Azure RBAC Notes

Azure RBAC Notes

Azure Roles and Azure AD Roles

Azure roles are separate from the administrative roles found in Azure AD. For example, a user who is granted Global Administrator rights in Azure AD does not have permissions to create resources in Azure. They must be granted rights at a scope using a role with the ability to create resources such as the Contributor role.

Creating Custom Roles

Custom roles cannot be created through the Azure Portal, but they can be assigned after they are created using the Portal. Custom roles can be created using Azure PowerShell, the Azure CLI, and through the REST API.

Retrieve the definition of the Virtual Machine Contributor role use the following:

Get-AzRoleDefinition -Name “Virtual Machine Contributor” | ConvertTo-Json

az role definition list -n “Virtual Machine Contributor”

Custom roles are defined using JSON, or JavaScript Object Notation. A role definition includes:

  • A name represented by the attribute
  • An identifier represented by the attribute
  • A description represented by the attribute
  • A flag that denotes if the role is custom or built-in represented by the attribute, which is set to false for built-in roles, and should be set to true when authoring custom roles
  • The actions that can or cannot be performed within the Azure management plane represented by the and attributes
  • Optionally the scopes at which the role is available through the

In the case of Notaction, it is not an explicit deny rule. If a user is granted access
rights in an Action , they will have the ability to perform
the operation.

DataAction and NotdataAction  are related to a preview capability in Azure RBAC where RBAC can be extended beyond the management plane to the data plane of select Azure resources. The management plane of Azure refers to the management of Azure resources through the Azure Resource Manager APIs, while the data plane refers specifically to a security principal that can interact with the data stored in a service. For example, storage accounts have both a management plane and a data plane. When a security principal is granted access to the management plane of a storage a ccount, it can access all of the components of that storage account, including blobs, tables, files, and
queues. By extending RBAC to the data plan, it is possible to create custom roles in Azure that grant access to only blob containers, and not the other capabilities of
the storage account.

Get-AzProviderOperation * | ? { $_.IsDataAction – eq $true }

To create and remove role assignments, you must have Microsoft.Authorization/RoleAssignments/*
permission at the necessary scope. This permission is granted through the Owner or User Access Administrator built-in roles, or it can be included in custom roles.   

The most privileged access right takes precedence.

There is no way to revoke access rights at a child scope through the application of a more restrictive role assignment, because the role assignment is inherited from the
parent. It is, however, possible to apply a deny assignment at a scope when using Azure
Blueprints and resource locks.
Deny assignments are evaluated before role assignments and can be used to exclude service principals from accessing child scopes.

Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true }
Get-AzRoleDefinition -Name “Virtual Machine Contributor”
az role definition list –custom-role-only -o table
az role definition list –name “Virtual Machine Contributor”

New-AzRoleAssignment -SignInName [email protected] -RoleDefinitionName “Virtual Machine Contributor” -ResourceGroupName ExamRefRG

$group = Get-AzADGroup -SearchString “Cloud Admins”
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName “Virtual Machine Contributor” -ResourceGroupName ExamRefRG

Comments are closed.