Azure Custom Role – Join VM to vNet

Alot of companies need to address their security by avoiding to much permissions and as a consultant I don’t want to have more permissions then I need to get the work done.

Here is how we use PowerShell to extract up to date permissions from Azure.

Get-AzureRmProviderOperation "Microsoft.Resources/*" | FT Operation, Description

Extract to a file:

Get-AzureRmProviderOperation "*" | FT Operation, description | Out-file C:\Temp\operations.txt

An example is joining a virtual machine to a vNet, without having permission to the Resource Goup or vNet Resource, but we need to allow them to use the network for hosting applications:

Get-AzureRmProviderOperation "Microsoft.Network/virtualNetworks/*" | FT Operation, Description

Operation                                                             Description                                                                                  
---------                                                             -----------                                                                                  
Microsoft.Network/virtualNetworks/read                                Get the virtual network definition                                                           
Microsoft.Network/virtualNetworks/write                               Creates a virtual network or updates an existing virtual network                             
Microsoft.Network/virtualNetworks/delete                              Deletes a virtual network                                                                    
Microsoft.Network/virtualNetworks/peer/action                         Peers a virtual network with another virtual network                                         
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read         Gets a virtual network peering definition                                                    
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write        Creates a virtual network peering or updates an existing virtual network peering             
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete       Deletes a virtual network peering                                                            
Microsoft.Network/virtualNetworks/subnets/read                        Gets a virtual network subnet definition                                                     
Microsoft.Network/virtualNetworks/subnets/write                       Creates a virtual network subnet or updates an existing virtual network subnet               
Microsoft.Network/virtualNetworks/subnets/delete                      Deletes a virtual network subnet                                                             
Microsoft.Network/virtualNetworks/subnets/join/action                 Joins a virtual network                                                                      
Microsoft.Network/virtualNetworks/subnets/joinViaServiceTunnel/action Joins resource such as storage account or SQL database to a Service Tunneling enabled subnet.
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read        Gets references to all the virtual machines in a virtual network subnet                      
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read     Check if Ip Address is available at the specified virtual network                            
Microsoft.Network/virtualNetworks/virtualMachines/read                Gets references to all the virtual machines in a virtual network

We will use JSON code to create the custom role, and import the custom role using PowerShell.

{
    "Name":  "Standard Business Area Network Role",
    "Id":  "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
    "IsCustom":  false,
    "Description":  "Standard Business Area Network Role.",
    "Actions":  [
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action"
                ],
    "NotActions":  [

                   ],
    "AssignableScopes":  [
                             "/subscriptions/dc9b2339-0138-4de6-b2c2-c7e9408fdfa4"
                         ]
}

To import using PowerShell save the code to a .json file and:

New-AzureRmRoleDefinition -InputFile C:\temp\CustomRBAC.json

Now to wrap this up, we need to assign that role to a resource and group/user:

New-AzureRmRoleAssignment -SignInName roy@johana30.sg-host.com -RoleDefinitionName JoinVnet -ResourceGroupName Network

But, there is a glitch in this matrix, this only work when creating a new VM. Not if your recovering from backup in Recovery Services Vault.

Please let me know when Microsoft fixes this 🙂


Leave a Reply

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working av Sopra Steria. Main focus in Microsoft Security and Endpoint Management, with a bigger picture in mind.

Featured Posts