Custom RBAC for Azure
Hi Everyone,
There are many articles about creating custom RBAC roles in Azure, but at times none of the built-in roles fulfils our business or security requirements.
With the help of PowerShell, I have tried to gather all the information related to the resource providers and the services they host, so that we can create our own custom RBAC role as per the business requirement.
Before we jump into creating custom RBAC roles, let’s get an idea of how exactly it works at the backend.
Every service in Azure is hosted by a resource provider, and whenever we add a specific resource to our Azure subscription, the resource provider hosting that service gets registered.
To check which resource providers are currently registered with your subscription, run the command below in AzureRM PowerShell.
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState
To download AzureRM PowerShell, please follow the link below,
/en-us/powershell/azureps-cmdlets-docs/
Note: - Log in with a Global Admin account, as all the roles will get saved in the default directory of the subscription.
We all know that one directory can be the default directory of multiple subscriptions, but this doesn’t mean we can use the roles created for one subscription in another subscription.
So, let’s assume a scenario where we have a directory D1 which is the default directory for two subscriptions, S1 and S2.
Now, whenever a custom role is created in either subscription, the role will get saved in the same directory, but since the assignable scopes are different, the roles remain isolated between the two subscriptions.
To register all the resource providers for your subscription, you can run the command below,
Get-AzureRmResourceProvider -ListAvailable |
    ForEach-Object { Register-AzureRmResourceProvider -ProviderNamespace $_.ProviderNamespace }
Note: - It’s not necessary to register all the resource providers, as they get registered automatically once the respective resources are added.
So for example: - If you add a Service Bus to your subscription, the resource provider “Microsoft.ServiceBus” will get registered automatically.
Note: - There is a limit of 2000 roles per tenant.
Any role (be it custom or built-in) in Azure is divided into three parts,
Actions: - The Actions property of a custom role specifies the Azure operations to which the role grants access. It is a collection of operation strings that identify securable operations of Azure resource providers.
NotActions: - Use the NotActions property if the set of operations that you wish to allow is more easily defined by excluding restricted operations. The access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.
Assignable Scopes: - The Assignable Scopes property of the custom role specifies the scopes (subscriptions, resource groups, or resources) within which the custom role is available for assignment. You can make the custom role available for assignment in only the subscriptions or resource groups that require it, and not clutter user experience for the rest of the subscriptions or resource groups.
Note: - The assignable scope for a resource or resource group can be found in the Properties panel (Resource ID).
Note: - We can only create custom RBAC roles for those resources for which the IAM (Access control) tab is available.
Below is the list of all the resource providers: -
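To see how the three parts combine, here is a small PowerShell helper, added to this post and not part of the original or of the Azure modules, that evaluates a role's Actions and NotActions against one operation string exactly as the Actions-minus-NotActions rule describes. The action strings are the ones used for the load balancer role later in this post.

```powershell
function Test-RoleGrantsOperation {
    # Returns $true when $Operation is matched by at least one Actions pattern
    # and by no NotActions pattern (effective permission = Actions - NotActions).
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [string[]] $NotActions = @(),
        [Parameter(Mandatory)] [string] $Operation
    )
    # Azure treats '*' inside an operation string as a wildcard; turn each pattern
    # into an anchored regex. PowerShell's -match is case-insensitive, as Azure is.
    $toRegex = { param($p) '^' + ([regex]::Escape($p) -replace '\\\*', '.*') + '$' }
    $allowed = @($Actions    | Where-Object { $Operation -match (& $toRegex $_) })
    $denied  = @($NotActions | Where-Object { $Operation -match (& $toRegex $_) })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# The role built later in this post: load balancer read/write, full control of
# its probes, and joining public IPs. Nothing else.
$lbActions = @(
    'Microsoft.Network/loadBalancers/read',
    'Microsoft.Network/loadBalancers/write',
    'Microsoft.Network/loadBalancers/probes/*',
    'Microsoft.Network/publicIPAddresses/join/action'
)
foreach ($op in 'Microsoft.Network/loadBalancers/probes/write',
                'Microsoft.Network/loadBalancers/delete',
                'Microsoft.Network/publicIPAddresses/write') {
    '{0,-55} {1}' -f $op, (Test-RoleGrantsOperation -Actions $lbActions -Operation $op)
}

# NotActions variant: everything on load balancers except deleting them.
# NotActions only narrows this role; it is not a deny rule, so a second role
# assignment that grants delete would still allow it.
Test-RoleGrantsOperation -Actions 'Microsoft.Network/loadBalancers/*' `
                         -NotActions 'Microsoft.Network/loadBalancers/delete' `
                         -Operation 'Microsoft.Network/loadBalancers/delete'
```

Only the probe write is granted by the first role; the delete in the second call is matched by Actions but removed again by NotActions.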
84codes.CloudAMQP | Microsoft.Features |
AppDynamics.APM | Microsoft.HDInsight |
Aspera.Transfers | Microsoft.ImportExport |
Auth0.Cloud | microsoft.insights |
Citrix.Cloud | Microsoft.KeyVault |
Cloudyn.Analytics | Microsoft.Logic |
Conexlink.MyCloudIT | Microsoft.MachineLearning |
Crypteron.DataSecurity | Microsoft.MarketplaceOrdering |
Dynatrace.DynatraceSaaS | Microsoft.Media |
Dynatrace.Ruxit | Microsoft.MobileEngagement |
LiveArena.Broadcast | Microsoft.Network |
Lombiq.DotNest | Microsoft.NotificationHubs |
Mailjet.Email | Microsoft.OperationalInsights |
Microsoft.ADHybridHealthService | Microsoft.OperationsManagement |
Microsoft.Advisor | Microsoft.Portal |
Microsoft.AnalysisServices | Microsoft.PowerBI |
Microsoft.ApiManagement | Microsoft.RecoveryServices |
Microsoft.AppService | Microsoft.Relay |
Microsoft.Authorization | Microsoft.ResourceHealth |
Microsoft.Automation | Microsoft.Scheduler |
Microsoft.AzureActiveDirectory | Microsoft.Search |
Microsoft.AzureStack | Microsoft.Security |
Microsoft.Batch | Microsoft.ServerManagement |
Microsoft.Billing | Microsoft.ServiceBus |
Microsoft.BingMaps | Microsoft.ServiceFabric |
Microsoft.BizTalkServices | Microsoft.SiteRecovery |
Microsoft.Cache | Microsoft.Sql |
Microsoft.Cdn | Microsoft.Storage |
Microsoft.CertificateRegistration | Microsoft.StorSimple |
Microsoft.ClassicCompute | Microsoft.StreamAnalytics |
Microsoft.ClassicNetwork | microsoft.support |
Microsoft.ClassicStorage | microsoft.visualstudio |
Microsoft.ClassicInfrastructureMigrate | Microsoft.Web |
Microsoft.CognitiveServices | Myget.PackageManagement |
Microsoft.Commerce | NewRelic.APM |
Microsoft.Compute | Paraleap.CloudMonix |
microsoft.consumption | Pokitdok.Platform |
Microsoft.ContainerRegistry | RavenHq.Db |
Microsoft.ContainerService | Raygun.CrashReporting |
Microsoft.ContentModerator | RedisLabs.Memcached |
Microsoft.CustomerInsights | RedisLabs.Redis |
Microsoft.DataCatalog | RevAPM.MobileCDN |
Microsoft.DataFactory | Sendgrid.Email |
Microsoft.DataLakeAnalytics | Signiant.Flight |
Microsoft.DataLakeStore | Sparkpost.Basic |
Microsoft.Devices | stackify.retrace |
Microsoft.DevTestLab | SuccessBricks.ClearDB |
Microsoft.DocumentDB | TrendMicro.DeepSecurity |
Microsoft.DomainRegistration | U2uconsult.TheIdentityHub |
Microsoft.DynamicsLcs | Microsoft.Resources |
Microsoft.EventHub |
To list all the role definitions (built-in roles included), run the command below.
Get-AzureRmRoleDefinition | Select-Object Name
To list only the custom roles, run the command below.
Get-AzureRmRoleDefinition -Custom
To get the list of valid actions for the built-in roles, which can be used to create your own custom role, read the Actions property of every role. Below is the list of roles available in my test subscription.
Note: - This list will vary depending upon the resources you have in your subscription.
API Management Service Contributor
API Management Service Operator Role
API Management Service Reader Role
Application Insights Component Contributor
Automation Operator
Backup Contributor
Backup Operator
Backup Reader
BizTalk Contributor
CDN Endpoint Contributor
CDN Endpoint Reader
CDN Profile Contributor
CDN Profile Reader
Classic Network Contributor
Classic Storage Account Contributor
Classic Virtual Machine Contributor
ClearDB MySQL DB Contributor
Contributor
Data Factory Contributor
Data Lake Analytics Developer
DevTest Labs User
DNS Zone Contributor
DocumentDB Account Contributor
Intelligent Systems Account Contributor
Key Vault Contributor
Logic App Contributor
Logic App Operator
Monitoring Contributor Service Role
Monitoring Reader Service Role
Network Contributor
New Relic APM Account Contributor
Owner
Reader
Redis Cache Contributor
Scheduler Job Collections Contributor
Search Service Contributor
Security Manager
SQL DB Contributor
SQL Security Manager
SQL Server Contributor
Storage Account Contributor
Traffic Manager Contributor
User Access Administrator
Virtual Machine Contributor
Web Plan Contributor
Website Contributor
To get the list of valid actions, run the commands below (one per role; each is a complete command on its own),
(Get-AzureRmRoleDefinition -Name "API Management Service Contributor").Actions
(Get-AzureRmRoleDefinition -Name "API Management Service Operator Role").Actions
(Get-AzureRmRoleDefinition -Name "API Management Service Reader Role").Actions
(Get-AzureRmRoleDefinition -Name "Application Insights Component Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Automation Operator").Actions
(Get-AzureRmRoleDefinition -Name "Backup Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Backup Operator").Actions
(Get-AzureRmRoleDefinition -Name "Backup Reader").Actions
(Get-AzureRmRoleDefinition -Name "BizTalk Contributor").Actions
(Get-AzureRmRoleDefinition -Name "CDN Endpoint Contributor").Actions
(Get-AzureRmRoleDefinition -Name "CDN Endpoint Reader").Actions
(Get-AzureRmRoleDefinition -Name "CDN Profile Contributor").Actions
(Get-AzureRmRoleDefinition -Name "CDN Profile Reader").Actions
(Get-AzureRmRoleDefinition -Name "Classic Network Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Classic Storage Account Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Classic Virtual Machine Contributor").Actions
(Get-AzureRmRoleDefinition -Name "ClearDB MySQL DB Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Data Factory Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Data Lake Analytics Developer").Actions
(Get-AzureRmRoleDefinition -Name "DevTest Labs User").Actions
(Get-AzureRmRoleDefinition -Name "DNS Zone Contributor").Actions
(Get-AzureRmRoleDefinition -Name "DocumentDB Account Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Intelligent Systems Account Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Key Vault Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Logic App Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Logic App Operator").Actions
(Get-AzureRmRoleDefinition -Name "Monitoring Contributor Service Role").Actions
(Get-AzureRmRoleDefinition -Name "Monitoring Reader Service Role").Actions
(Get-AzureRmRoleDefinition -Name "Network Contributor").Actions
(Get-AzureRmRoleDefinition -Name "New Relic APM Account Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Owner").Actions
(Get-AzureRmRoleDefinition -Name "Reader").Actions
(Get-AzureRmRoleDefinition -Name "Redis Cache Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Scheduler Job Collections Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Search Service Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Security Manager").Actions
(Get-AzureRmRoleDefinition -Name "SQL DB Contributor").Actions
(Get-AzureRmRoleDefinition -Name "SQL Security Manager").Actions
(Get-AzureRmRoleDefinition -Name "SQL Server Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Storage Account Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Traffic Manager Contributor").Actions
(Get-AzureRmRoleDefinition -Name "User Access Administrator").Actions
(Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Web Plan Contributor").Actions
(Get-AzureRmRoleDefinition -Name "Website Contributor").Actions
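The per-role commands above can be collapsed into one pass that records every action string together with the roles granting it, which is the kind of sheet the author attached. This is an added example, not the author's workbook or script; the CSV path is an assumption, and the last command uses the Get-AzureRmProviderOperation cmdlet to expand a wildcard into the concrete operations a provider actually defines.

```powershell
# Inventory every operation string granted by any role definition visible in
# the current subscription, remembering which roles grant it.
function Get-RoleActionInventory {
    $inventory = @{}
    foreach ($role in Get-AzureRmRoleDefinition) {
        foreach ($action in $role.Actions) {
            if (-not $inventory.ContainsKey($action)) {
                $inventory[$action] = New-Object System.Collections.Generic.List[string]
            }
            $inventory[$action].Add($role.Name)
        }
    }
    $inventory.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            Action    = $_.Key
            GrantedBy = ($_.Value | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Action
}

# Same data as the per-role commands above, collected in one pass.
# The output path is an assumption; change it to suit.
Get-RoleActionInventory | Export-Csv -Path "$env:USERPROFILE\role-actions.csv" -NoTypeInformation

# Role definitions lean on wildcards such as Microsoft.Network/*. To list the
# concrete operations a wildcard covers, ask the resource provider directly.
Get-AzureRmProviderOperation -OperationSearchString 'Microsoft.Network/loadBalancers/*' |
    Select-Object Operation, Description
```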
I have also attached an Excel sheet with which you can create your own custom role.
For this lab demo, I have added a load balancer on which we will try creating a custom RBAC role.
Requirement: - Let’s assume a requirement where we want a specific user to create health probes for the load balancer, and apart from this he can’t manage any other service or resource.
The name of the resource (load balancer) is Custom_RBAC (LB), and the resource group in which it resides is RBAC.
For this lab demo we will create the custom RBAC role at the resource group level.
Resource Group – RBAC.
Pre-requisites for creating an RBAC role: - We must know the assignable scope.
The assignable scope can be found for any resource or resource group; all you need to do is navigate to the resource or resource group and click on Properties, as shown in the screenshot.
So, for this example the resource ID is –
/subscriptions/#######/resourceGroups/RBAC
Actions Required: -
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/loadBalancers/probes/*
Microsoft.Network/publicIPAddresses/join/action
Note: - The Excel sheet might not list all the actions, so we can check the Owner permissions on every resource to find the valid actions.
How to Create: -
Open the Excel document and navigate to the third sheet: -
Step 1 – Enter the name of the role: - “RBAC_test for LB”.
Step 2 – Enter the description of the role: - “Probe Access for LB”.
Step 3 – Copy the actions into the respective action fields.
Step 4 – Copy the assignable scope.
Since we don’t have any actions that should be blocked, leave the NotActions fields empty.
Now, once all the values are set, navigate to the role sheet and you will find the custom role already created for you.
In this test example, it will be:
{
"Name": "RBAC_test for LB",
"Description": "Probe Access for LB",
"Actions": ["Microsoft.Network/loadBalancers/read","Microsoft.Network/loadBalancers/write","Microsoft.Network/loadBalancers/probes/*", "Microsoft.Network/publicIPAddresses/join/action",
"0",
"0",
"0",
"0",
"0",
"0"
],
"NotActions":[
"0",
"0",
"0",
"0",
"0",
"0",
"0",
"0",
"0",
"0"
],
"AssignableScopes": ["/subscriptions/##########/resourceGroups/RBAC"],
}
- Since Excel auto-populates the value of a null cell as “0”, delete the “0” entries shown above.
Your custom role is now ready to be created.
{
  "Name": "RBAC_test for LB",
  "Description": "Probe Access for LB",
  "Actions": [
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/probes/*",
    "Microsoft.Network/publicIPAddresses/join/action"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/###############/resourceGroups/RBAC"
  ]
}
Save this as a JSON file and run the command below to create the role.
New-AzureRmRoleDefinition -InputFile "C:\custom_RBAC_LB.json"
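The same role can be created without the Excel and JSON round trip by building the definition object in PowerShell, and a role only takes effect once it is assigned. This added example (not from the original post) creates the definition, assigns it to one user at the RBAC resource group only, and reads the assignment back; the subscription ID and the user's sign-in name are placeholders.

```powershell
# Use a built-in definition as a typed template; clearing its lists and Id
# leaves an empty PSRoleDefinition object to fill in.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id = $null                        # null Id => New-AzureRmRoleDefinition creates a new role
$role.Name = 'RBAC_test for LB'
$role.Description = 'Probe Access for LB'
$role.Actions.Clear()
foreach ($action in 'Microsoft.Network/loadBalancers/read',
                    'Microsoft.Network/loadBalancers/write',
                    'Microsoft.Network/loadBalancers/probes/*',
                    'Microsoft.Network/publicIPAddresses/join/action') {
    $role.Actions.Add($action)
}
$role.NotActions.Clear()                # nothing to exclude for this role
$role.AssignableScopes.Clear()
# <subscription-id> is a placeholder; the scope is the RBAC resource group from the post
$role.AssignableScopes.Add('/subscriptions/<subscription-id>/resourceGroups/RBAC')

New-AzureRmRoleDefinition -Role $role

# Grant the role to the user at the resource-group scope only. The sign-in name is a placeholder.
$user = 'probe.operator@example.com'
New-AzureRmRoleAssignment -SignInName $user -RoleDefinitionName $role.Name -ResourceGroupName 'RBAC'

# Read back what the user holds at that scope; expect only this role, bound to the RBAC group.
Get-AzureRmRoleAssignment -SignInName $user -ResourceGroupName 'RBAC' |
    Select-Object RoleDefinitionName, Scope
```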
I hope this will help, guys!