A Guide On How To Assign A Contributor Role to a User in Microsoft Azure

The roles that Azure assigns to Users are at different levels, they range from the Reader role to Virtual Machine Contributor and the ability to create custom roles for specific users. These permissions and restrictions are granted to fortify the security of your cloud environment.

I will be demonstrating the process of creating a User and assigning that person the Contributor role. It is pertinent you know some of the terms we will be studying in this blog that relates to the different levels of roles available in Azure.

Azure Active Directory Role

These are used to manage Azure Active Directory (AD) resources in a directory such as assigning administrative roles to others, creating or editing Users, managing User licenses, resetting User passwords, and managing domains.

Job Function Roles

These roles are designed specifically for providing Users with permission(s) to perform particular tasks or job functions within the Azure environment. Some common examples of Job Function Roles include Network Contributor, Reader, Virtual Machine Contributor, and Storage Account Contributor.

a) Contributor

This User has limited function in that only resources can be managed as the job role, but the User cannot assign roles to other Users.

b) Owner

This role grants full access to manage all Azure resources to the User and allow the User the ability to assign roles to other Users in Azure (Resource-based Access Control) RBAC.

c) User Access Administrator

This job role only allow the User to manage access to Azure resources only. But they do not have access to the actual resources themselves. So Access Control is their job.

Anybody that creates an Azure account, will be automatically assigned a User Access Administrator role and an owner role.

Let us now begin our task of assigning a role to a User in Azure.

As a prerequisite you need an Azure subscription. If you do not have go to https://portal.azure.com to sign up to a free account.

Sign in to your Azure portal

How To Add a New User to Your Directory

i. Search for "Azure active directory" or "Users"

ii. Once you get to the Users page, Click on "New user"

iii. You can either create a new internal User or invite an external User (internal User is somebody working in the same company as yourself while an external User is a complete outsider).

This will lead you to the invite external User page.

i. Input the external User display name and email address. It is good practice that you send an e-mail message and copy yourself which is very optional.

ii. Click on "Next: Properties>"

This takes you to the Properties page

i. On the properties page, you can input the user's identity, job information and so on.

ii. Click on "Next: Assignments>"

This moves you to the Assignments page

i. On the Assignments page, you can choose to "Add group" or add "Add role".

ii. I advise you choose ”Add Role”, because this is the intent of this entire blogpost!

iii. You will notice the listing of Directory roles in the page below, since its not a focus of this write-up click on “Review+invite.”

Once you have reviewed all your entries and check your mail has no misspellings. You are free to take the next step.

iv. Click on "Invite". This automatically sends the new User an e-mail invitation to accept.

Observe here that the Owner of the subscription User's name has appeared on this page identified by a display name, user type, e-mail address et cetera.

The onus on us here is to assign a role to our invited External User.

Assign Contributor Role to the guest User.

Remember that Koya has been invited as a User, we now intend giving a role to our guest.

i. Go to the Azure console and search for "Subscription".

ii. Click on your subscription and select, in this case “Azure subscription 1”

ii. On your subscription, click on "Access control (IAM)"

iii. On the Access Control page, Click on "Add role assignment.

iv. On the Add role Assignment page, click "Privileged administrator roles"

v. Type "Contributor" on the search bar and select it. Click on "Next".

Click Next to move to Members Page

i. Select the type of access you want to assign.

ii. At the “Assign Access” tick “User”

iii. Click on “+Select Members”.

This directs you to search for the name of the member you want to assign the contributor role.

iv. Choose your member, it will appear as shown in the red box.

v. Then click on "Select"

The member (User) you added automatically appears on the Add role assignment page.

vi. Click "Review+assign"

Notice that Azure is giving us a warning on the type of permission we are granting this User (Koya). Take note of the reason for this warning from Azure. This is because the 'Contributor" role gains access to all resources in the subscription as a Privileged Administrator role. This becomes a very dangerous move if your Guest is not trustworthy.

vii. Click the Review+assign button to assign the role.

On the Role Assignment page Click on "Role assignments" or Click "View" on the "View access to this resources" box.

Observe above that "Koya” (Guest)" has been assigned a Contributor role. So it means the Guest User as a Contributor can create any resources under the owner's subscription but cannot assign roles.

I hope you enjoyed this voyage with me? We really had a wonderful sail. Am sure you can now easily assign a job role to an external User in Microsoft Azure. Cheers.