Implementing an Azure policy comprises three main parts. We will start with the policy definition, policy assignment and scoping, and policy evaluation. Policy Definition There are many built-in policies, and users can write custom policies. You can see built-in policies by navigating to Azure Portal …
5. Once the values are entered as shown here, you can click Save to save the definition. 6. Now that you have created the custom policy, it will be added to the definitions within a few seconds. You can confirm if the policy is created …
When we discussed management groups, you saw that management groups can be used as a scope for policy assignment and for granting access. Policy scope is defined as the process of determining which subscriptions, resource groups, and resources for which the policy should be enforced. Supported scopes include management groups, subscriptions, and resource groups.
Policy assignment is the process of assigning a policy definition to a specific scope, say, management groups, subscriptions, or resource groups. In the same definition blade, you will see an Assign option, as shown in Figure 2.11.
Once you click Assign, you will be taken to the assignment process, and you will get the option to select the scope. Clicking the blue rectangle (refer to Figure 2.12) will show the available scopes including management groups, subscriptions, and resource groups. Based on the scope that you select, the policy will be assigned. After assignment, it takes around 30 minutes to generate the evaluation report. If you would like to assign your custom policy at the management group level, you should create the policy with the management group scope.
In Exercise 2.3, you will see the end-to-end assignment and evaluation process.
Policy Evaluation
After assigning the policy, the existing resources in your scope is reviewed to see if there are any noncompliant resources. Azure Policy offers a dashboard in which you can see the overall compliance of any selected scope and remediate any compliance issues.
Figure 2.13 exhibits a sample dashboard and overall compliance and noncompliant resources in the demo environment. The dashboard can be accessed from Policy ➢ Overview or the Policy ➢ Compliance blade.
In Exercise 2.3, you will see the end-to-end creation, assignment, and evaluation process of Azure policies. In the exercise, you will create a custom policy called “G series VMs are not allowed.” This policy will enforce a rule that G series VMs cannot be deployed to the scope. This helps in stopping users from creating expensive VMs like the G series.
Navigate to the Definitions blade and click Policy Definition.
In the next window, you need to provide the details such as the definition location, name of the policy, description of the policy, and finally definition itself. The following are the values you can give for completing this exercise: • Definition location: Select the management group or subscription where you would like to save the new policy definition. Here we are selecting a subscription for saving the definition. You can select your subscription. If you are planning to use this policy for a management group, then you should choose the management group as the location. Policies defined at the subscription level cannot be assigned to management groups.
Name: Specify a name for the policy that will be displayed in the policy list. Since we are creating the policy for blocking the deployment of G series VMs, you can give the name as “G series VMs are not allowed.”Description: This will be useful for other users to understand what this policy is about. Giving a good description is always recommended. In this case, we can add the description as Use this policy to block the deployment of G series VM.Category: You could specify to which category this new policy should be added. There are built-in categories for every service; if you want, you can create a new category altogether. This will be useful for filtering policies under a specific category while searching for policies. For the time being, you can mark the category as General.
Using initiatives, you can chain or combine multiple policies, assign them on a scope, and manage them without hassle. Like policies, you can use the built-in initiatives, or you can produce a custom initiative. The concepts related to policies such as assignment, scoping, definition, and …
Role-based access control (RBAC) is used for the access management of cloud resources. This is a critical function for any organization as we do not want unauthorized users to access our resources. You can follow the principle of least privilege and assign RBAC roles to …
Scope is not an unfamiliar word for us. You saw this term when we discussed management groups and policies. In RBAC, scope is used to define where exactly the security principal should have the permissions described in the definition.
Allowed scopes include management groups, subscriptions, resource groups, and resources. Unlike policies, you can have resource-level permissions. The access given to a higher scope is inherited by all child scopes.
FIGURE 2.16 Viewing the definition of a role using PowerShell
FIGURE 2.17 Viewing the definition of a role using the Azure CLI
Assignment
Combining the service principal (who), role definition (what), and scope (where) forms the assignment. In other words, the action of attaching a role definition to a security principal at a specific scope is called role assignment.
As an administrator, you will be creating the assignments to grant users access to particular scopes. The action mentioned in the role definition can be performed by these users as long as they have access to the scope.
Figure 2.18 illustrates how the security principal, role definition, and scope are combined to create a role assignment.
Now that you are familiar with the concepts, let’s learn the fundamental roles for RBAC.
Azure RBAC Roles
In this section, we will discuss the fundamental roles that every administrator should know. Additionally, we will cover the key differences between Azure AD roles, Azure RBAC roles, and custom roles.
Fundamental RBAC Roles
Azure provides 100+ built-in roles meant for providing granular access to each service; however, memorizing all these roles is not possible. These fundamental roles are useful in scenarios where you want to give full access or read-only access to a specific scope. If the fundamental roles or built-in roles are not able to meet your requirements, then you will go with the custom roles. There are four Azure fundamental roles that you should be aware of.
Owner Has full access to the scope to which this is assigned; also as an Owner you can delegate access to other users. For example, you as Owner can assign Owner or any other role to another user.
Contributor Has the same level of resource permissions as Owner; however, Contributor cannot delegate access to others.
Reader Assigns a read-only role.
User Access Administrator Can delegate access to other users; however, this role cannot manage any resources.
A common dilemma that everyone has is how the Azure AD roles are different from Azure RBAC roles and where exactly the classic roles fit. Let’s understand the differences between these concepts.
If you are new to Azure, you will find it a little confusing to understand the distinct roles in Azure and how they are different. When Azure was released, the RBAC roles were not there. We had something called the classic subscription administration roles. There …
Creating a Custom Role Using PowerShell 4. The VM related actions are part of the Microsoft.Compute/virtualMachines namespace. We need to find the operations available for this provider. The operations can be found using the command Get-AzProviderOperation “Microsoft.Compute/virtualMachines/*”. As shown here, you can see the operations …
Using custom RBAC roles, we can create fine-tuned roles that match your organizational needs. This customization offered by Azure RBAC is a boon for administrators. We can combine multiple roles and create a single role, or we can take a built-in role as a baseline and customize that. In next exercise, we will create a custom role using PowerShell.
We can always build from scratch or clone a role and modify it. It’s easy to clone and modify a role as there will be minimal chances of syntax errors as the structure is cloned from an existing role. To explain the components of the JSON definition, we will take the Owner as an example. We have already seen how to extract the JSON when we discussed role definition.
{ “Name”: “Owner”, “Id”: “8e3af657-a8ff-443c-a75c-2fe8c4bcb635”, “IsCustom”: false, “Description”: “Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.”, “Actions”: [ “*” ], “NotActions”: [], “DataActions”: [], “NotDataActions”: [], “AssignableScopes”: [ “/” ] }
Table 2.2 explains the meaning of each component in the JSON manifest.
Unique ID used to identify the role. When we create a custom role, we will leave this field blank, and Azure will automatically assign a unique ID to the role.
IsCustom
This flag denotes if the role is a custom role or not. Here we used Owner role, this is obviously not a custom role; hence, this flag is set to false (or BuiltInRole). If you are creating custom role, make sure this flag is set to true (or CustomRole).
Description
Description of the role.
Actions
Set of specific management operations that the role allows to perform.
NotActions
Set of actions that are excluded from allowed actions.
DataActions
Set of data operations that are allowed by the role.
NotDataActions
Set of data actions that are excluded from allowed data actions.
AssignableScopes
Set of scopes where the role is available for assignment.
The aforementioned properties are shown only in Azure PowerShell. When you are using the Azure Portal, Azure CLI, or REST API, the property names will be slightly different. However, you can easily figure them out. The following is the list of properties shown in the Azure portal, Azure CLI, or REST API:
roleName name type description actions [] notActions [] dataActions [] notDataActions [] assignableScopes []
In the definition, we can define what operational actions are allowed. Operations are specified in the format {Company}.{ProviderName}/{resourceType}/{action}. The {action} denotes the set of operations that you can perform on a resource type. For example, if you need to grant read access to virtual machines, then the string format will be Microsoft.Compute/virtualMachines/read. At this point, do not worry about how we derived this string. During the exercise, you will see an easy way to derive these operation strings. Table 2.3 shows the set of actions available.
To complete this exercise, you need to be an Owner or User Access Administrator.
In Exercise 2.4, you will create a role called Virtual Machine Supporter. This role should be able to start/stop VMs and manage support cases. Let’s get started.
You already saw what a role assignment is theoretically when we studied the concepts related to Azure RBAC. In this section, you will be reusing the custom role you created in the previous exercise and assigning that role to a user. Once it’s assigned, you …