Azure authenticates access to its resources using Azure AD. Once an identity is authenticated, Azure must still evaluate whether that identity should be allowed to access any resource, all resources, or only the specific resources intended for it. This activity has traditionally been known as authorization. Authorization evaluates whether the given identity has the necessary permissions to access the resource and whether it can perform the intended operation. Anybody with access to an Azure subscription should be given just enough permissions to perform their job. Identities should not be assigned more than the required permissions, so that the attack surface remains minimal.
Authorization in Azure is popularly known as Role-Based Access Control (RBAC). RBAC in Azure refers to assigning permissions to identities (users, groups, or applications) at a scope. The scope can be a subscription, a resource group, or an individual resource.
RBAC helps in creating and assigning different permissions to different identities. This segregates duties within teams rather than giving everyone every permission. It also makes people accountable for their own jobs, because others might not even have the access needed to perform them. Note that granting access at a higher scope automatically ensures that the child resources inherit those permissions. For example, granting read access on a resource group gives the identity read permissions on all resources within that group.
Azure provides three general purpose built-in roles. They are as follows:
- Owner role, which has full access to all resources
- Contributor role, which has read/write access to resources
- Reader role, which has only read permissions on resources
Azure provides many more built-in roles, but they are resource-specific. Examples include Network Contributor and Security Manager.
To list all roles provided by Azure for all resources, execute the Get-AzureRmRoleDefinition cmdlet in the PowerShell console.
Each role definition lists the actions it allows (Actions) and the actions it prohibits (NotActions). For example, the Owner role permits all actions and prohibits none. Prohibited actions take precedence over allowed actions:

```
PS C:\Users\imodi> Get-AzureRmRoleDefinition -Name "owner"

Name             : Owner
Id               : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
IsCustom         : False
Description      : Lets you manage everything, including access to resources.
Actions          : {*}
NotActions       : {}
AssignableScopes : {/}
```
Each role comprises multiple permissions, and each resource provider exposes a list of operations. The operations supported by a resource can be listed with the Get-AzureRmProviderOperation cmdlet, which takes a search string naming the provider and resource:

```powershell
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Insights/*"
```

This results in output like the following:

```
PS C:\Users\imodi> get-AzureRmProviderOperation -OperationSearchString "Microsoft.Insights/*" | select operation

Operation
---------
Microsoft.Insights/Register/Action
Microsoft.Insights/AlertRules/Write
Microsoft.Insights/AlertRules/Delete
Microsoft.Insights/AlertRules/Read
Microsoft.Insights/AlertRules/Activated/Action
Microsoft.Insights/AlertRules/Resolved/Action
Microsoft.Insights/AlertRules/Throttled/Action
Microsoft.Insights/AlertRules/Incidents/Read
Microsoft.Insights/MetricDefinitions/Read
Microsoft.Insights/eventtypes/values/Read
Microsoft.Insights/eventtypes/digestevents/Read
Microsoft.Insights/Metrics/Read
Microsoft.Insights/LogProfiles/Write
Microsoft.Insights/LogProfiles/Delete
Microsoft.Insights/LogProfiles/Read
Microsoft.Insights/Components/Write
Microsoft.Insights/Components/Delete
Microsoft.Insights/Components/Read
Microsoft.Insights/AutoscaleSettings/Write
Microsoft.Insights/AutoscaleSettings/Delete
Microsoft.Insights/AutoscaleSettings/Read
Microsoft.Insights/AutoscaleSettings/Scaleup/Action
Microsoft.Insights/AutoscaleSettings/Scaledown/Action
Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/MetricDefinitions/Read
Microsoft.Insights/ActivityLogAlerts/Activated/Action
Microsoft.Insights/DiagnosticSettings/Write
Microsoft.Insights/DiagnosticSettings/Delete
Microsoft.Insights/DiagnosticSettings/Read
Microsoft.Insights/LogDefinitions/Read
Microsoft.Insights/Webtests/Write
Microsoft.Insights/Webtests/Delete
Microsoft.Insights/Webtests/Read
Microsoft.Insights/ExtendedDiagnosticSettings/Write
Microsoft.Insights/ExtendedDiagnosticSettings/Delete
Microsoft.Insights/ExtendedDiagnosticSettings/Read
```
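The evaluation rules described above (Actions matched against provider operations, NotActions taking precedence within a role, and assignments inherited down the scope hierarchy) can be modelled in a few lines. This is an added example, not the book's code nor Azure's implementation; the custom "Insights Operator" role, the principal names and the subscription id are constructed, and only the Owner and Reader definitions reflect real built-in roles.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # permitted operation patterns, e.g. "Microsoft.Insights/*"
    not_actions: tuple = ()  # patterns subtracted from Actions within this role

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str               # subscription, resource group or resource id

def _matches(pattern: str, operation: str) -> bool:
    # Operation names are case-insensitive and '*' spans '/' segments,
    # so "Microsoft.Insights/*" covers every Insights operation.
    return fnmatchcase(operation.lower(), pattern.lower())

def _in_scope(assignment_scope: str, resource_id: str) -> bool:
    # An assignment at a parent scope is inherited by every child resource.
    parent, child = assignment_scope.rstrip("/").lower(), resource_id.lower()
    return child == parent or child.startswith(parent + "/")

def role_permits(role: RoleDefinition, operation: str) -> bool:
    # NotActions take precedence over Actions, but only within the same role:
    # they subtract from this role, they do not deny other assignments.
    allowed = any(_matches(p, operation) for p in role.actions)
    denied = any(_matches(p, operation) for p in role.not_actions)
    return allowed and not denied

def is_authorized(principal: str, operation: str, resource_id: str,
                  assignments) -> bool:
    return any(a.principal.lower() == principal.lower()
               and _in_scope(a.scope, resource_id)
               and role_permits(a.role, operation) for a in assignments)

# Owner/Reader as Get-AzureRmRoleDefinition reports them; the custom role,
# principals and subscription id below are constructed sample data.
OWNER = RoleDefinition("Owner", ("*",))
READER = RoleDefinition("Reader", ("*/read",))
INSIGHTS_OPERATOR = RoleDefinition("Insights Operator", ("Microsoft.Insights/*",),
                                   ("Microsoft.Insights/*/Delete",))
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/monitoring-rg"
ALERT = RG + "/providers/Microsoft.Insights/alertRules/cpu-high"
ASSIGNMENTS = (RoleAssignment("alice", INSIGHTS_OPERATOR, RG),
               RoleAssignment("bob", READER, SUB),
               RoleAssignment("carol", OWNER, SUB))
```

Running the checks in the test shows alice can read and write the alert rule but not delete it (NotActions), bob inherits read-only access from the subscription, and carol as Owner can do everything.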