Use RBAC and Design a Custom Role

In this IT Pro Challenges virtual lab, learners are introduced to the skills required to design a custom role using RBAC. Exercises in this lab teach users how to assign built-in roles and permissions, set up CloudShell storage, and write a custom role JSON file. The topics covered in this lab are critical for learners to be effective in Azure administrator job rol...

45 minutes

Azure role-based access control (Azure RBAC) is the authorization system used to manage access to Azure resources. Using Azure RBAC, administrators can separate duties within the team and grant users only the access they need to do their jobs.

In this hands-on lab, you will use RBAC and design a custom role. First, you will assign built-in roles and verify permissions. Next, you will create and deploy an Azure virtual machine. Finally, you will use PowerShell to design a custom role. The other guided challenges in this series are "Use Azure Storage Explorer" and "Enable VM Backup Using Recovery Services Vault."

Understand the Scenario

In this virtual lab, you are an Azure administrator for a company that is migrating its primary web app from its on-premises datacenter to Azure. Your job is to allow developers to create and deploy Azure virtual machines by assigning an appropriate role. You also need to design a custom role definition, as a proof of concept. To accomplish this task, you will use an Azure resource group that initially contains no resources. You will create the necessary resources to complete the challenge.

Assign built-in roles and verify permissions

Azure role-based access control (RBAC) is the permission model you use to control access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. In this section of the lab, you will learn how to assign built-in roles and verify permissions. First, you will use RBAC to allow a developer to manage certain resources in the resource group corp-datalod12722810 by adding role assignments for the developer. The developer should only be able to manage the storage accounts, virtual machines, and networks. Next, you will verify the new access control by signing in to Azure as the developer and creating a storage account with default settings in the resource group. Finally, you will check and verify that you have assigned the correct roles to the developer user account and that the Azure Storage account was created successfully.
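The assignment and verification steps above, as an added Azure PowerShell example that is not the lab's own script. It assumes the developer's sign-in name (a placeholder) and that the three built-in roles named below are the ones chosen; the lab text only names the resource group.

```powershell
# Added example, not part of the lab. Placeholder sign-in name and assumed roles.
$rg  = "corp-datalod12722810"
$dev = "developer@contoso.example"   # placeholder sign-in name

# Scope every assignment to the resource group, not the subscription,
# so the developer gets nothing outside the migration project.
$roles = @("Virtual Machine Contributor", "Storage Account Contributor", "Network Contributor")
foreach ($r in $roles) {
    New-AzRoleAssignment -SignInName $dev -RoleDefinitionName $r -ResourceGroupName $rg
}

# Verify: list what the developer now holds at this scope.
Get-AzRoleAssignment -SignInName $dev -ResourceGroupName $rg |
    Select-Object RoleDefinitionName, Scope

# Check for anything broader than intended (for example an inherited
# Contributor or Owner assignment at the subscription level).
Get-AzRoleAssignment -SignInName $dev |
    Where-Object { $_.Scope -notlike "*/resourceGroups/$rg*" }
```

If the last query returns any rows, the developer has access that does not come from this resource group and the least-privilege goal of the exercise is not met.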

Create a virtual machine as a developer

Azure virtual machines (VMs) can be created through the Azure portal, which provides a browser-based interface for building VMs and their associated resources. In this section of the lab, you will create a virtual machine as a developer. First, you will make sure that you are signed in to Azure as the developer. Next, in the corp-datalod12722810 resource group, you will create an Azure VM and configure it to use Windows Server 2016 Datacenter. You will set the VM size to Standard B2s with HDD managed disks, enable RDP access, create a server admin account, turn off the Auto Shutdown option, and disable all Monitoring options. Finally, you will check and verify that the Azure virtual machine has been created successfully and that the audit log shows the developer created it.

Design a custom role

If the Azure built-in roles don't satisfy the particular requirements of your company, you can design your own custom roles. In this section of the lab, you will learn how to design a custom role. You need to design a custom role named Virtual Machine Operator that allows the user to view virtual machine information and to start and shut down virtual machines. First, you will start a CloudShell session using Windows PowerShell, choose the existing resource group corp-datalod12722810, specify a new storage account cs12722810 and a new file share fs12722810, and use East US as the location. Next, you will use PowerShell to list the operations associated with virtual machines and to retrieve the built-in role definition for Virtual Machine Contributor. Then you will attempt to create a new custom role by running a particular statement. You will receive an expected error stating that you are not authorized to create a custom role. Finally, you will check and verify that you have created the required CloudShell storage account, the required CloudShell file share, and the required custom role JSON file successfully.
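The custom role workflow described above, as an added Azure PowerShell example that is not the lab's own script. It assumes the subscription id placeholder shown, the output file name, and the specific set of Actions (the lab only states that the role must view, start and stop VMs).

```powershell
# Added example, not part of the lab. Subscription id and file name are placeholders.
$subId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id

# 1. List the operations that exist for virtual machines, to pick only what the role needs.
Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*" |
    Format-Table Operation, Description -AutoSize

# 2. Start from the built-in Virtual Machine Contributor definition, then strip it down.
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                 # a new definition must not reuse the built-in Id
$role.Name = "Virtual Machine Operator"
$role.Description = "Can view, start, restart and stop virtual machines."
$role.IsCustom = $true

$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
# No write or delete actions on VMs: an operator can control power state but
# cannot create, resize or remove machines.

$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")

# 3. Save the definition as the custom role JSON file on the Cloud Shell file share.
$role | ConvertTo-Json -Depth 5 | Out-File -FilePath "$HOME/vmoperator.json" -Encoding utf8

# 4. Create the role. This fails with "not authorized" unless the caller holds
#    Microsoft.Authorization/roleDefinitions/write (Owner or User Access Administrator)
#    on the assignable scope, which is the error the lab expects.
New-AzRoleDefinition -Role $role
```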

Lab Summary Conclusion

After completing the "Use RBAC and Design a Custom Role" virtual lab, you will have accomplished the following:

  • Assigned built-in roles and verified permissions.
  • Created a virtual machine as a developer.
  • Designed a custom role.
