Creating Dynamic Groups on Azure AD

00

Hey guys,

In today’s post, I’ll talk about a simple but very efficient subject, Dynamic Groups. Dynamic Groups are groups based on rules and if users match to a rule they will be added automatically in a group (Groups for devices can also be created). In other words, Dynamic Groups solve that pain of any administrator to keep their groups and distribution lists up to date. For example in the environment where I work we create groups based on locations, departments and the famous group “All”. From the moment you create the groups and rules, the only work needed from then on will be: Create the users correctly, I mean, fill in all the fields correctly so that this new user fits the rule that belongs to him.

That said, let’s get start.

Go to the Azure portal and open the “Azure Active Directory” blade.

Then select Groups > New Group and you will see the following screen (For this post I will create a group for email purposes, but you can use as a Security group as well). Fill up all the fields and select Dynamic User on Membership Type.

1

The next step is to create the rule that would add users automatically based on the added criteria.

In this example rule, all users who have the field department filled with the words “Information Technology” will be added to the GetPractical group automatically.

2

If you want to validate the rule, click on the “Validate Rules” tab, manually add some users and then click on ”Validate”. The rule will tell you which of the users you have added fits the criteria entered in your rule.

4

3

As you can see from my example above, only one of the users fulfils the criteria entered in this rule.

Now click save and then click create.

Just a point of attention: If you like me have the need to create a group for all employees, I advise you to create a rule that initially doesn’t work and then turn off the welcome email function. Unfortunately there is no possibility to turn off this feature during group creation, so the only way I found at this time was to create a rule that doesn’t work or a rule that only includes you and then turn off the welcome notifications and also the mapping from the group in Outlook.

7

In the image above the example of the welcome email and the group mapped in Outlook.

10

For you to turn off these two features you need to connect to Exchange Online (Microsoft 365) and execute the commands used above.

Example below:

Set-UnifiedGroup -Identity “All@getpractical.co.uk” -UnifiedGroupWelcomeMessageEnable:$false
Set-UnifiedGroup -Identity “All@getpractical.co.uk” -HiddenFromExchangeClientsEnabled:$true

That’s all for today guys, see you soon.

Joao Costa

Azure Files – Part 4 – Back Up for Azure Files

12

Hi guys! In today’s post of the Azure Files series (You can find out more about the series here), I will end the series talking about how to configure your environment to be backed up and have security in case of any data hijacking attempt through, for example, ransomwares.

Okay, let’s go straight to the configuration steps.

Create a Recovery Services vault

Sign in to your subscription in the Azure portal and search for Backup center in the Azure portal, and navigate to the Backup Center dashboard.

1

Select +Vault from the Overview tab and select Recovery Services vault and click Continue.

3

The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location. Then hit Review and create.

Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

Subscription: Choose the subscription to use. If you’re a member of only one subscription, you’ll see that name. If you’re not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.

Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.

4

It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it’s visible in the list of Recovery Services vaults. If you don’t see your vault, select Refresh.

Configure backup from the Recovery Services vault

The following steps explain how you can configure backup for multiple file shares from the Recovery Services vault pane. In the Azure portal, open the Recovery Services vault you want to use for configuring backup for the file share.

5

Next in the Recovery Services vault pane, select the +Backup from the menu on the top.

6

In the Backup Goal pane, set Where is your workload running? to Azure by selecting the Azure option from the drop-down list.

In What do you want to back up?, select Azure File Share from the drop-down list.

7

Select Backup to register the Azure file share extension in the vault.

After you select Backup, the Backup pane opens. To select the storage account hosting the file share that you want to protect, select the Select link text below the Storage Account textbox.

8

The Select Storage Account Pane opens on the right, listing a set of discovered supported storage accounts. They’re either associated with this vault or present in the same region as the vault, but not yet associated to any Recovery Services vault. From the list of discovered storage accounts, select an account, and select OK.

The next step is to select the file shares you want to back up. Select the Add button in the FileShares to Backup section.

The Select File Shares context pane opens on the right. Azure searches the storage account for file shares that can be backed up. If you recently added your file shares and don’t see them in the list, allow some time for the file shares to appear

From the Select File Shares list, select one or more of the file shares you want to back up. Select OK.

To choose a backup policy for your file share, you have three options:

  • Choose the default policy.
    This option allows you to enable daily backup that will be retained for 30 days. If you don’t have an existing backup policy in the vault, the backup pane opens with the default policy settings. If you want to choose the default settings, you can directly select Enable backup.

Prevent attacks

11

The update link opens the Security Settings pane, which provides a summary of the features and lets you enable them.

From the drop-down list Have you configured Azure AD Multi-Factor Authentication?, select a value to confirm if you’ve enabled Azure AD Multi-Factor Authentication. If it’s enabled, you’re asked to authenticate from another device (for example, a mobile phone) while signing in to the Azure portal.

10

When you perform critical operations in Backup, you have to enter a security PIN, available on the Azure portal. Enabling Azure AD Multi-Factor Authentication adds a layer of security. Only authorized users with valid Azure credentials, and authenticated from a second device, can access the Azure portal.

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication, and maintaining a minimum retention range for recovery purposes.

Authentication to perform critical operations

As part of adding an extra layer of authentication for critical operations, you’re prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations.

That’s all for now! I hope it was useful guys, until the next post, thank you!

Joao Costa

Azure Files – Part 3 – AD SMB Authentication for Azure Files

AzFiles1

Hey guys! In the first two posts about Azure Files, I initially explained what Azure Files is (Click here to read) and also explained what would be the simplest way of configuring it, using the storage account’s access key (Read this post here).

When on-premises AD authentication is enabled for Azure Files, your AD domain-joined machines, regardless of whether they are in Azure or on-premises, will be able to use Azure Files using their existing AD credentials.

Prerequisites

  • Before you enable AD DS authentication for Azure file shares, make sure you have completed the following prerequisites:
  • Select or create your AD DS environment and sync it to Azure AD with Azure AD Connect.
  • You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Azure AD. The Azure AD tenant and the file share that you are accessing must be associated with the same subscription.
  • Domain-join an on-premises machine or an Azure VM to on-premises AD DS. For information about how to domain-join, refer to Join a Computer to a Domain.
  • If your machine is not domain joined to an AD DS, you may still be able to leverage AD credentials for authentication if your machine has line of sight of the AD domain controller.
  • Select or create an Azure storage account. For optimal performance, we recommend that you deploy the storage account in the same region as the client from which you plan to access the share. Then, mount the Azure file share with your storage account key. Mounting with the storage account key verifies connectivity.
  • Make sure that the storage account containing your file shares is not already configured for Azure AD DS Authentication. If Azure Files Azure AD DS authentication is enabled on the storage account, it needs to be disabled before changing to use on-premises AD DS. This implies that existing ACLs configured in Azure AD DS environment will need to be reconfigured for proper permission enforcement.
  • Make any relevant networking configuration prior to enabling and configuring AD DS authentication to your Azure file shares. See Azure Files networking considerations for more information.
  • If you don’t have .Net Framework 4.7.2 installed, install it now. It is required for the module to import successfully.
  • Download and unzip the AzFilesHybrid module (GA module: v0.2.0+). Note that AES 256 kerberos encryption is supported on v0.2.2 or above. If you have enabled the feature with a AzFilesHybrid version below v0.2.2 and want to update to support AES 256 Kerberos encryption, please refer to this article.
  • Install and execute the module in a device that is domain joined to on-premises AD DS with AD DS credentials that have permissions to create a service logon account or a computer account in the target AD.
  • Run the script using an on-premises AD DS credential that is synced to your Azure AD. The on-premises AD DS credential must have either Owner or Contributor Azure role on the storage account.

Source: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable and https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable.

Ok, Let’s get started.

The process of enabling your  Active Directory authentication for Azure FIles is to join the storage account that you used to create the file share to your Active Directory. When you enable AD authentication for the storage account, it applies to all new and existing Azure file shares.

Step-by-step

First you will need to download this script, basically it is a module you will need to add to your powershell that will be used to enable “hybrid” Active Directory. To be honest, it will be a very simple task, basically you will need to follow the steps described in the text file that is inside the zip file.

$Url = ‘https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.3/AzFilesHybrid.zip’

Invoke-WebRequest -Uri $Url -OutFile “C:\AzFilesHybrid.zip”

Expand-Archive -Path “C:\AzFilesHybrid.zip”

Next you will need to change the script execution policy in your PowerShell environment. To do this run the following command > Set-ExecutionPolicy –ExecutionPolicy  Unrestricted –Scope CurrentUser

image

Also if you don’t have the PowerShell module for Azure you will need to install it, do this using the command Install-Module Az –AllowClobber

Now, you need to connect your Azure and select the correct subscription, do this using the command shown below.

image

In my example above I have only one subscription associated with this user, however if you have more than one you can use the Get command shown in the screenshot to select the correct one.

Finally, register the target storage account in Azure with your Active Directory environment by specifying the domain name, the domain account type (You can choose between computer account or Service Logon Account), and the target OU name where the service/computer account will be created:

join-AzStorageAccountForAuth -ResourceGroupName “<resource-group-name>” -Name “<storage-account-name>” -Domain “yourLocalADDomain.co.uk” -DomainAccountType ServiceLogonAccount -OrganizationalUnitDistinguishedName “ou-name-attribute-value”

After the above command you can also confirm on AD if the account has been created, and also run the following commands that is going to show you the storage account Kerberos key, the directory service of the selected service account and the directory domain information (If the storage account has enabled AD authentication for file shares).

$storageacccount = Get-AzStorageAccount -ResourceGroupName “<resource-group-name>” -Name “<storage-account-name>”
$storageacccount | Get-AzStorageAccountKey -ListKerbKey | Format-Table Keyname
$storageacccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

Also update the password for the service account before the maximum password age is expired and then update the AD account password for the Azure storage account by running the following PowerShell command:

Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName “<resource-group-name>” -StorageAccountName “<storage-account-name>”

Also if you prefer, you can set the password to never expire in AD.

The expected end result should be like the screenshots below.

PS1

image

Now the last step should be to grant access permission to the appropriate users and groups, an identity (User, Group or service account) must have the necessary permission at the share level. To allow access, Microsoft provides three built-in roles to grant share-level permission for users.

Storage File Data SMB Share Reader – Allows for read access to files and directories in Azure file shares. This role is analogous to a file share ACL of read on Windows File servers. Learn more.

Storage File Data SMB Share Contributor – Allows for read, write, and delete access on files and directories in Azure file shares. Learn more.

Storage File Data SMB Share Elevated Contributor – Allows for read, write, delete, and modify ACLs on files and directories in Azure file shares. This role is analogous to a file share ACL of change on Windows file servers. Learn more.

You can use the Azure portal, PowerShell or Azure CLI to assign the built-in roles to the Azure AD identity of a user for grating share-level permissions.

To assign an Azure role to an Azure AD identity, using the Azure portal, follow these steps:

  1. In the Azure portal, go to your file share, or create a file share.
  2. Select Access Control (IAM).
  3. Select Add a role assignment
  4. In the Add role assignment blade, select the appropriate built-in role from the Role list.
    1. Storage File Data SMB Share Reader
    2. Storage File Data SMB Share Contributor
    3. Storage File Data SMB Share Elevated Contributor
  5. Leave Assign access to at the default setting: Azure AD user, group, or service principal. Select the target Azure AD identity by name or email address. The selected Azure AD identity must be a hybrid identity and cannot be a cloud only identity. This means that the same identity is also represented in AD DS.
  6. Select Save to complete the role assignment operation.

image

Now just test the access, if you did everything as mentioned here the result will be as follows:

image

image

That’s all for today guys, I’ll talk to you soon!

Joao Costa


Azure Files – Part 2 – Creating a SMB Share

smb-icon

Hello everyone! As promised in the first post about Azure File, today I will demonstrate how to create an Azure Files SMB share. However, first it is necessary to say that when we implement SMB shares with Azure, there are 2 basic scenarios. The first would be server to server and/or applications, in which case you can use standard admin account and access key. If you wanted to use your Active Directory domain identity with Azure Files, you will need to extend your domain to Azure (You can do this in 2 ways), that is, basically add the domain service in the Microsoft cloud, only in this one scenario you can integrate your storage account with identities, your users can each use their own domain account to use their file access privileges.

That said, let’s get down to the minimum requirements for using Azure Files on Windows machines (MacOS and Linux are also supported, but they’re not in the scope of this post).

image

Let’s get started!

Initially, to create an Azure Files you need to create a new Storage Account, because if you try to search Azure Files when creating a new resource, you will notice that nothing will be found.

image

Of course you can use an existing Storage Account, but for this post I will create a new storage account.

The important steps here is to create a resource group and the storage account itself, everything else you can customize according to your need or leave everything as default (If your don’t know how to create a Storage Account go to this post).

image

Hit ‘Review + Create’ and within 2 or 3 minutes you will have everything you need to create your Azure Files, Then click go to the resource. Once you have your new storage account open, hit the ‘File Share’ blade in the vertical menu on the left side.

image

 Just for observation, at the top of the screen above it says that the Active Directory is not configured, i.e. in this scenario I could not use the identity service without first enabling the domain service in Azure.

Continuing with our configuration, hit ‘+ File Share’, type the name, put the amount of GiB needed then select the access tier needed. For this post I selected the cheapest for demonstration purposes, but you must select it according to your need (You can access here the Microsoft link explaining about each tier and pricing).

image

Now that the share has been created, navigate to the one we just created and you can see that there aren’t many options here. The main option is the ‘Connect’ option.

Hit the ‘Connect’ option and you will see that Azure will provide a script for Windows, Linux and MacOS.

Basically you will need to choose which operating system you will have the driver mapped, the driver letter (For Windows OS only) and which authentication method will be used.

image

To finish the only thing to do is run this PowerShell script on the machine where you want to have the driver mapped, with the only requirement being port 445 open for communication with Azure. In this script provided by azure, it already contains the account and password to access the resource, and at the time of execution of the script there is no need to elevate your PowerShell session.

image

The result I hope after executing the script will be the driver mapped as in the example below.

image

It is also possible to add the mapping manually, you just need to follow the following steps.

1 – On the machine you want to map the drive, open Windows Explorer and hit ‘This PC’, then right click on the white space and select Add network location, after that hit ‘Next’ twice and you will end up to a windows that you need to specify the address for the location you want to add.

2-Go back to Azure Files on Azure portal and hit ‘Properties’.

3- Copy URL without the HTTPS and paste on your Windows Explorer screen, but don’t forget to add the ‘\\’ and also change all others for back slash ‘\’.  The result should be this:

image

4- Hit ‘Next’ and give a name for your network location, and hit ‘Next’ again.

5- Finally, it should ask for the user name and password to access the network location, so to grab that you need to go to Azure Portal again and grab it from your Azure Files Storage Account.

image

The credentials accessing format will be:

User: localhost\StorageAccountName

Password: StorageAccountAccessKey

Now you will be able to put your files these will be automatically synced to the cloud or your on-premises environment (Depending on where you create the file).

image

I would also like to demonstrate the features of Azure Files snapshot and how the backup works, but this post is already too big, for this reason I will reserve these subjects for the next ones. If you have any questions, leave in the comments, see you soon!

Joao Costa

Creating a storage on Azure

SA_logo

Today I’m going to show you how to create a storage in the Microsoft Azure portal. So straight to the point, let’s get start: First log on your Azure Portal, next go to the “Search Bar” and type “Storage Accounts“, after that select Storage Accounts and finally click “Create“.

image

Now let’s add the necessary information for each Storage, remembering which organization will have Storages according to your needs. I will detail each configuration (Required ones):

Basics tab

  • Subscription – Select the subscription for the new storage account.
  • Resource group – Create a new resource group for this storage account, or select an existing one. For more information, see Resource groups.
  • Storage account name – Choose a unique name for your storage account. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
  • Region – Select the appropriate region for your storage account. Not all regions are supported for all types of storage accounts or redundancy configurations.
  • Performance – Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:
  • Redundancy – Select your desired redundancy configuration. Not all redundancy options are available for all types of storage accounts in all regions. If you select a geo-redundant configuration (GRS or GZRS), your data is replicated to a data center in a different region. For read access to data in the secondary region, select Make read access to data available in the event of regional unavailability.
  • Advanced tab

    Networking tab
    • Connectivity method – By default, incoming network traffic is routed to the public endpoint for your storage account. You can specify that traffic must be routed to the public endpoint through an Azure virtual network. You can also configure private endpoints for your storage account. For more information, see Use private endpoints for Azure Storage.
    • Routing preference – The network routing preference specifies how network traffic is routed to the public endpoint of your storage account from clients over the internet. By default, a new storage account uses Microsoft network routing. You can also choose to route network traffic through the POP closest to the storage account, which may lower networking costs. For more information, see Network routing preference for Azure Storage.

    Then click Create.

    image

    After creation check it in your Storage accounts and by clicking on settings you can see all the parameters used in the Storage settings.

    image

    Thanks guys and see you on the next post!

    How to connect to Azure from PowerShell

    Today I will talk about how to use PowerShell. I know that there is already integrated access to the browser directly through the Azure portal, but the idea of this post is to show how to access it as in the old days and mainly to help those who do not know where to start.

    Well, let’s get started! If you have not yet installed the PowerShell module, I will demonstrate here how to do this, basically, you will need to open PowerShell as Administrator (Right-click and select “Run as administrator”), then execute the following command (Copy and Paste it):

    If you want the module to be available only to the user performing the procedure on this workstation, choose command 1, if not, you want the module to be available to all users of this workstation, choose command 2.

    1 – Install for Current User

    if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
    'Az modules installed at the same time is not supported.')
    } else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
    }

    2 – Install for All Users
    if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
        Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
          'Az modules installed at the same time is not supported.')
    } else {
        Install-Module -Name Az -AllowClobber -Scope AllUsers
    }

    If you try to understand the commands, you will see that only the parameter –Scope is changed. My learning tip here is, always try to understand the command that is being executed, this will help you to become familiar with Cmdlets (CmdLets is the name given to the commands used in PowerShell).

    image

    If you want to understand more about the subject, here are some links that will help you learn.

    • Introducing the Azure Az PowerShell module

    From now on I am assuming you have already installed the Az Module and using PowerShell. Here is the simple command for your reference. The below command will connect to your Azure Account and it will connect to the default subscription.

    Import-Moduloe –Name Az

    Connect-AzAccount

    AzAccountConnected

    And if you have different subscriptions you have to set the default subscription with the below command.

    Set-AzContext ‘YOUR_SUBSCRIPTION_NAME’

    To Discover or list all the Az Module

    Get-Module Az.* -ListAvailable | Select-Object Name -Unique

    To discover the available cmdlets within a module we can use the Get-Command cmdlet. In this example, we browse all cmdlets within the Az.Account module:

    Get-Command -Module Az.Accounts

    You can use the Get-Help command to get help with any specific command

    Get-Help Get-AzVM

    image

    If want to see a few examples against this command you can use this.

    Get-Help Get-AzVM –Examples

    image

    That and everything for today. If you have any questions, leave them in the comments or contact us, it will be a pleasure to answer them Smile.

    Understand Azure Role Based Access Control (RBAC)

    Hi Folks!

    As I said weeks ago, I am studying to take Az-104 exam and I intend to detail here some of the topics that will be covered by the exam. For that reason today I decided to talk about RBACs.

    Identity and Access

    When it comes to identity and access, most organizations that are considering using the public cloud are concerned about two things:

    1. Ensuring that when people leave the organization, they lose access to resources in the cloud.
    2. Striking the right balance between autonomy and central governance – for example, giving project teams the ability to create and manage virtual machines in the cloud while centrally controlling the networks those VMs use to communicate with other resources.

    Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) work together to make it simple to carry out these goals.

    Azure subscriptions

    First, remember that each Azure subscription is associated with a single Azure AD directory. Users, groups, and applications in that directory can manage resources in the Azure subscription. The subscriptions use Azure AD for single sign-on (SSO) and access management. You can extend your on-premises Active Directory to the cloud by using Azure AD Connect. This feature allows your employees to manage their Azure subscriptions by using their existing work identities. When you disable an on-premises Active Directory account, it automatically loses access to all Azure subscriptions connected with Azure AD.

    What is RBAC?

    Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With RBAC, you can grant the exact access that users need to do their jobs. For example, you can use RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription.

    What is role-based access control?

    You grant access by assigning the appropriate RBAC role to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource. A role assigned at a parent scope also grants access to the child scopes contained within it. For example, a user with access to a resource group can manage all the resources it contains, like websites, virtual machines, and subnets. The RBAC role that you assign dictates what resources the user, group, or application can manage within that scope.

    The following diagram depicts how the classic subscription administrator roles, RBAC roles, and Azure AD administrator roles are related at a high level. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.

    rbac-admin-roles

    In the above diagram, a subscription is associated with only one Azure AD tenant. Also note that a resource group can have multiple resources but is associated with only one subscription. Although it’s not obvious from the diagram, a resource can be bound to only one resource group.

    What can I do with RBAC?

    RBAC allows you to grant access to Azure resources that you control. Suppose you need to manage access to resources in Azure for the development, engineering, and marketing teams. You’ve started to receive access requests, and you need to quickly learn how access management works for Azure resources.

    Here are some scenarios you can implement with RBAC.

    • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
    • Allow a database administrator group to manage SQL databases in a subscription
    • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
    • Allow an application to access all resources in a resource group

    RBAC in the Azure portal

    In several areas in the Azure portal, you’ll see a pane named Access control (IAM), also known as identity and access management. On this pane, you can see who has access to that area and their role. Using this same pane, you can grant or remove access.

    The following shows an example of the Access control (IAM) pane for a resource group. In this example, has been assigned the Contributor role to myself for the GetPractical resource group.

    image

    How does RBAC work?

    You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as “who”, “what”, and “where”.

    1. Security principal (who)

    A security principal  is just a fancy name for a user, group, or application that you want to grant access to.

    image

    2. Role definition (what you can do)

    A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the permissions that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Contributor.

    image

    Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles:

    • Owner – Has full access to all resources, including the right to delegate access to others.
    • Contributor – Can create and manage all types of Azure resources, but can’t grant access to others.
    • Reader – Can view existing Azure resources.
    • User Access Administrator – Lets you manage user access to Azure resources.

    If the built-in roles don’t meet the specific needs of your organization, you can create your own custom roles.

    3. Scope (where)

    Scope is where the access applies to. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

    In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship. When you grant access at a parent scope, those permissions are inherited by the child scopes. For example, if you assign the Contributor role to a group at the subscription scope, that role is inherited by all resource groups and resources in the subscription.

    image

    Role assignment

    Once you have determined the who, what, and where, you can combine those elements to grant access. A role assignment is the process of binding a role to a security principal at a particular scope, for the purpose of granting access. To grant access, you create a role assignment. To revoke access, you remove a role assignment.

    The following example shows how the Marketing group has been assigned the Contributor role at the sales resource group scope.

    image

    RBAC is an allow model

    RBAC is an allow model. What this means is that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. So, if one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you will have read and write permissions on that resource group.

    RBAC has something called NotActions permissions. Use NotActions to create a set of allowed permissions. The access granted by a role, the effective permissions, is computed by subtracting the NotActions operations from the Actions operations. For example, the Contributor role has both Actions and NotActions. The wildcard (*) in Actions indicates that it can perform all operations on the control plane. Then you subtract the following operations in NotActions to compute the effective permissions:

    • Delete roles and role assignments
    • Create roles and role assignments
    • Grants the caller User Access Administrator access at the tenant scope
    • Create or update any blueprint artifacts
    • Delete any blueprint artifacts

    Azure’s Certifications

    Hi Folks!

    Recently I’ve decided to renew my Microsoft certifications and also get new ones. Although I have already good years of experience working with Azure, I never tried to get its certifications, then because of that, I decided to start with Azure’s certifications.

    At the moment my certification target is the exam Az-104: Microsoft Azure Administrator. I’ve started my studies in the middle of January, so 2 weeks ago I decided to have a shot at the exam Az-900: Azure Fundamentals, just to have an idea of how my studies are going on, got approved on that \0/ !!

    image

    My Badge

    The exam isn’t that hard and has a lot of free content on the Microsoft Learn portal to help understand the exam measures (I will leave the link address at the end of the post).

    My study method:

    1. I always read the outline of the skills measured in each exam.
    2. If there’s anything I’m not familiar with, I’ll read the documentation available in Microsoft Docs (always free and up-to-date).
    3. If I don’t understand what the documents are saying, I use my tenant for proper validations.
    4. I always dedicate 20 to 40 hours (per exam) to perform the laboratories (On Azure you can have a free tenant for 30 days to do your validations).
    5. When it comes to new technology, I start by watching the training available in Microsoft Learn, Pluralsight and/or Udemy.

    That’s my method, share in the comments how’s your studies method?

    So from now on, I will start posting my study path to get approved on these certifications and try to share some acquired knowledge for the most important skill measured on the exams.

    Azure Free tenant: https://azure.microsoft.com/en-gb/free/

    Microsoft Learning: https://docs.microsoft.com/en-us/learn/

    Exam skills outline Az-900: https://docs.microsoft.com/en-us/learn/certifications/exams/az-900

    Exam skills outline Az-104: https://docs.microsoft.com/en-us/learn/certifications/exams/az-104

    Got it? Get Practical!