Microsoft Azure Roles & Subscriptions: A Brief Explanation (With Example – Step By Step)
Before starting our discussion on Azure administration roles, first we shall briefly explain some basic relevant concepts & terminologies:
1) Azure Account
2) Azure Subscription
3) Azure Resource Group
4) Management Group
After the above explanation, we shall explain the:
5) Azure Administration Roles
Then there shall be a practical guide / demonstration about:
6) Azure Roles Assignment (Step By Step)
So, Let’s get started!
1) Azure Account
A Microsoft Azure account is an identity (for example, an Outlook or Hotmail ID trusted by Azure AD) that is used to sign in to the Azure portal. One Microsoft Azure account may hold multiple subscriptions.
Note: The account administrator and service administrator roles are assigned to the account that was used to sign up for Microsoft Azure.
2) Azure Subscription
An Azure subscription is a logical entity linked to a Microsoft Azure account; it determines how you are billed for the Azure cloud resources you use. Resource usage reporting, billing and payment are controlled per subscription, and each subscription has its own identification (ID) and billing.
3) Azure Resource Group
A resource group contains Azure resources and is linked to an Azure subscription. Every Azure subscription is associated with an Azure AD tenant, and the users and groups that belong to that subscription live in that Azure AD. Access to the resources in a resource group is authenticated and authorized by Azure AD.
To access resources in a resource group, a user must exist in the Azure AD associated with the subscription. The user's roles determine the level of access that user is granted to the resources in the resource group.
4) Management Group
To manage access, policies and compliance efficiently above the subscription level, Azure introduced a logical grouping of subscriptions called a “Management Group”. Every condition applied to a management group is automatically inherited by all subscriptions in that group. Moreover, Azure maintains a single Azure AD tenant association for all subscriptions linked to one management group.
5) Azure Administration Roles
5.1 Classic Roles
5.2 Azure RBAC (Role Based Access Control) Roles
5.3 Azure Active Directory Admin Roles
Note: Azure has two resource management and deployment models: the Classic deployment model and Azure Resource Manager (ARM). ARM is the model Microsoft recommends for new resources.
There are three types of roles in an Azure classic subscription:
5.1.1 Account Administrator
Full Access to all Azure resources.
5.1.2 Service Administrator
Full access to Azure resources, manage services, and authority to assign users the Co-Administrator role.
Note: By default, the Account Administrator of a new subscription also holds the Service Administrator role.
5.1.3 Co-Administrator
Limited Service Administrator role.
Note: The account administrator loses access to the portal if the service administrator is changed. Moreover, the service administrator cannot add users from another directory. For example, if user “email@example.com” holds the service administrator role, he can add user “firstname.lastname@example.org” but cannot add user “email@example.com”.
Azure RBAC (Role Based Access Control) grants access to Azure resources under the Azure Resource Manager deployment model. RBAC provides around 70 built-in roles, which can be assigned to achieve the required access rights.
Note: Both ARM and Classic deployment models apply these roles at subscription and resource levels.
Source: Azure Documentation
5.2.1 Contributor
Create and manage resources, but no delegation rights (cannot grant access to others).
5.2.2 Reader
View resources (cannot make any changes to the resources).
5.2.3 Owner
Create and manage resources, with delegation rights (an Owner can grant access to others).
5.2.4 User Access Administrator
Holds root scope privileges; manages user access to Azure resources.
5.3.1 Global Administrator
Manage access to administrative features in Azure AD, access services federated to Azure AD, reset passwords for end users and other administrators.
5.3.2 User Administrator
Create and manage users / groups, change passwords for other users, manage support tickets, monitor service health, etc.
5.3.3 Billing Administrator
Manages support tickets, subscriptions, purchases and monitors service health.
6) Azure Roles Assignment (Step By Step)
Step-1: Log in to the Azure portal and click “Azure Active Directory”, as shown below:
Step-2: Click on “Users”, as shown below:
Step-3: Click on “New user”, as shown below:
Step-4: Select “Create user”, enter the new user details and then click “Create” button, as shown below:
Step-5: See the new user has been created, as shown below:
Step-6: Click “Home”, as shown below:
Step-7: Select a resource whose access you want to grant to the newly created user (i.e. rhassan).
Note: In this example we have used an already created virtual network resource i.e. “test-vnet-1”. If you want to see how this resource was created, please check my other article http://tiny.cc/nws7lz for reference.
Step-8: Select “Access control (IAM)”, as shown below:
Step-9: Click “Role assignments”, as shown below:
Step-10: Click “Add”, then click “Add role assignment”, as shown below:
Step-11: Select “Owner”, then select “Azure AD user, group or service principal” and then select the newly created user (i.e. “rhassan”) as shown below:
Step-12: Select “Owner”, then select “Azure AD user, group or service principal”, then select the newly created user (i.e. “rhassan”), then click “Save”, as shown below:
The new user (i.e. rhassan) has been granted “Owner” level rights for the resource “test-vnet-1” successfully. [See image below]
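The walkthrough above grants Owner at the scope of a single resource, and the management group section earlier explains that assignments made higher up inherit downwards. The following Python model, an added example that is not Microsoft's code or from the original article, reproduces those two rules offline so you can check what an assignment actually allows before (or after) making it in the portal: scope strings in the ARM format, inheritance from management group to subscription to resource group to resource, and the Actions/NotActions evaluation that makes Owner a delegation role while Contributor is not. The subscription ID, resource group name, principal names and management group are constructed; the role definition GUIDs are the well-known built-in IDs, but the Actions/NotActions lists are a trimmed subset of the real definitions, and deny assignments are not modelled.

```python
"""Offline model of Azure RBAC scope inheritance and role evaluation (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatch

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Well-known built-in role definition GUIDs; Actions/NotActions are a constructed
# subset, kept to the entries that show the delegation difference.
BUILTIN_ROLES = {
    "Owner": ("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", ["*"], []),
    "Contributor": ("b24988ac-6180-42a0-ab88-20f7382dd24c", ["*"],
                    ["Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/*/Delete",
                     "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": ("acdd72a7-3385-48ef-bd42-f606fba81ae7", ["*/read"], []),
    "User Access Administrator": ("18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
                                  ["*/read", "Microsoft.Authorization/*"], []),
}


def subscription_scope(sub_id):
    return f"/subscriptions/{sub_id}"


def resource_group_scope(sub_id, rg):
    return f"{subscription_scope(sub_id)}/resourceGroups/{rg}"


def vnet_scope(sub_id, rg, name):
    """Resource ID of a virtual network: the scope selected in steps 7 to 12."""
    return (f"{resource_group_scope(sub_id, rg)}"
            f"/providers/Microsoft.Network/virtualNetworks/{name}")


def management_group_scope(mg):
    return MG_PREFIX + mg


def role_grants(role, action):
    """A role grants an action when an Actions pattern matches it and no NotActions
    pattern of the same role excludes it; matching is case-insensitive."""
    _, actions, not_actions = BUILTIN_ROLES[role]
    act = action.lower()
    return (any(fnmatch(act, p.lower()) for p in actions)
            and not any(fnmatch(act, p.lower()) for p in not_actions))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # UPN or object ID of a user, group or service principal
    role: str        # key of BUILTIN_ROLES
    scope: str       # scope where it was granted; it applies to everything below


class RbacModel:
    def __init__(self, subscription_parents, mg_parents):
        self.subscription_parents = subscription_parents  # subscription ID -> management group
        self.mg_parents = mg_parents                      # management group -> parent or None
        self.assignments = []

    def assign(self, principal, role, scope):
        if role not in BUILTIN_ROLES:
            raise ValueError(f"unknown role: {role}")
        a = RoleAssignment(principal, role, scope)
        self.assignments.append(a)
        return a

    def management_groups_of(self, scope):
        """Chain of management groups above the subscription that owns `scope`."""
        parts = scope.strip("/").split("/")
        groups = set()
        if len(parts) >= 2 and parts[0].lower() == "subscriptions":
            mg = self.subscription_parents.get(parts[1])
            while mg is not None:
                groups.add(mg)
                mg = self.mg_parents.get(mg)
        return groups

    def applies(self, assignment_scope, target_scope):
        a, t = assignment_scope.lower(), target_scope.lower()
        if t == a or t.startswith(a + "/"):
            return True  # same scope or an ARM descendant of it
        if assignment_scope.startswith(MG_PREFIX):  # inherited via management group
            return assignment_scope[len(MG_PREFIX):] in self.management_groups_of(target_scope)
        return False

    def effective_roles(self, principal, scope):
        return {a.role for a in self.assignments
                if a.principal == principal and self.applies(a.scope, scope)}

    def is_allowed(self, principal, action, scope):
        """Any effective role that grants the action is enough (no deny assignments here)."""
        return any(role_grants(r, action) for r in self.effective_roles(principal, scope))

    def delegation_findings(self):
        """Review helper: assignments whose role lets the holder hand out access to others."""
        return [a for a in self.assignments
                if role_grants(a.role, "Microsoft.Authorization/roleAssignments/write")]


def build_walkthrough():
    """The article's walkthrough as a model: rhassan gets Owner on test-vnet-1 only,
    plus a Reader assignment at a management group to show inheritance."""
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    model = RbacModel({sub: "corp-mg"}, {"corp-mg": None})
    model.assign("rhassan@example.com", "Owner", vnet_scope(sub, "rg-test", "test-vnet-1"))
    model.assign("auditor@example.com", "Reader", management_group_scope("corp-mg"))
    return model, sub


if __name__ == "__main__":
    model, sub = build_walkthrough()
    target = vnet_scope(sub, "rg-test", "test-vnet-1")
    print("rhassan can delegate on test-vnet-1:", model.is_allowed(
        "rhassan@example.com", "Microsoft.Authorization/roleAssignments/write", target))
    for a in model.delegation_findings():
        print(f"review: {a.principal} holds {a.role} at {a.scope}")
```

Running the script shows that rhassan's Owner assignment is confined to test-vnet-1 (no role at the resource group or on a sibling network), that the Reader assignment at the management group reaches every resource in the subscription without a direct assignment, and that `delegation_findings()` lists the Owner grant because that role, unlike Contributor, can write role assignments. That last list is the one worth reviewing periodically: Owner on a single resource still lets the holder grant others access to that resource.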