The Ops Community

Cover image for Using the Azure CLI to Update and Manage User Permissions
Patrick Londa for Blink Ops

Posted on • Updated on • Originally published at blinkops.com

Using the Azure CLI to Update and Manage User Permissions

If you need to make user permission updates in an automated way, the Azure CLI can be a great option. In this post, I'll outline the two main sources of user permissions, roles and groups, and how they intersect.

With a combination of roles and groups, you can maintain granular permissions across many different projects while adhering to the principle of least privilege.

Understanding Roles with Azure RBAC

Azure roles are a flexible way to designate user permissions. With Azure RBAC (role-based access control), you can unlock access to certain resources and actions by assigning a user to a certain role, which comes with an accompanying set of permissions.

These are some examples of common built-in roles:

  • Contributor: Can create and manage Azure resources
  • Owner: Access to all resources and can extend access to others
  • Reader: Can view only existing Azure resources
  • User Access Administrator: Can manage access to Azure resources

You can narrow access further by assigning a user with a role in relation to a specific scope (e.g. resource group, application id, etc.). If you need a unique combination of permissions and expect to have similar use cases in the future, you can also create custom roles by providing either a JSON role definition file or a PSRoleDefinition object as input.

Assigning Roles with the Azure CLI

You will likely need to update someone’s role if they are new to your organization or have been assigned to a new project; or inversely, if they are leaving or no longer need access. Here are the steps for making these changes with the Azure CLI.

Adding a Role to a User

To assign a role to a user in Azure, you can use the “az role assignment create” command. You have to specify three components, the assignee, the role, and the resource groups or scope of access. In the following example, we’re assigning Reader access (role definition) to user John Smith for the scope of a certain resource group.

az role assignment create --assignee "john.smith@acme.com" \
--role "Reader" \
--resource-group "Acme-Group-1"
Enter fullscreen mode Exit fullscreen mode

Removing a Role from a User

Next, to remove the role from the same user, we would use the “az role assignment delete” command. This command uses the exact same parameters:

az role assignment delete --assignee "john.smith@acme.com" \
--role "Reader" \
--resource-group "Acme-Group-1"
Enter fullscreen mode Exit fullscreen mode

These commands should enable you to make these role updates manually, or script a repeatable workflow for new employees or new projects.

Understanding Groups in Azure

In GCP or AWS, Identify Access Management (IAM) groups are a way to extend access and authorization services/APIs to a team. Groups in Azure serve the same purpose, but Azure is slightly different in that groups are created directly using Azure’s Active Directory (AD).

You can create a new group using the command “az ad group create”, and specify a display name and a mail nickname. Here’s an example:

az ad group create --display-name AcmeGroupA 
--mail-nickname AcmeGroupA
Enter fullscreen mode Exit fullscreen mode

Management of IAM groups in Azure involves the same kinds of tasks you would perform in typical user groups, whether it’s adding or deleting individual users, giving them specific levels of IAM permissions, or managing groups of users as a whole, among many others.

For example, you can assign a group with a certain role for a certain scope or resource group. To do this, you’ll first need to get the object ID for the group using this command:

az ad group show --group "AcmeGroupA" --query "id" --output tsv
Enter fullscreen mode Exit fullscreen mode

The object ID will be a string of numbers in this format: “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”

Now that you have the group ID, you can use the “az role assignment create” command to assign a role to that group:

az role assignment create --assignee "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
--role "Contributor" \
--resource-group "Acme-Group-2"
Enter fullscreen mode Exit fullscreen mode

The combination of user roles and group roles allows for organizations to have a flexible and secure solution for permissions as your company grows or projects change.

Adding or Removing a Users to Groups

If you want to add a user to a group, you’ll need to run the “az ad group member add” command. You will need to plug in values for a group parameter (either the specific group id or display name) and a member-id parameter.

Here is an example of that command:

az ad group member add --group AcmeGroupA
            --member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Enter fullscreen mode Exit fullscreen mode

Removing a member from a group uses the same parameters, and uses the “az ad group member remove” command instead:

az ad group member remove --group AcmeGroupA
            --member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Enter fullscreen mode Exit fullscreen mode

You can also use the same parameters with the “az ad group member check” command to check whether the member was removed from the group.

Hope you found this post helpful!

Discussion (2)

Collapse
kaiwalter profile image
Kai Walter

Sorry, did I miss something? But the 2 first commands are actually Azure PowerShell. Is this by intention?

Collapse
patrick_londa profile image
Patrick Londa Author

Thanks for catching that, @kaiwalter! I've just updated it now so it doesn't have any of those PowerShell commands mixed in.