Entra ID Roles & RBAC
Picture Credit: Microsoft Learn
Entra ID Roles
Microsoft Entra ID is where you define your users, groups, applications, and service principals. These identities authenticate to Entra ID and can then be authorized to use resources in your Azure subscriptions.
Entra ID roles (directory roles) are assigned to users or groups to manage the directory itself: users, groups, applications, licensing and similar objects. They are separate from Azure RBAC roles and do not by themselves grant access to Azure resources; that is what Azure RBAC is for.
Role-based Access Control (RBAC)
Picture Credit: Wallarm
Azure RBAC is the authorization system for Azure resources: it controls who has access, what they can do, and at which scope. Because roles can be assigned narrowly, RBAC lets you grant users the least privilege they need rather than broad access to a whole subscription.
A role assignment is made at a scope: a management group, a subscription, a resource group, or an individual resource. Assignments are inherited downward, so a role granted at a subscription applies to every resource group and resource beneath it, and a principal's effective permissions are the union of all assignments that reach a given resource (whether assigned directly or through a group).
RBAC roles govern access to Azure resources such as virtual machines and storage accounts, not to the directory objects that Entra ID roles manage.
DEMO 1: Managing Azure Identities with Role-Based Access Control (RBAC)
Create a New User in Microsoft Entra ID
The first step in managing access is to create a new user in Microsoft Entra ID (formerly Azure Active Directory).
Step 1: Navigate to the Azure portal and select Microsoft Entra ID.
Step 2: Click on Users, then click New User.
Step 3: Fill out the required information, such as the user principal name, display name, and password settings. Note the user's sign-in details, and treat the initial password like any other secret: the user will be prompted to change it at first sign-in.
Step 4: Save the user. You have now created a new user in Entra ID.
Try Logging in with the New User
Next, let's log in with the new user to see their access level.
Step 1: Open a new browser or an incognito window.
Step 2: Go to the [Azure portal login page](https://portal.azure.com).
Step 3: Enter the new user’s credentials.
Step 4: Notice that the user can sign in to the portal but sees no subscriptions or resources. Authenticating to Entra ID does not authorize anything in Azure until an RBAC role has been assigned.
Create a Storage Account in Azure
To demonstrate RBAC, we'll create a storage account that the new user can access once roles are assigned.
Step 1: In the Azure portal, go to Storage Accounts and click Create.
Step 2: Fill in the required fields, including subscription, resource group, storage account name, and location.
Step 3: Click Review + Create and wait for the deployment to complete.
Step 4: The storage account is now ready for use.
Assign RBAC Roles to the New User
Now, let's assign roles to the new user to control their access to the storage account.
Step 1: Navigate to the storage account you just created.
Step 2: Click on Access Control (IAM) in the left menu.
Step 3: Click Add, then select Add role assignment.
Step 4: Choose a built-in role, such as Owner, Contributor, or Reader. Each role provides a different level of access:
Owner: Full access to the resource, including the ability to assign roles to others (its definition is "*" with no exclusions).
Contributor: Can create and manage resources but cannot assign roles. Its definition is also "*", but the NotActions list excludes Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete, which is what prevents delegation. Note that the wildcard still includes key-listing actions such as Microsoft.Storage/storageAccounts/listKeys/action, so Contributor on a storage account exposes its data plane; prefer Reader or a narrower role when the user only needs to view.
Reader: Can view resources but cannot make any changes (its definition is "*/read").
Step 5: Under Members, select the new user, then click Save to apply the role assignment.
Step 6: Sign out and sign in again as the new user to verify the updated permissions. Role assignment changes can take several minutes to propagate.
Create a Custom Role (Optional)
For scenarios where the built-in roles don't meet your needs, you can create a custom role:
Step 1: In Access Control (IAM), click Add, then select Add custom role.
Step 2: Define only the Actions (and, if needed, DataActions) the role genuinely requires, preferring explicit operation names over wildcards, and set the Assignable scopes to the subscription or resource group where the role will actually be used. A custom role can only be assigned within one of its assignable scopes.
Create a Group in Entra ID
To manage access for multiple users efficiently, you can create a group.
Step 1: In Microsoft Entra ID, go to Groups and click New Group.
Step 2: Select Security as the group type, give it a name, and add members if needed.
Step 3: Save the group. You can now assign RBAC roles to the group instead of to individual users; adding or removing a member then changes that person's access without touching any role assignment.
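The behaviour described in the RBAC sections above (a role assigned at a resource group flowing down to each storage account in it, several assignments adding up, Contributor's NotActions being the reason it cannot delegate, a custom role being assignable only inside its assignable scopes, and a role reaching a user through a group) is easy to check with a small model. The following Python is an added example, not code from the original post or from Microsoft: the role definitions are trimmed copies of the documented Owner, Contributor and Reader built-ins, the subscription ID, resource names, group name and user names are made-up sample data, and the "Storage Account Lister" custom role is hypothetical.

```python
"""
Toy model of Azure RBAC authorization: role definitions with Actions/NotActions,
assignments bound to a scope, inheritance down the scope hierarchy, and
assignments that target a group the user belongs to.

Added illustration, not Azure's authorization engine. Built-in definitions are
abbreviated; deny assignments, DataActions and ABAC conditions are left out.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple              # e.g. ("*",) or ("*/read",)
    not_actions: tuple = ()     # subtracted from actions, within this role only
    assignable_scopes: tuple = ("/",)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str              # user or group (names here; Azure uses object IDs)
    role: RoleDefinition
    scope: str                  # management group, subscription, resource group or resource


# Built-in roles (abbreviated). Contributor is "*" minus the authorization
# actions, which is exactly why it cannot delegate access to others.
OWNER = RoleDefinition("Owner", actions=("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor", actions=("*",),
    not_actions=("Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/elevateAccess/Action"))
READER = RoleDefinition("Reader", actions=("*/read",))

# Constructed sample scopes (made-up subscription ID and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo001"
OTHER_STORAGE = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother001"

# Hypothetical custom role for the optional custom-role step: only the read
# actions it needs, and assignable only inside the demo subscription.
ACCOUNT_LISTER = RoleDefinition(
    "Storage Account Lister (custom)",
    actions=("Microsoft.Storage/storageAccounts/read",
             "Microsoft.Storage/storageAccounts/blobServices/containers/read"),
    assignable_scopes=(SUB,))

# Constructed directory data: alice is in one security group, bob is in none.
GROUP_MEMBERSHIPS = {"alice@contoso.example": {"storage-readers"}}

# Constructed assignments: the group gets Reader on the resource group,
# alice herself gets Contributor on a single storage account.
ASSIGNMENTS = (
    RoleAssignment("storage-readers", READER, RG),
    RoleAssignment("alice@contoso.example", CONTRIBUTOR, STORAGE),
)


def scope_covers(assignment_scope: str, target: str) -> bool:
    """True if target is the assignment scope itself or lies beneath it."""
    a = assignment_scope.lower().rstrip("/")   # root scope "/" becomes ""
    t = target.lower().rstrip("/")
    return a == "" or t == a or t.startswith(a + "/")


def action_matches(patterns, action: str) -> bool:
    """Operation strings are case-insensitive and '*' spans '/' segments too."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: RoleDefinition, action: str) -> bool:
    return action_matches(role.actions, action) and not action_matches(role.not_actions, action)


def assignment_is_valid(asg: RoleAssignment) -> bool:
    """A role can only be assigned at or below one of its AssignableScopes."""
    return any(scope_covers(s, asg.scope) for s in asg.role.assignable_scopes)


def is_allowed(principal: str, action: str, target: str,
               assignments=ASSIGNMENTS, memberships=GROUP_MEMBERSHIPS) -> bool:
    """Union of every assignment (direct or via a group) whose scope reaches target."""
    identities = {principal} | set(memberships.get(principal, ()))
    return any(asg.principal in identities
               and scope_covers(asg.scope, target)
               and role_permits(asg.role, action)
               for asg in assignments)


if __name__ == "__main__":
    for who, act, scope in [
        ("alice@contoso.example", "Microsoft.Storage/storageAccounts/read", STORAGE),
        ("alice@contoso.example", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("alice@contoso.example", "Microsoft.Authorization/roleAssignments/write", STORAGE),
        ("alice@contoso.example", "Microsoft.Storage/storageAccounts/read", OTHER_STORAGE),
        ("bob@contoso.example", "Microsoft.Storage/storageAccounts/read", STORAGE),
    ]:
        print(f"{who:24} {act:48} {scope.rsplit('/', 1)[-1]:12} {is_allowed(who, act, scope)}")
    # Assignments are additive: Owner at the subscription now permits delegation.
    with_owner = ASSIGNMENTS + (RoleAssignment("alice@contoso.example", OWNER, SUB),)
    print("delegation with Owner at subscription:",
          is_allowed("alice@contoso.example", "Microsoft.Authorization/roleAssignments/write", STORAGE, with_owner))
    print("custom role assignable on demo storage account:",
          assignment_is_valid(RoleAssignment("bob@contoso.example", ACCOUNT_LISTER, STORAGE)))
```

Running the block prints one line per check: alice can read and write the demo storage account (read through the group's Reader on the resource group, write through her own Contributor), cannot write role assignments on it because Contributor's NotActions removes that, cannot read the storage account in the other resource group because scope only inherits downward, and bob gets nothing. Adding Owner at the subscription flips the delegation check to True, which is the additive union in practice.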
Create a Dynamic Group (Requires a Microsoft Entra ID P1 license, formerly Azure AD Premium P1)
Dynamic groups manage their membership automatically from a rule over user attributes.
Step 1: Go to Groups and click New Group.
Step 2: Select Security as the group type and set the Membership type to Dynamic User.
Step 3: Define a membership rule that determines who belongs to the group, for example (user.department -eq "Finance") to include everyone in a specific department.
Step 4: Save the group. Users who match the rule are added (and removed when they stop matching) without manual intervention. Because membership follows attributes, anyone who can change those attributes, such as an HR system sync or a user administrator, can effectively grant whatever roles the group holds, so treat the attribute source as part of the trust boundary.
In this demonstration, we created a new user, assigned roles using RBAC, and set up groups to streamline access management. These tools are essential for managing permissions effectively and securely in Azure, ensuring that users have the right level of access to perform their jobs without exposing your resources to unnecessary risk.
Feel free to explore further by creating custom roles or adding more dynamic rules to groups. Thank you for joining this demo, and happy managing in Azure!