Azure Hangout Demo Series – Governance 1a – RBAC and Azure Policy

  • Scenario
    • Adatum Corporation wants to use Azure Role Based Access Control and Azure Policy to control provisioning and management of their Azure resources. It also wants to be able to automate and track provisioning and management tasks.
  • Objectives
    • Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies
    • Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

Exercise 1: Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies

  • Exercise Objectives
    • Create Azure Active Directory (AD) users and groups
    • Create Azure resource groups
    • Delegate management of an Azure resource group via a built-in RBAC role
    • Assign a built-in Azure policy to an Azure resource group
Task 1: Create Azure AD users and groups
  • GOAL
    • To create a new Azure AD user and group that will be assigned permissions later
  • STEPS
    1. Azure Portal → Azure Active Directory → Custom domain names
      • Make a note of the domain name
    2. Azure Portal → Azure Active Directory → Users → Create a new user
      • Name: aaduser01
      • User name: aaduser01@<DNS-domain-name> where <DNS-domain-name> represents the primary DNS domain name you identified earlier in this task.
      • Profile: Not configured
      • Properties: Default
      • Groups: 0 groups selected
      • Directory role: User
      • Password: Show Password → make a note of the password
    3. Azure Portal → Azure Active Directory → Groups → Create a new group
      • Group type: Security
      • Group name: Azure Subscription Contributors
      • Group description: Azure Subscription Contributors
      • Membership type: Assigned
      • Members: aaduser01
Task 2: Create Azure resource groups
  • GOAL
    • To create two new Azure resource groups
  • STEPS
    1. Azure Portal → Resource groups → Create new resource group
      • Resource group name: az01-RG
      • Subscription: Select your subscription
      • Resource group location: Select an Azure region (use the same region for the rest of the lab)
    2. Azure Portal → Resource groups → Create new resource group
      • Resource group name: az02-RG
      • Subscription: Select your subscription
      • Resource group location: Select an Azure region (use the same region for the rest of the lab)
Task 3: Delegate management of an Azure resource group via a built-in RBAC role
  • GOAL
    • To delegate the management of the “az01-RG” resource group to our newly created “Azure Subscription Contributors” Azure AD security group
  • STEPS
    1. Azure Portal → Resource groups → Select the “az01-RG” resource group → Access control (IAM) → Role assignments
      • Role: Contributor
      • Assign access to: Azure AD user, group, or service principal
      • Select: Azure Subscription Contributors
Task 4: Assign a built-in Azure policy to an Azure resource group
  • GOAL
    • To assign an Azure policy that allows the deployment of only the Standard_DS1_v2 VM SKU
  • STEPS
    1. Azure Portal → Resource groups → Select the “az01-RG” resource group → Policies → Assign Policy
      • Scope: az01-RG
      • Exclusions: leave the entry blank
      • Policy definition: Allowed virtual machine SKUs
      • Assignment name: Allowed virtual machine SKUs
      • Description: Allowed selected virtual machine SKUs (Standard_DS1_v2)
      • Assigned by: leave the entry set to its default value
      • Allowed SKUs: Standard_DS1_v2
      • Create a Managed Identity: leave the entry blank
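The same Exercise 1 configuration done from Cloud Shell (PowerShell) with the Az module instead of the portal, as an added example that is not part of the original lab. It assumes Az.Resources 5.x or later (Microsoft Graph based Azure AD cmdlets), that `$domain` is the primary DNS domain noted in Task 1, and that the built-in policy is listed as either "Allowed virtual machine SKUs" or its newer name "Allowed virtual machine size SKUs".

```powershell
# Added example, not from the lab. Run in Cloud Shell (PowerShell) as a subscription Owner.
$domain   = '<DNS-domain-name>'                       # replace with the domain noted in Task 1
$location = 'eastus'                                  # one region for the whole lab
$password = Read-Host -Prompt 'Password for aaduser01' -AsSecureString

# Task 1: user plus a security group, with the user as its only member
$user  = New-AzADUser -DisplayName 'aaduser01' -UserPrincipalName "aaduser01@$domain" `
             -MailNickname 'aaduser01' -Password $password
$group = New-AzADGroup -DisplayName 'Azure Subscription Contributors' `
             -MailNickname 'azsubcontrib' -Description 'Azure Subscription Contributors' -SecurityEnabled
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id

# Task 2: the two resource groups (az02-RG stays undelegated on purpose)
$rg1 = New-AzResourceGroup -Name 'az01-RG' -Location $location
$rg2 = New-AzResourceGroup -Name 'az02-RG' -Location $location

# Task 3: Contributor on az01-RG only, granted to the group rather than to the user,
# so membership changes later do not require new role assignments
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' `
    -ResourceGroupName $rg1.ResourceGroupName

# Task 4: built-in policy scoped to az01-RG and restricted to Standard_DS1_v2.
# listOfAllowedSKUs is the built-in definition's own parameter name.
# Assumption: the display-name lookup handles both the old and new output shape
# of Get-AzPolicyDefinition (Properties.DisplayName vs. DisplayName).
$policyDef = Get-AzPolicyDefinition -Builtin | Where-Object {
    $dn = if ($_.PSObject.Properties['Properties']) { $_.Properties.DisplayName } else { $_.DisplayName }
    $dn -like 'Allowed virtual machine*SKUs'
} | Select-Object -First 1

New-AzPolicyAssignment -Name 'Allowed virtual machine SKUs' `
    -DisplayName 'Allowed virtual machine SKUs' `
    -Description 'Allowed selected virtual machine SKUs (Standard_DS1_v2)' `
    -Scope $rg1.ResourceId -PolicyDefinition $policyDef `
    -PolicyParameterObject @{ listOfAllowedSKUs = @('Standard_DS1_v2') }

# Check: the assignment exists at the az01-RG scope and nowhere wider
Get-AzPolicyAssignment -Scope $rg1.ResourceId | Select-Object Name
```

Azure AD replication can lag by a few seconds, so if New-AzRoleAssignment reports that the group object cannot be found, wait briefly and rerun that line.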

Exercise 2: Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

  • Exercise Objectives
    • Identify an available DNS name for an Azure VM deployment
    • Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin
    • Perform an automated deployment of a policy compliant Azure VM as a delegated admin
    • Review Azure Activity Log events corresponding to Azure VM deployments
Task 1: Identify an available DNS name for an Azure VM deployment
  • GOAL
    • To identify a unique name that we will use for a VM deployment and to register the necessary resource providers
  • STEPS
    1. Azure Portal → CloudShell (PowerShell)
      • Verify the availability of a unique DNS name. Substitute the placeholder <custom-label> with any string which is likely to be unique and the placeholder <location-of-az01-RG> with the name of the Azure region in which you created the az01-RG resource group.
      • Verify that the command returned True. If not, rerun the same command with a different value of the <custom-label> until the command returns True.
      • Note the value of the <custom-label> that resulted in the successful outcome. You will need it in the next task

[code language="powershell"]
Test-AzDnsAvailability -DomainNameLabel <custom-label> -Location '<location-of-az01-RG>'
[/code]

    2. Run these commands:
      • These cmdlets register the Azure Resource Manager Microsoft.Network and Microsoft.Compute resource providers. This is a one-time operation (per subscription) required when using Azure Resource Manager templates to deploy resources managed by these resource providers (if they have not yet been registered).

[code language="powershell"]
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
[/code]

Task 2: Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin

  • GOAL
    • To verify that RBAC limits the delegated user to the resources they have been granted access to, and that Azure Policy blocks the deployment of a non-compliant VM
  • STEPS
    1. Azure Portal (in different browser or incognito mode) → sign in using the user account “aaduser01@<DNS-domain-name>” → Resource groups 
      • Note that you can only see the “az01-RG” resource group
    2. Azure portal → Create a resource → Template deployment → Deploy a custom template → Load a GitHub quickstart template → 101-vm-simple-linux → Edit template
      • On the Edit template blade, navigate to the Variables section and locate the vmSize entry
      • Note that the template is using hard-coded Standard_A1 VM size
    3. Discard any changes you might have made to the template and navigate to the Deploy a simple Ubuntu Linux VM blade.
      • Subscription: the same subscription you selected in the previous exercise
      • Resource group: az01-RG
      • Location: the name of the Azure region which you selected in the previous exercise
      • Admin Username: Student
      • Admin Password: Pa55w.rd1234
      • Dns Label Prefix: the <custom-label> you identified in the previous task
      • Ubuntu OS Version: accept the default value
      • Location: accept the default value
    4. Note that the initiation of the deployment fails. 
      • Navigate to the Errors blade and note that the deployment of the resource is not allowed by the policy Allowed virtual machine SKUs.
Task 3: Perform an automated deployment of a policy compliant Azure VM as a delegated admin
  • GOAL
    • To verify that the deployment of a compliant template is successful
  • STEPS
    1. From the Deploy a simple Ubuntu Linux VM blade, navigate to the Edit template blade
    2. On the Edit template blade, navigate back to the Variables section and locate the vmSize entry.
    3. Replace the value Standard_A1 with Standard_DS1_v2 and save the change.
    4. Initiate a deployment again. Note that this time validation is successful.
    5. Do not wait for the deployment to complete but proceed to the next task.
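The Task 2 and Task 3 outcome reproduced from Cloud Shell as the delegated admin, as an added example that is not part of the original lab: the same template is validated twice against az01-RG, once with the hard-coded Standard_A1 size and once with the allowed Standard_DS1_v2. It assumes you saved the template from the Edit template blade as ./azuredeploy.json, that vmSize is a variable in it (as the lab notes), and that the parameter names adminUsername, adminPassword and dnsLabelPrefix match the blade's fields; sign in first with Connect-AzAccount as aaduser01.

```powershell
# Added example, not from the lab. Validation runs the same preflight checks as a
# real deployment, including Azure Policy evaluation, but creates nothing.
function Test-VmSizeAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$VmSize,
        [Parameter(Mandatory)][hashtable]$Parameters,
        [string]$TemplatePath = './azuredeploy.json'   # assumption: saved from the Edit template blade
    )
    # -AsHashtable yields nested hashtables, which -TemplateObject expects
    $template = Get-Content -Raw $TemplatePath | ConvertFrom-Json -AsHashtable
    $template['variables']['vmSize'] = $VmSize        # the entry the lab edits by hand

    # Errors are returned as objects (Code, Message), not thrown; no output means it passed
    $errors = Test-AzResourceGroupDeployment -ResourceGroupName 'az01-RG' `
                  -TemplateObject $template -TemplateParameterObject $Parameters
    if ($errors) {
        [pscustomobject]@{ VmSize = $VmSize; Result = 'Rejected'
                           Code = $errors[0].Code; Message = $errors[0].Message }
    } else {
        [pscustomobject]@{ VmSize = $VmSize; Result = 'Validation passed'; Code = ''; Message = '' }
    }
}

# Assumption: parameter names derived from the blade's field labels
$params = @{
    adminUsername  = 'Student'
    adminPassword  = Read-Host -Prompt 'Admin password' -AsSecureString
    dnsLabelPrefix = '<custom-label>'                  # the label verified in Task 1
}
Test-VmSizeAgainstPolicy -VmSize 'Standard_A1'     -Parameters $params   # expect RequestDisallowedByPolicy
Test-VmSizeAgainstPolicy -VmSize 'Standard_DS1_v2' -Parameters $params   # expect validation to pass
```

Running the same function against az02-RG as aaduser01 fails with an authorization error rather than a policy error, which is the RBAC half of the lab's check.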
Task 4: Review Azure Activity Log events corresponding to Azure VM deployments
  • GOAL
    • To review the activity logs for administration events
  • STEPS
    1. Azure Portal → Resource Groups → Select the “az01-RG” resource group → Activity log
      • Note the ones corresponding to the failed and successful validation events
      • Refresh the view of the blade and observe events corresponding to the Azure VM provisioning, including the final one representing the successful deployment.
Result: After you complete this exercise, you will have identified an available DNS name for an Azure VM deployment, attempted an automated deployment of a policy non-compliant Azure VM as a delegated admin, performed an automated deployment of a policy compliant Azure VM as the same delegated admin, and reviewed Azure Activity Log entries corresponding to both Azure VM deployments.
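The Task 4 review done from Cloud Shell, as an added example that is not part of the original lab: it pulls recent Activity Log entries for az01-RG and lists the deployment validations and policy denials, so the failed Standard_A1 attempt and the successful Standard_DS1_v2 deployment by aaduser01 can be told apart. It assumes the -Hours window covers the time Exercise 2 was run.

```powershell
# Added example, not from the lab. Requires Reader (or higher) on az01-RG.
function Get-DeploymentAuditTrail {
    param(
        [string]$ResourceGroupName = 'az01-RG',
        [int]$Hours = 2                                   # assumption: Exercise 2 ran within this window
    )
    Get-AzActivityLog -ResourceGroupName $ResourceGroupName -StartTime (Get-Date).AddHours(-$Hours) |
        Where-Object {
            # template validation / deployment operations and the "'deny' Policy action" entries
            $_.OperationName.Value -like 'Microsoft.Resources/deployments/*' -or
            $_.OperationName.Value -like 'Microsoft.Authorization/policies/*'
        } |
        Sort-Object EventTimestamp |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.EventTimestamp
                Caller    = $_.Caller                     # expect aaduser01@<DNS-domain-name>
                Operation = $_.OperationName.Value
                Status    = $_.Status.Value               # Started / Succeeded / Failed
                # statusMessage carries the policy error (RequestDisallowedByPolicy) on the failed attempt;
                # indexing a missing key or a null Properties yields an empty value rather than an error
                Detail    = $_.Properties.Content['statusMessage']
            }
        }
}

Get-DeploymentAuditTrail | Format-Table -AutoSize -Wrap
```

The denied attempt shows up with a Failed status and a policy identifier in Detail, while the compliant one progresses through Started and Succeeded; entries for az02-RG never appear because aaduser01 has no rights there.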
