How to Control Access to Azure Resources with RBAC
What do you do when you need to give a new employee access to manage your Azure resources? Give them the root account information, of course! I joke. Please don’t do that. That user will need access to specific Azure resources via IAM roles, which we will discuss in this post.
An Overview of Controlling Access to Azure Resources with RBAC
In this video, CBT Nuggets trainer Trevor Sullivan explains the process of using RBAC to control access to Azure resources.
What are IAM roles in Azure?
Most cloud service providers offer role-based access control (RBAC) through what they call IAM roles. Azure IAM roles assign users their read or write privileges to some or all of the vendor’s cloud resource products. For instance, an accountant could be permitted to view subscriptions and billing in Azure without having access to anything else.
Role-based access controls are a basic form of security. Products like Azure IAM extend role-based access controls even further by providing Azure users with incredibly granular permissions to Azure resources. Azure IAM’s only rival for such granular security policies might be the Linux OS.
How to Create an IAM role in Azure
Creating new IAM policies in Azure is much easier than with other cloud providers. Microsoft took the lessons learned from AWS, GCP, and even their in-house management solutions, like Active Directory, and made the Azure IAM policy assignment process easy as pie.
1. Log into your Azure portal as an administrator
First, log into your Azure portal. You’ll need to access Azure with the primary administrative account or another Azure user account with the appropriate role-based access controls for assigning Azure IAM policies.
Azure IAM policies are assigned through individual services. For example, if you want to give an accountant access rights to manage or change subscriptions in Azure, the Azure IAM policy for managing subscriptions needs to be assigned via the Subscriptions portal in Azure.
2. Navigate to the Azure resource that needs a new IAM policy
Navigate to the product portal in your Azure account where you need to assign new Azure IAM policies. Once that product portal is loaded, select the resource where a new role-based access control policy needs to be assigned. Azure IAM policies are granular enough to assign IAM policies down to the specific resource.
3. Click access control
Once the portal for the selected resource loads, locate the ‘Access Control (IAM)’ link from the left-hand navigation panel. The tools for managing Azure IAM policies will load in the primary Azure portal pane.
4. Click +add, then role assignments
Next, locate the ‘Role Assignments’ link from the horizontal toolbar above the ‘My Access’ pane. The ‘+Add’ button above that toolbar is a smart button that will change context depending on which tool you select in each Azure portal.
In this case, after selecting ‘Role Assignments,’ an option labeled ‘Add Role Assignment’ will appear in the drop-down menu for the ‘+Add’ button. Click the ‘+Add’ button, then choose ‘Add Role Assignment’ from its drop-down menu.
5. After a modal appears, enter the user info
After selecting the “Add Role Assignment” option, a modal will open on the right side of the Azure management portal. That modal will contain options for adding and configuring a user for a new Azure IAM policy.
6. Select the permissions
The first drop-down box labeled “Role” in that modal contains various pre-defined access policies. For instance, if you only want a user to be able to read resources and configurations for an Azure resource, choose the ‘Reader’ role. The video tutorial linked at the top of this article takes a deeper dive into the various pre-defined access roles Microsoft offers in Azure.
7. Select the user directory
The next drop-down box contains options to choose where the user account you want to configure lives. For most businesses, the user account will likely be part of an Active Directory group. So, select “Azure AD User Group.”
8. Enter the user name and save
Finally, in the last drop-down box, enter the specific user account that the new Azure IAM policy is being assigned to. This drop-down box has autocomplete features. Typing the username into this box will autofill a list of matching usernames. Select the appropriate username from that autocomplete list.
Click the Save button in that modal. You’ve just successfully created a new Azure IAM policy.
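Once assignments like the one above start to accumulate, it helps to review who holds which role at which scope. The script below is an added example, not part of the original tutorial: it classifies each assignment's scope and flags privileged roles that are broader than the resource-level, least-privilege grants described in the steps. The input is a constructed sample shaped like the output of `az role assignment list --all --output json`; the field names are assumed from that output, and the subscription ID, principals, and resource names are placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list --all --output json`
# (field names assumed from that output; IDs and names are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "accountant@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "newhire@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "web-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1"},
    {"principalName": "contractor@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-web"},
])

# Built-in roles that can change resources or grant access to others.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Classify an Azure scope string by how much of the hierarchy it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if "managementgroups" in parts:   # /providers/Microsoft.Management/...
        return "management-group"
    if "providers" in parts:          # a single resource
        return "resource"
    if "resourcegroups" in parts:
        return "resource-group"
    return "subscription" if parts[0] == "subscriptions" else "unknown"

def audit(assignments_json):
    """Return (principal, role, level, reason) for assignments worth reviewing."""
    findings = []
    for a in json.loads(assignments_json):
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        broad = level in ("root", "management-group", "subscription")
        if role in PRIVILEGED and broad:
            findings.append((a["principalName"], role, level, "privileged role at broad scope"))
        elif role in PRIVILEGED and a["principalType"] == "User":
            findings.append((a["principalName"], role, level, "privileged role held directly by a user"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The second rule, flagging privileged roles held directly by a user rather than through a group, is a review heuristic chosen for this example and can be adjusted to local policy.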
Final Thoughts
This article briefly discusses utilizing role-based access control mechanisms to create new Azure IAM policies. The next time your co-workers ask how to use role-based access control in Azure, you’ll be the IT hero they deserve.
Understanding how Azure IAM policies work is vital to being a cloud engineer, a modern systems administrator, or an Azure solutions architect. While this article works as a great "how-to" for assigning new Azure IAM policies, it’s far from an exhaustive tutorial.