Configure Role Based Access Control (RBAC) for Storage Accounts

Azure AD includes complete identity management abilities such as multi-factor authentication, self-service password management, and device registration. Azure Active Directory can be used to allocate restricted users to handle identity jobs in less-privileged positions. Administrators can be designated for such goals as adding or modifying users, specifying administrative tasks, resetting passwords, maintaining user permissions, and maintaining domain names. To accomplish this, knowledge of role-based access control(RBAC) is crucial.

This IT Pro Challenge virtual lab challenges learners how to effectively use the RBAC for storage accounts and Blob Container. Other guided challenges in this series are “Create and Manage Shared Access Signature (SAS) Keys” and “Configure Security for Cosmos DB”.

Understand the Scenario

One of the most successful job roles related to the Microsoft Azure platform is the Azure administrator role. Since Microsoft Azure is continually extending its number of cloud services, many firms can progress quicker in their journey. Therefore, IT experts can get benefits for their careers by getting Azure administration skills.In this hands-on virtual lab, you are an Azure administrator for a company that is migrating its primary web app from its on-premises datacenter to Azure.The job responsibility is to allow developers and users to access Azure storage accounts by assigning appropriate roles, as a proof of concept. In this virtual lab, learners are provided with an Azure resource group called “@lab.CloudResourceGroup(1852).Name” that contains no resources. They will create the resources needed to accomplish the challenge.

Assign an RBAC role and verify permissions

The permissions needed to complete duties to configure management roles range depending on the method being implemented. Role-based access control (RBAC) is a process of checking network access based on the roles of different users within the company. RBAC allows users to have access rights just to the data they require to perform their functions and restricts them from obtaining data that doesn't concern them. As an Azure administrator, learners will learn how to:

• Use role-based access control (RBAC) to allow a developer with the given username to manage certain resources in the @lab.CloudResourceGroup(1852).Name resource group by adding a role assignment for the developer. The developer should only be able to manage storage accounts.
• Verify the new access control by signing in to Azure and create a storage account named sa11648040 with default settings in the @lab.CloudResourceGroup(1852).Name resource group.

In this IT-Pro challenge, learners will use Access control (IAM) to specify roles to grant access to Azure resources. It's also recognized as identity and access management.

Create a storage container as a developer

A container makes a set of blobs, just like a directory in a file system. A storage can add an infinite number of containers, and a container can save an infinite number of blobs. Blob storage is a characteristic in Microsoft Azure that allows to collect unorganized data in the cloud platform. This data can be obtained from any location and can add audio, video and text. In this segment of the challenge, learners will learn how to create a blob container called images. After creating a blob container, they will then upload any image file as a blob file into the container by specifying Authentication type as Account key, Blob type as Block blob, Block size as 64 KB.

Upload Blob data by using Azure AD user authentication

Azure Active Directory is responsible for giving an identity in the cloud. In other words, selecting authentication and authorization allows situations such as Conditional Access methods that need a user to be in a particular area or a location. This segment of the virtual lab teaches you how to use Azure Active Directory (Azure AD) to upload Blob data. To accomplish this task, learners will learn and follow the following best practices when setting up the Azure AD user authentication:

• Use RBAC to allow the user User1-11648040@cloudslice.onmicrosoft.com to upload blob data into the storage account named sa11648040 by adding a role assignment for the user at the resource level.
• Upload any image file as a blob file into the container by specifying Authentication type as Azure AD user account.
• Download the image file and open it to verify read access. Attempt to give access to another user by assigning a role to the container.

Lab Summary Conclusion

After completing the “Configure Role Based Access Control (RBAC) for storage accounts” virtual lab, you will have accomplished the following:

• Assigned an RBAC role and verified permissions.
• Created a storage container as a developer.
• Uploaded blob data by using Azure AD user authentication.