Configure Multi-Scope Resource Permissions

This Configure Multi-Scope Resource Permissions IT Pro Challenge helps learners understand what RBAC is and how to use it to manage permissions to allow user groups and how to create an Azure virtual network with subnets. They will also learn how to enable resource assignments.

1 hour 30 minutes
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »


In this Configure Multi-Scope Resource Permissions IT Pro Challenge, learners will use Role-Based Access Control (RBAC) to assign roles and verify permissions for user groups. They will also learn how to create a virtual network with multiple subnets and connect virtual machines to those subnets. In doing so, they will learn about network security groups (NSG) and resource assignments and get to test the proof of concept in this lab. The skills acquired in this lab are useful for system administrator roles.


For this hands-on lab, you are a system administrator who has been tasked with migrating your company’s primary web applications from an on-premises data center to Azure. As part of the process, you will need to use Role-Based Access Control (RBAC) to allow developers to create and deploy Azure resources. You will need to be mindful of security, so you will specify multi-scope resource permissions.

Role-Based Access Control (RBAC) is an access control mechanism that is used to define roles and privileges like role-permissions, user-role, and role-role relationships. RBAC can be used to implement both Mandatory Access Control (MAC) and Discretionary Access Control (DAC).

Assign roles and verify permissions

To begin, you will sign in to the Azure portal and use RBAC to add role-permissions for developers.

Create an Azure virtual network with subnets

In the Azure portal, you will create a virtual network with two subnets; one for front-end services and one for back-end services. Then you will create a Network Security Group (NSG) with an inbound rule to allow web traffic (HTTP and HTTPS) and associate the NSG with a subnet.

An NSG contains rules that allow or deny network traffic (inbound and outbound) to/from an Azure resource. When you associate an NSG to a subnet, the rules for that NSG apply to all the resources in the subnet.

Deploy Azure virtual machines to subnets

Now you are going to create two Azure virtual machines that are connected to the two subnets you created in the previous step of the lab.

Enable resource level assignment

Now you need to ensure that one of the developers can only access one of the virtual machines that you created and that they can’t assign permissions to anyone else. You will do a proof of concept by signing in as the developer and attempt to stop the virtual machine and assign rights to another user. Both attempts should be denied if you created the correct permissions.

Summary Conclusion

By taking this virtual lab, you will learn how to use RBAC to assign roles and verify permissions, create an Azure virtual network with multiple subnets, deploy virtual machines to those subnets, and enable resource level assignment.