Azure Active Directory Role-based Access Control is here!

October 15, 2015 Chris Spanougakis

Another cool feature from the Azure AD group! For a long time, when you wanted to give people access to some specific tasks in Azure, this was not possible: you had to give them access to an entire Azure subscription. This is the idea behind Role-Based Access Control (RBAC): we can now give our users only the permissions required for the tasks they actually need to perform.

The biggest part of the job is done using the Azure Management Portal, and the rest is done using the RBAC command-line management tools, which are worth downloading. You’ve probably guessed right: it’s PowerShell.

The ideal scenario when we talk about identity management in Azure is this: we want to make sure that when people leave the company, they lose access to our Azure subscription. And even while they do have access to our subscription, they should be allowed to perform only the specific tasks related to their role.

But what are the built-in roles that can be used? Take a look at the following list:

Role Names and Descriptions:

API-Management Service Contributor
Can manage Application Insights components

Application Insights Component Contributor
Can manage Application Insights components

Automation Operator
Able to start, stop, suspend, and resume jobs

BizTalk Contributor
Can manage BizTalk services

ClearDB MySQL DB Contributor
Can manage ClearDB MySQL databases

Contributor
Can manage everything except access.

Data Factory Contributor
Can manage data factories

DevTest Lab User
Can view everything, and connect, start, restart, and shutdown virtual machines.

Document DB Account Contributor
Can manage Document DB accounts

Intelligent Systems Account Contributor
Can manage Intelligent Systems accounts

Network Contributor
Can manage all network resources

NewRelic APM Account Contributor
Can manage NewRelic Application Performance Management accounts and applications

Owner
Owners can manage everything, including access.

Reader
Readers can view everything, but can’t make changes.

Redis Cache Contributor
Can manage Redis caches

Scheduler Job Collections Contributor
Can manage scheduler job collections

Search Service Contributor
Can manage search services

Security Manager
Can manage security components, security policies and virtual machines

SQL DB Contributor
Can manage SQL databases but not their security related policies

SQL Security Manager
Can manage the security related policies of SQL servers and databases

SQL Server Contributor
Can manage SQL servers and databases but not their security related policies

Classic Storage Account Contributor
Can manage classic storage accounts

Storage Account Contributor
Can manage storage accounts

User Access Administrator
Can manage user access to Azure resources

Classic Virtual Machine Contributor
Can manage classic virtual machines but not the virtual network or storage account to which they are connected

Virtual Machine Contributor
Can manage classic virtual machines but not the virtual network or storage account to which they are connected

Classic Network Contributor
Can manage virtual machines but not the virtual network or storage account to which they are connected

Web Plan Contributor
Can manage web plans

Website Contributor
Can manage websites but not the web plans to which they are connected

You can see an example here, where a specific group is allowed to create VMs. Keep in mind that access management for subnets is only possible using the Azure command-line tools:

http://blogs.technet.com/b/ad/archive/2015/10/12/azure-rbac-is-ga.aspx
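As an added example (not code from the original post or from the linked article), here is the scenario above written against the current Az PowerShell module, which has replaced the 2015-era cmdlets the post refers to: a group gets Virtual Machine Contributor on one resource group, Network Contributor on one subnet, and the resulting assignments are then reviewed. The group, resource group, virtual network and subnet names are placeholders, and the virtual network is assumed to live in the same resource group as the VMs.

```powershell
# Added example, not from the original post. Assumes the Az module is
# installed, Connect-AzAccount has been run, and the caller holds Owner
# or User Access Administrator on the subscription.
$groupName  = 'VM-Builders'        # placeholder Azure AD group name
$rgName     = 'rg-dev-workloads'   # placeholder resource group
$vnetName   = 'vnet-dev'           # placeholder virtual network (same RG)
$subnetName = 'snet-app'           # placeholder subnet

# Resolve the group once and bind the assignment to its object id, not
# its display name, so a renamed or look-alike group cannot inherit it.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found" }

# 1. Let the group create and manage VMs in one resource group only.
#    Virtual Machine Contributor does not include network or storage
#    management, so the blast radius stays inside that resource group.
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -ResourceGroupName $rgName

# 2. Attaching a VM NIC to a subnet needs rights on that subnet. The
#    portal stops at the resource level, so this one is scoped by id.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Network Contributor' `
    -Scope $subnet.Id

# 3. Verify: only these two assignments should name the group.
Get-AzRoleAssignment -ObjectId $group.Id |
    Select-Object RoleDefinitionName, Scope

# 4. Periodic review: Owner and User Access Administrator are the roles
#    that hand out roles, so every holder at subscription scope should
#    be a known, still-employed account (see the leaver scenario above).
$subId = (Get-AzContext).Subscription.Id
Get-AzRoleAssignment -Scope "/subscriptions/$subId" |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' } |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
```

Removing a leaver is the mirror image: `Remove-AzRoleAssignment` with the same object id and scope, or simply removing the user from the group, which drops every assignment the group carries at once.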

You could also take a look at the following articles to learn more about Azure RBAC here and check some best practices here.