then click + New user.

  2. Create a new user with the following settings (leave others with their defaults):

    Setting                      Value
    User name                    az104-02-aaduser1
    Name                         az104-02-aaduser1
    Let me create the password   enabled
    Initial password             Pa55w.rd1234

    Copy to clipboard the full User name. You will need it later in this lab.

  3. In the Azure portal, navigate back to the az104-02-mg1 management group and display its details.

  4. Click Access control (IAM), click + Add followed by Role assignment, and assign the Support Request Contributor (Custom) role to the newly created user account.

  5. Open an InPrivate browser window and sign in to the Azure portal at https://portal.azure.com using the newly created user account. When prompted to update the password, change the password for the user.

    Rather than typing the user name, you can paste the content of Clipboard.

  6. In the InPrivate browser window, in the Azure portal, search for and select Resource groups to verify that the az104-02-aaduser1 user can see all resource groups.

  7. In the InPrivate browser window, in the Azure portal, search for and select All resources to verify that the az104-02-aaduser1 user cannot see any resources.

  8. In the InPrivate browser window, in the Azure portal, search for and select Help + support and then click + New support request.

  9. In the InPrivate browser window, on the Basic tab of the Help + support - New support request blade, type Service and subscription limits in the Summary field and select the Service and subscription limits (quotas) issue type. Note that the subscription you are using in this lab is listed in the Subscription drop-down list.

    The presence of the subscription you are using in this lab in the Subscription drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request.

    If you do not see the Service and subscription limits (quotas) option, sign out from the Azure portal and sign in back.

  10. Do not continue with creating the support request. Instead, sign out as the az104-02-aaduser1 user from the Azure portal and close the InPrivate browser window.
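The portal checks in steps 6 to 9 can also be confirmed from the admin Cloud Shell session: that the assignment made at the management group is inherited by the subscription, that the role grants only the two template actions, and that the user holds no other assignments. This is an added example, not part of the original lab; it assumes the lab's user display name, role name and management group ID, and the current context set to the lab subscription.

```powershell
# Added example, not part of the original lab: verify from the admin Cloud Shell session
# what the portal steps above check by hand. Assumes the lab's user display name, role
# name and management group ID, and the current context set to the lab subscription.
$roleName = 'Support Request Contributor (Custom)'
$mgScope  = '/providers/Microsoft.Management/managementGroups/az104-02-mg1'
$subId    = (Get-AzContext).Subscription.Id
$upn      = (Get-AzADUser -DisplayName 'az104-02-aaduser1').UserPrincipalName

# Assignments listed at subscription scope include those inherited from parent scopes,
# which is how a management group assignment reaches this subscription.
$assignments = @(Get-AzRoleAssignment -SignInName $upn -Scope "/subscriptions/$subId")
$inherited = $assignments | Where-Object {
    $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $mgScope
}
if (-not $inherited) { throw "$upn does not inherit '$roleName' from $mgScope" }
Write-Host "OK: '$roleName' inherited from $mgScope"

# Least-privilege check: the role must grant exactly the two actions from the template.
$expected = @('Microsoft.Resources/subscriptions/resourceGroups/read', 'Microsoft.Support/*')
$role  = Get-AzRoleDefinition -Name $roleName
$extra = @($role.Actions | Where-Object { $_ -notin $expected })
if ($extra.Count -gt 0) { throw "Role grants unexpected actions: $($extra -join ', ')" }
Write-Host "OK: role actions limited to $($expected -join ', ')"

# Any other assignment for this user is over-provisioning worth reviewing; the lab
# user should hold only the custom role.
$others = @($assignments | Where-Object RoleDefinitionName -ne $roleName)
if ($others.Count -gt 0) {
    Write-Warning "Additional assignments found for $upn :"
    $others | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Host "OK: no other role assignments for $upn in this subscription"
}
```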

Clean up resources

Remember to remove any newly created Azure resources that you no longer use.

Removing unused resources ensures you will not see unexpected charges, although the resources created in this lab do not incur extra cost.

  1. In the Azure portal, search for and select Azure Active Directory, on the Azure Active Directory blade, click Users.

  2. On the Users - All users blade, click az104-02-aaduser1.

  3. On the az104-02-aaduser1 - Profile blade, copy the value of Object ID attribute.

  4. In the Azure portal, start a PowerShell session within the Cloud Shell.

  5. From the Cloud Shell pane, run the following to remove the assignment of the custom role definition (replace the [object_ID] placeholder with the value of the object ID attribute of the az104-02-aaduser1 Azure Active Directory user account you copied earlier in this task):

    ```powershell
    # Look up the scope at which the custom role was assigned (the management group).
    # Select-Object -First 1 keeps $scope a single string even if the role has been
    # assigned more than once.
    $scope = (Get-AzRoleAssignment -RoleDefinitionName 'Support Request Contributor (Custom)' | Select-Object -First 1).Scope
    Remove-AzRoleAssignment -ObjectId '[object_ID]' -RoleDefinitionName 'Support Request Contributor (Custom)' -Scope $scope
    ```

  6. From the Cloud Shell pane, run the following to remove the custom role definition:

    ```powershell
    Remove-AzRoleDefinition -Name 'Support Request Contributor (Custom)' -Force
    ```

  7. In the Azure portal, navigate back to the Users - All users blade of the Azure Active Directory, and delete the az104-02-aaduser1 user account.

  8. In the Azure portal, navigate back to the Management groups blade.

  9. On the Management groups blade, select the ellipsis icon next to your subscription under the az104-02-mg1 management group and select Move to move the subscription to the Tenant Root management group.

    Note: It is likely that the target management group is the Tenant Root management group, unless you created a custom management group hierarchy before running this lab.

  10. Select Refresh to verify that the subscription has successfully moved to the Tenant Root management group.

  11. Navigate back to the Management groups blade, right-click the ellipsis icon to the right of the az104-02-mg1 management group and click Delete.
