If you need to make user permission updates in an automated way, the Azure CLI can be a great option. In this post, I'll outline the two main sources of user permissions, roles and groups, and how they intersect.
With a combination of roles and groups, you can maintain granular permissions across many different projects while adhering to the principle of least privilege.
Azure roles are a flexible way to designate user permissions. With Azure RBAC (role-based access control), you can unlock access to certain resources and actions by assigning a user to a certain role, which comes with an accompanying set of permissions.
These are some examples of common built-in roles:
- Contributor: Can create and manage Azure resources
- Owner: Access to all resources and can extend access to others
- Reader: Can view only existing Azure resources
- User Access Administrator: Can manage access to Azure resources
You can narrow access further by assigning a user with a role in relation to a specific scope (e.g. resource group, application id, etc.). If you need a unique combination of permissions and expect to have similar use cases in the future, you can also create custom roles by providing either a JSON role definition file or a PSRoleDefinition object as input.
You will likely need to update someone’s role if they are new to your organization or have been assigned to a new project; or inversely, if they are leaving or no longer need access. Here are the steps for making these changes with the Azure CLI.
To assign a role to a user in Azure, you can use the “az role assignment create” command. You have to specify three components, the assignee, the role, and the resource groups or scope of access. In the following example, we’re assigning Reader access (role definition) to user John Smith for the scope of a certain resource group.
az role assignment create --assignee "firstname.lastname@example.org" \ --role "Reader" \ --resource-group "Acme-Group-1"
Next, to remove the role from the same user, we would use the “az role assignment delete” command. This command uses the exact same parameters:
az role assignment delete --assignee "email@example.com" \ --role "Reader" \ --resource-group "Acme-Group-1"
These commands should enable you to make these role updates manually, or script a repeatable workflow for new employees or new projects.
In GCP or AWS, Identify Access Management (IAM) groups are a way to extend access and authorization services/APIs to a team. Groups in Azure serve the same purpose, but Azure is slightly different in that groups are created directly using Azure’s Active Directory (AD).
You can create a new group using the command “az ad group create”, and specify a display name and a mail nickname. Here’s an example:
az ad group create --display-name AcmeGroupA --mail-nickname AcmeGroupA
Management of IAM groups in Azure involves the same kinds of tasks you would perform in typical user groups, whether it’s adding or deleting individual users, giving them specific levels of IAM permissions, or managing groups of users as a whole, among many others.
For example, you can assign a group with a certain role for a certain scope or resource group. To do this, you’ll first need to get the object ID for the group using this command:
az ad group show --group "AcmeGroupA" --query "id" --output tsv
The object ID will be a string of numbers in this format: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”
Now that you have the group ID, you can use the “az role assignment create” command to assign a role to that group:
az role assignment create --assignee "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \ --role "Contributor" \ --resource-group "Acme-Group-2"
The combination of user roles and group roles allows for organizations to have a flexible and secure solution for permissions as your company grows or projects change.
If you want to add a user to a group, you’ll need to run the “az ad group member add” command. You will need to plug in values for a group parameter (either the specific group id or display name) and a member-id parameter.
Here is an example of that command:
az ad group member add --group AcmeGroupA --member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Removing a member from a group uses the same parameters, and uses the “az ad group member remove” command instead:
az ad group member remove --group AcmeGroupA --member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
You can also use the same parameters with the “az ad group member check” command to check whether the member was removed from the group.
Hope you found this post helpful!