A lot of companies need to address their security by avoiding granting too many permissions, and as a consultant I don't want to have more permissions than I need to get the work done.
Here is how we use PowerShell to extract up to date permissions from Azure.
Get-AzureRmProviderOperation "Microsoft.Resources/*" | FT Operation, Description
Extract to a file:
Get-AzureRmProviderOperation "*" | FT Operation, description | Out-file C:\Temp\operations.txt
An example is joining a virtual machine to a vNet: the user has no permission on the Resource Group or the vNet resource itself, but we need to allow them to use the network for hosting applications. First, list the operations the Network provider exposes for virtual networks:
Get-AzureRmProviderOperation "Microsoft.Network/virtualNetworks/*" | FT Operation, Description

Operation                                                               Description
---------                                                               -----------
Microsoft.Network/virtualNetworks/read                                  Get the virtual network definition
Microsoft.Network/virtualNetworks/write                                 Creates a virtual network or updates an existing virtual network
Microsoft.Network/virtualNetworks/delete                                Deletes a virtual network
Microsoft.Network/virtualNetworks/peer/action                           Peers a virtual network with another virtual network
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read           Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write          Creates a virtual network peering or updates an existing virtual network peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete         Deletes a virtual network peering
Microsoft.Network/virtualNetworks/subnets/read                          Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write                         Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/subnets/delete                        Deletes a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/join/action                   Joins a virtual network
Microsoft.Network/virtualNetworks/subnets/joinViaServiceTunnel/action   Joins resource such as storage account or SQL database to a Service Tunneling enabled subnet.
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read          Gets references to all the virtual machines in a virtual network subnet
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read       Check if Ip Address is available at the specified virtual network
Microsoft.Network/virtualNetworks/virtualMachines/read                  Gets references to all the virtual machines in a virtual network
We will use JSON to define the custom role, and import the custom role using PowerShell. Only the three read/join operations are granted; write, delete and peering stay out of the role. Note that "IsCustom" must be true for a custom role definition, and "AssignableScopes" limits where the role can be assigned (here a single subscription).

{
  "Name": "Standard Business Area Network Role",
  "Id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "IsCustom": true,
  "Description": "Standard Business Area Network Role.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/dc9b2339-0138-4de6-b2c2-c7e9408fdfa4"
  ]
}
To import it using PowerShell, save the code to a .json file and run:
New-AzureRmRoleDefinition -InputFile C:\temp\CustomRBAC.json
Now to wrap this up, we need to assign that role at a scope (here the resource group that holds the network) to a group or user. The -RoleDefinitionName must match the "Name" in the JSON file:

New-AzureRmRoleAssignment -SignInName roy@johana30.sg-host.com -RoleDefinitionName "Standard Business Area Network Role" -ResourceGroupName Network
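The same procedure as one script, added here as an example and not code from the original post: it checks the action names against the provider's operation list before creating the role, writes the JSON, creates or updates the role, assigns it and reads the assignment back. The sign-in name, resource group name and output path are assumed placeholders.

```powershell
# Added example (not from the original post). Assumptions: the AzureRm module is
# loaded and logged in; sign-in name, resource group and output path are placeholders.
$RoleName      = 'Standard Business Area Network Role'
$ResourceGroup = 'Network'
$SignInName    = 'user@example.com'
$OutFile       = Join-Path $env:TEMP 'CustomRBAC.json'

# Least-privilege set: see the vNet and its subnets, join a subnet, nothing else.
$actions = @(
    'Microsoft.Network/virtualNetworks/read',
    'Microsoft.Network/virtualNetworks/subnets/read',
    'Microsoft.Network/virtualNetworks/subnets/join/action'
)

# Guard 1: refuse wildcards, which silently widen a "least privilege" role.
if ($actions | Where-Object { $_.Contains('*') }) { throw 'Wildcard in Actions; aborting.' }

# Guard 2: every action must be a real provider operation, so a typo is caught
# here rather than producing a role that grants nothing (or the wrong thing).
$known   = (Get-AzureRmProviderOperation 'Microsoft.Network/virtualNetworks/*').Operation
$unknown = $actions | Where-Object { $known -notcontains $_ }
if ($unknown) { throw "Unknown operations: $($unknown -join ', ')" }

# Build the definition; IsCustom is true and the scope is only this subscription.
$subId = (Get-AzureRmContext).Subscription.Id
$definition = [ordered]@{
    Name             = $RoleName
    IsCustom         = $true
    Description      = 'Read a vNet and its subnets and join a subnet; no write or delete.'
    Actions          = $actions
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$subId")
}
$definition | ConvertTo-Json -Depth 5 | Out-File -FilePath $OutFile -Encoding utf8

# Create the role on first run; on later runs update the action list in place.
$existing = Get-AzureRmRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzureRmRoleDefinition -InputFile $OutFile | Out-Null
} else {
    $existing.Actions.Clear()
    $actions | ForEach-Object { $existing.Actions.Add($_) }
    Set-AzureRmRoleDefinition -Role $existing | Out-Null
}

# Assign at resource-group scope, then read back what the principal now holds.
New-AzureRmRoleAssignment -SignInName $SignInName -RoleDefinitionName $RoleName `
    -ResourceGroupName $ResourceGroup | Out-Null
Get-AzureRmRoleAssignment -SignInName $SignInName -ResourceGroupName $ResourceGroup |
    Select-Object RoleDefinitionName, Scope
```

The final Get-AzureRmRoleAssignment output is the check that the user holds only this role at that scope and nothing broader.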
But there is a glitch in this matrix: this only works when creating a new VM, not when you are restoring a VM from backup in a Recovery Services Vault.
Please let me know when Microsoft fixes this 🙂