Following least privilege with Azure RBAC custom roles

In this blog I am going to guide you through creating a custom role in Azure RBAC. This is not to be confused with custom roles in Azure AD, which require an Azure AD Premium licence and apply only to Azure AD administration (directory objects such as users, groups and applications). An Azure RBAC custom role, on the other hand, controls access to Azure resources within a subscription.

Remind me what Azure RBAC is again...

Azure role-based access control (Azure RBAC) lets you grant access to Azure resources by assigning a defined set of permissions to an Azure AD identity. Creating an assignment typically follows three steps:

Step 1: Decide on the scope. Should this apply to a single resource, a resource group, or the whole subscription? Permissions granted at a scope are inherited by everything beneath it, so the narrower the scope the better.

Step 2: Decide on the permissions. Typically a built-in role such as Owner, Contributor or Reader.

Step 3: Assign the role to an identity. This can be a user, group, service principal or managed identity.

Once the assignment is in place, the identity can access the resource according to the permissions you have granted.

So what’s the problem?

Since it is best practice to follow the principle of least privilege, there are scenarios where the built-in roles will not fit your requirements. For example, what if you want to grant a set of resource-specific permissions rather than access to everything? If you do this with built-in roles at the resource group level, you end up with a list of separate role assignments for the same identity, one per built-in role:

In more complicated environments this list tends to grow and becomes confusing to manage, even when changing the 'group by' view option. You may also need to apply the same permissions to multiple resource groups, which makes for a long-winded update process should the permission requirements change. An alternative is to create a custom role that encompasses all the permissions and can then be assigned at whatever scope you need. As an added benefit, when you update the custom role the change takes effect for every assignment of that role at once.

Another scenario is that the built-in roles simply do not provide what you need. One example is granting a user the ability to edit a single Azure Data Factory instance in the Azure portal. For this you create a custom role containing the 'Microsoft.Resources/deployments/' permission, assigned at the resource group level, and combine it with the built-in Contributor role assigned at the data factory level. With both in place the user can edit that one data factory without being made Contributor on the whole resource group.

Show me already…

As with a normal RBAC assignment, first go to the scope you wish to create your custom role for. In this example I'll be working at the resource group level and creating a custom role that allows a user to test a linked service connection within Azure Data Factory and nothing more.

Step 1: From the 'Access control (IAM)' menu, select 'Add' under 'Create a custom role'.

Note: If your role is similar to an existing role you can opt to clone that role by selecting the 'Roles' tab, searching for the role in question, clicking the three dots and then selecting 'Clone'.

Step 2: Fill in the details to describe the role and click next.

Step 3: Add the required permissions. Which permissions you need depends on the documentation specific to your requirement; a great reference for breaking down all the built-in roles into their individual actions is Microsoft's Azure built-in roles page (see the references below). I use this regularly to pick and choose the permissions I need.

Step 4: Confirm the assignable scope is the correct resource group and click next. The role will only be available for assignment at this scope and below it. You may wish to change this to the subscription if you need to assign the role in multiple resource groups, but keep it as narrow as your requirement allows: the assignable scope is what stops the role being offered in places it was never intended for.

Step 5: The next page lets you review and edit the JSON. Often it is easier to jump straight to this page and paste the lines you need into the 'actions' block, again using the Microsoft reference as a guide. Prefer explicit actions over wildcards where you can: a wildcard such as 'Microsoft.DataFactory/*' also grants any operations the resource provider adds in future. Click 'Review + create' and then 'Create'.

Step 6: Now that the custom role is created you can assign it just like a built-in role, by going to the 'Role assignments' tab and clicking 'Add'.
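The same six steps can be scripted, which is how I would do it for more than one environment or when the role needs to live in source control. The block below is an added example written for this edit, not code from the original post or from Microsoft's documentation. It uses the Az PowerShell module (Az.Resources) and applies the procedure to the "edit a single data factory" scenario described earlier. The subscription id, resource group, factory name and principal object id are placeholders, and the action is written as Microsoft.Resources/deployments/* with a trailing wildcard; the post quotes it without one, so the wildcard form is my assumption about what the role JSON needs.

```powershell
# Added example (not from the original post): portal Steps 1 to 6 done with the
# Az PowerShell module for the "edit a single data factory" scenario.
# All ids and names below are placeholders (assumptions); replace them before running.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-adf-dev"                             # placeholder
$factoryName    = "adf-dev-01"                             # placeholder
$principalId    = "11111111-1111-1111-1111-111111111111"   # Azure AD object id of the user, group or SP (placeholder)
$roleName       = "Data Factory Deployment Helper (custom)"

Connect-AzAccount | Out-Null                                # skip if already signed in
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$rgScope  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$adfScope = "$rgScope/providers/Microsoft.DataFactory/factories/$factoryName"

# Step 3 equivalent: discover the exact action strings rather than guessing them.
# Lists every control-plane operation the Data Factory provider exposes for factories.
Get-AzProviderOperation "Microsoft.DataFactory/factories/*" |
    Select-Object Operation, Description | Format-Table -AutoSize

# Step 5 equivalent: the role definition in the JSON shape the Az cmdlets accept.
# Assignable scope is the single resource group, so the role cannot be handed out elsewhere.
# The trailing wildcard on deployments/ is an assumption about the page's quoted action.
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Allows ARM deployments in the resource group so that a single data factory can be edited from the portal.",
  "Actions": [
    "Microsoft.Resources/deployments/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "$rgScope"
  ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) "custom-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8

# Create the role, or update the existing definition in place. Updating the
# definition changes what every assignment of this role grants, all at once.
$existing = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    $role = New-AzRoleDefinition -InputFile $roleFile
} else {
    $wanted = Get-Content -Path $roleFile -Raw | ConvertFrom-Json
    $existing.Description = $wanted.Description
    $existing.Actions.Clear()
    foreach ($a in $wanted.Actions) { $existing.Actions.Add($a) }
    $existing.NotActions.Clear()
    foreach ($a in $wanted.NotActions) { $existing.NotActions.Add($a) }
    $existing.AssignableScopes.Clear()
    foreach ($s in $wanted.AssignableScopes) { $existing.AssignableScopes.Add($s) }
    $role = Set-AzRoleDefinition -Role $existing
}

# Step 6 equivalent: the custom role at the resource group, and built-in Contributor
# on the data factory resource only. The identity is never Contributor on the group.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $rgScope | Out-Null
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Contributor" -Scope $adfScope | Out-Null

# Check the outcome: every assignment the identity holds at or below the resource group.
Get-AzRoleAssignment -ObjectId $principalId -Scope $rgScope |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```

Two things are worth noticing when running this. The update branch is what makes the "one change updates every assignment" benefit real: the assignments point at the role definition id, so changing the Actions list changes what each assignee can do without touching a single assignment. And the final Get-AzRoleAssignment is the check I would always finish with, because it shows the identity ended up with exactly two entries at two different scopes rather than the growing list of built-in roles the post describes.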

Conclusion

As more organisations move to the cloud, so too does their work with third parties. The common approach during early cloud adoption may have been to over-provision permissions, either through lack of knowledge or just to keep things simple. By using custom roles your organisation can follow the principle of least privilege in a more manageable way, and hopefully reduce both the security exposure and the costs incurred by unsanctioned resources.

References:

Azure built-in roles – Website Contributor
Azure Data Factory – roles and permissions (custom roles)
Azure custom roles

How can we help?

Silversands is a Microsoft Gold Partner of over 30 years standing, which specialises in Microsoft 365 delivered across cloud (Azure) and hybrid IT infrastructures. We provide consultancy, support and user adoption services. We run regular webinars on Microsoft 365 and Azure, so please check out our schedule. If you need help and would like to have a chat about how Silversands might be able to help you, please get in touch.