Assigning A User A Contributor Role In Azure & Removing Role Assignments
Tutorial On Creating A New User & Inviting An External User
Introduction
Role-Based Access Control (RBAC) is a key feature in Microsoft Azure that enables you to manage access to Azure resources. RBAC allows you to grant specific permissions to users, groups, or applications at a certain scope, such as subscription, resource group, or individual resource level. By using RBAC, you can control who has access to what resources in your Azure environment, ensuring security and compliance. Azure RBAC is an authorization system built on Azure Resource Manager (ARM) that provides access management to Azure resources.
In this blog post, we'll delve into the step-by-step process of assigning Azure roles using the Azure Portal. Whether you're a seasoned Azure administrator or just getting started, understanding RBAC and its implementation in Azure Portal can streamline your access management process and bolster your cloud security posture.
NOTE:
You control access to resources with Azure RBAC by assigning Azure roles. A role assignment consists of three elements: security principal, role definition, and scope.
Security principal
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. Any of these security principals can have a role assigned to it.
Role definition
A role definition is a collection of permissions. It is usually just called a role. A role definition describes the possible actions, such as
Azure role | Permissions |
Owner | Grants full access to manage all resources; can assign roles in Azure RBAC |
Contributor | Grants full access to manage all resources; can't assign roles in Azure RBAC; can't manage assignments in Azure Blueprints or share image galleries |
Reader | View Azure resources |
Scope
Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. You can assign roles at any of these levels of scope.
Also note that Azure RBAC has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. Access is granted by creating a role assignment, and access is revoked by removing a role assignment. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.
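The parent-child scope relationship decides where a role assignment actually takes effect, and it is the part most easily missed when reviewing or removing access. The following is an added example, not part of the original tutorial: it evaluates a constructed list of role assignments (shaped like the output of `az role assignment list --all`) to show inherited access, to flag Owner/Contributor granted at broad scopes, and to show that removing one assignment leaves inherited ones in place. The principal names, IDs and resource names are made up, only direct (non-group) assignments are modeled, and management group parentage is not modeled because it is not encoded in the scope ID.

```python
# Added example: constructed data shaped like `az role assignment list --all` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder ID
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
MG = "/providers/Microsoft.Management/managementGroups/mg-root"

ASSIGNMENTS = [  # each entry = security principal + role definition + scope
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Reader", "scope": RG},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Contributor", "scope": VM},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Owner", "scope": MG},
]
PRIVILEGED = {"Owner", "Contributor"}
BROAD = {"management group", "subscription"}

def scope_level(scope):
    """Classify a scope ID as one of the four scope levels."""
    parts = [p for p in scope.lower().split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def applies_to(assigned, target):
    """True if `target` is the assigned scope or a child of it (inheritance).
    Assumption: only the subscription > resource group > resource chain is checked."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def effective_roles(assignments, principal, target):
    """Roles a principal holds at `target`, with the scope each one comes from."""
    return sorted((a["roleDefinitionName"], a["scope"]) for a in assignments
                  if a["principalName"] == principal and applies_to(a["scope"], target))

def broad_privileged(assignments):
    """Owner/Contributor assignments made at subscription or management group scope."""
    return [a for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED and scope_level(a["scope"]) in BROAD]

def remove_assignment(assignments, principal, role, scope):
    """Model removing exactly one role assignment; inherited ones are untouched."""
    return [a for a in assignments
            if (a["principalName"], a["roleDefinitionName"], a["scope"]) != (principal, role, scope)]

if __name__ == "__main__":
    after = remove_assignment(ASSIGNMENTS, "bob@contoso.example", "Contributor", VM)
    print(effective_roles(after, "bob@contoso.example", VM))  # Reader via rg-app remains
    print([a["principalName"] for a in broad_privileged(ASSIGNMENTS)])
```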
TUTORIAL ON ASSIGNING A USER A CONTRIBUTOR ROLE AS A PRIVILEGED ADMINISTRATOR
Making a user an administrator of an Azure subscription can only be done by a Global Administrator, at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others.
How To Create A Group In Azure: First, we will create a group in Azure to put our users in, so that the users and their roles are logically arranged and easy to tell apart.
On the Homepage search for Microsoft Entra ID
"Click On" "Groups"
"Click On" "New group"
Input all the necessary details
A security group can have users, devices, groups, and service principals as its members, but a Microsoft 365 group can only have users as its members. For this tutorial I selected "Security".
"Click On" "Add Owner" and a pane will open on the right. "Tick box" next to the user and "Click On" "Select"
- Successfully created a group for the new users
Learn How To Create A New User: You can also use Azure PowerShell and the Azure CLI to create a new user
Sign in to the Azure Portal
In the search box at the top, search for Microsoft Entra ID (formerly known as Azure Active Directory)
"Click On" "Users"
- "Click On" "New User" then "Click On" "Create new user"
Fill in the settings. Let's begin by filling in the details for the Basic Settings
Note down your Azure-generated password
"Click On" "Next: Properties"
Member: This B2B collaboration user has an account in an external Microsoft Entra organization or an external identity provider (such as a social identity) and member-level access to resources in your organization.
Guest: Most users who are commonly considered external guests have limited permissions; they have guest-level permissions in the resource organization.
Fill in your "Identity" details and assign the user as a "Member"
"Click On" "Next: Assignments"
- On the Assignment Settings, "Click On" "Add Group" and a pane will open on the right. "Tick Box" next to the group, then "Click On" "Select"
- Successfully created a new user
How To Invite An External User
- "Click On" "New User", then "Click On" "Invite external user"
- This will take you to the invite external user page. Input all the necessary details. You can also choose to send an invite message, which will notify the user by email. "Click On" "Next: Properties"
- On the properties settings page, fill in all the necessary details
"Click On" "Next: Assignments"
- On the Assignment Settings, "Click On" "Add Group" and a pane will open on the right. "Tick Box" next to the group, then "Click On" "Select"
- Note: You can add a role to the user. "Click On" "Add role" and the Directory roles pane will open on the right, where you can select a role for the user, but for this instance we will not be selecting any roles. "Select" "Review + invite"
- "Click On" "Invite"
The user's name will appear on this page, along with its display name, user principal name, user type, identity, etc.
An invite will be sent to the user's email. Accept the invitation, then use the link in the email to get access to your directory.
How To Assign A Contributor Role To A User
- Go to the Homepage. In the search bar, type "Subscription" and "Select" it. This will take you to the page below, then "Click On" your "Subscription"
"Click On" "Access control (IAM)" then "Click On" "Add"
"Click On" "Add role assignment"
On the add role assignment page, "Click On" "Privileged administrator roles". Then, under Select role, "Click On" "Contributor". Go to "Next"
Once you've selected the role, click on the "Members" tab to proceed with assigning a user. "Click On" the selected user name, then "Click On" "Select"
The member automatically appears on the Add role assignment page. "Click On" "Review + assign"
On your subscription the user is displayed as a contributor as seen below
NOTE: Overview of the group created and 2 users added to it
How To Remove Azure Role Assignment
Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
Click the Role assignments tab to view all the role assignments at this scope.
In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
In the remove role assignment message that appears, "Click On" "Yes"
By following these steps, you can effectively assign Azure roles using the Azure portal, ensuring that users have appropriate access to Azure resources based on their roles and responsibilities.