3.20 RBAC Demo

Video Transcription
Welcome back. In this episode, we're going to take some concepts from the last episode and go out to our Azure portal to take a look at RBAC in our demo.
Our demo objectives: we're going to review roles and admin groups, assign roles and admin groups, and then also create a custom role inside Azure PowerShell. Let's jump out to the Azure portal.
Here we are, back in our Azure portal. First I want to go take a look at our admin groups that we talked about in the last episode. We go into Azure Active Directory, and let's go take a look at Roles and administrators.
Here we have all the admin roles that we can use to grant access to our Azure Active Directory and then other Microsoft services, like we mentioned, such as an Exchange administrator or even an Azure DevOps administrator. As we scroll through here, you'll see all the ones that are available. They can get pretty granular, such as a Conditional Access administrator
or even just a directory reader.
Like I mentioned, the Global Reader is a new one. It can read everything that a global admin can, but it can't make any changes. So what I want to do is go into the Global Administrator role.
The only account here right now is myself as the global admin. So I want to just assign another global admin for our tenant.
And here I have my Jeff Admin account, which, if you remember from our Azure AD Connect episode, is actually being synchronized from my on-premises Active Directory.
So there I now have another global admin inside of my tenant. Another thing I want to point out here, which is not covered in this exam but is definitely important to know if you're going to be working inside of Azure, is Privileged Identity Management, or PIM. Up here we have an option to manage the global admin role inside of PIM.
PIM provides a couple of different options, but one of them is just-in-time privileged access,
meaning if someone needs to be a global admin, but not all the time, they can be given the permission to say, "Hey, I need to be a global admin for a little while." They're automatically put into the group after approval, and then they're automatically taken back out, so they can just perform the little
function they need to real quick, and then they aren't a global admin anymore.
Let's go back to our roles and administrators,
If you find yourself in a position where one of these built-in roles is not working for you, you can always create a new custom role
in here. Let's give it a name,
and you can start from scratch or clone from a custom role. I'm just going to start from scratch right now.
Here you can see all the permissions that are available for the different components and aspects inside of Azure, such as the directory itself.
So, for example, we could search for credentials,
and this will bring up the components we can assign to manage properties and credentials of app registrations.
Then we can review and simply create our new custom role.
Next, let's go take a look at the roles we can assign to our Azure resources, and I want to start this off by going into our subscriptions.
We'll select my Microsoft Azure Standard subscription here,
and we can go into Access control (IAM).
We can check access to review the level of access that a group, a user, or another identity has on the existing resource.
We can take a look at our existing role assignments
here. My global admin account that we've been using this entire time is also an Owner on the subscription, meaning it can make all the changes it needs to and also assign other users.
We have deny assignments; we don't have any configured right now,
and there we have a list of the individual built-in roles that we have available.
Right at the top we have the three that we talked about that apply to resources: Owner, Contributor, and Reader.
But as you can see, we have a lot more roles that we can assign in here.
We also have roles for backup contributors, operators, or readers,
and I think you get the idea. We can get pretty granular with these built-in roles and assign them to users so they don't have full access to everything, but just have access to the roles and responsibilities that they need on our resources.
So let's go back to role assignments. I want to give my Jeff Admin permissions on this subscription.
Now, I want my other Jeff Admin account to be able to do anything that it needs to, but I don't want that person to be able to assign permissions to other users. So what I'm going to do here is just select the Contributor role.
Now my other Jeff Admin account is a Contributor for this subscription. And remember, this is also for everything else inside of the subscription. So resource groups, storage accounts, virtual machines, anything else inside the subscription, the Jeff Admin account will have access to.
Let's jump in and take a look at our other resources and see how this can apply there.
Let's go check out our resource groups
Here, I can go into this specific resource group and also go into Access control.
Let's go check out our current role assignments.
You can see I have my Jeff Brown Cybrary account, but also my Jeff Admin, because it inherited it from the subscription level.
But maybe this particular resource group is hosting an application or the virtual machines that only specific admins need to have access to, so I could come in here
and add a role assignment.
And maybe this group of people just needs to be a Virtual Machine Contributor, meaning they can administer the virtual machines but not make any other changes to other resources in the resource group.
So I'm going to select Jane Johnson. And now my Jane Johnson user will have contributor rights to the virtual machines inside this resource group, but only this resource group, not other ones I have, and also not other non-virtual-machine resources inside this group.
So now we have Jane assigned to a built-in role of Virtual Machine Contributor. But let's say
none of the built-in roles fit the needs that we have for one of our admins in our environment;
you do have the option of creating a custom role. And to do that, we're going to jump out to Azure PowerShell.
Now, I know we haven't talked about Azure PowerShell very much during this course, and it's something I'm saving towards the end that we'll cover.
But for right now, just understand that I have the PowerShell module installed for Azure, and I've already connected to the service. So what I want to do is just take a look at the built-in role definitions that we have. And we can do that using the Get-AzRoleDefinition command.
And we're going to pull up that Virtual Machine Contributor role, and here this probably looks a little familiar. It's got a couple of things from our slides. We have the name, the actions, the NotActions, which are denies,
and then you can also get granular with DataActions and NotDataActions,
and then also the assignable scope. But you see our actions here.
There's more to it that needs to be expanded. So let's take this.
We're going to convert it to JSON.
This looks a little bit better. Let's scroll up and take a look. So here we can see inside of our actions the resource providers that we've already discussed, like Microsoft.Network and Microsoft.Compute. And these represent the different resources we have inside of Azure.
So let's say I want to take this virtual machine contributor role and create a custom role based off of it.
We're going to keep our ConvertTo-Json command,
and I'm just going to Out-File it
and call it new-role.json.
Now, I'm just going to open this up in Notepad, but you should be able to view and edit it in any type of text editor.
And here we have our role represented in JSON.
And let's say I want this new role to not only be able to add public IP addresses to virtual machines; I'm okay with them creating public IP addresses.
So I could take out all this right here and just put the wildcard in there, and that will give this role any access to public IP address resources.
Now, before importing this, we do need to make a couple of other changes. We need to change our Id to null, and we are going to say this is a custom role,
and then down here we need to give it an assignable scope, and I'm going to assign it to our subscription.
If I go back to PowerShell,
I can run Get-AzSubscription,
and that's going to give me the value of our Microsoft Azure Standard subscription we've been using so far.
I'll save this.
Next, we're going to use the New-AzRoleDefinition command. We're going to use -InputFile and specify our new role.
You can see the command's going to run some validation and make sure our JSON is correct. It looks like I made a small mistake when I modified it here.
If I go back and take a look, I just forgot to close out this quote here when I changed the public IP address resource provider.
I'll go and save that. And I also forgot to change our custom role name. As you can see, it's going to make sure you don't mess anything up and everything's in the right format.
So now we have our new role
and we can find this by running another command.
We can run this to find all of our custom roles,
and you see I have my custom roles that I made previously, and then I have our new one here, the Virtual Machine Contributor with PIP, or public IP address, permissions.
So now let's go back out to our Azure portal and assign this to one of our users.
Back here in the Azure portal, we're going to use this new role definition that we just made to assign it to someone inside this resource group. We click on Add,
search for Virtual Machine,
and we can see our new role right here.
I'm going to assign this to one of our users.
So now this user should have all the same rights that the Virtual Machine Contributor had, but with the option to manage public IP addresses.
One other thing I want to show you with this built-in role.
If we go take a look at our list of all the roles that are available
and search for it,
we'll see it here listed. And you see the type
is custom role. We have our custom name here that we put, and also notice that the icon is different, just for easy identification from the built-in roles in here.
That does it for the demo. Let's wrap this up and go back to our slides.
Coming up next, we're going to take a look at our next security feature by talking about how to configure multi-factor authentication.
See you in the next episode.
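The custom-role workflow from the PowerShell part of the demo, end to end, as an added example that is not the course's own script: export the built-in Virtual Machine Contributor definition, replace the narrow public IP actions with the wildcard, null the Id, mark it custom, scope it to the subscription, import it, and verify. It assumes the Az module is installed and Connect-AzAccount has already been run; the role name and file name are placeholders.

```powershell
# Added example (not the course's script). Assumes Az module + Connect-AzAccount.
# Role name and file name below are placeholders chosen for this example.

# 1. Export the built-in role to JSON, as the demo does with Out-File.
$base = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$base | ConvertTo-Json -Depth 10 | Out-File -FilePath .\new-role.json

# 2. Edit the definition. Doing it in code instead of Notepad avoids the
#    unclosed-quote and forgotten-Name mistakes that New-AzRoleDefinition
#    rejected during the demo.
$role = Get-Content -Path .\new-role.json -Raw | ConvertFrom-Json
$role.Id          = $null                                   # new role, no Id yet
$role.IsCustom    = $true                                   # must be marked custom
$role.Name        = 'Virtual Machine Contributor with PIP'  # placeholder name
$role.Description = 'VM Contributor plus full control of public IP addresses'

# Replace any narrow publicIPAddresses actions with the wildcard used in the
# demo. Note the wildcard also grants write/delete on public IPs, so keep the
# assignable scope as tight as the job allows.
$role.Actions  = @($role.Actions | Where-Object {
    $_ -notlike 'Microsoft.Network/publicIPAddresses/*' })
$role.Actions += 'Microsoft.Network/publicIPAddresses/*'

# Scope the role to the current subscription (Get-AzSubscription also works).
$subId = (Get-AzContext).Subscription.Id
$role.AssignableScopes = @("/subscriptions/$subId")

$role | ConvertTo-Json -Depth 10 | Set-Content -Path .\new-role.json

# 3. Import. The cmdlet validates the JSON and fails on malformed input or a
#    Name that collides with an existing role definition.
New-AzRoleDefinition -InputFile .\new-role.json

# 4. Verify: list only custom roles, as the demo does after the import.
Get-AzRoleDefinition | Where-Object { $_.IsCustom } | Select-Object Name, Id
```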