How to create a Role Based Access Control (RBAC) using Azure portal, Powershell, and CLI.
1. Let’s create a User and Group using the Azure portal.
💥Search for the Azure Active Directory in the search bar.
💥In Azure Active Directory, under Manage, click on Users.
💥In the Users Blade, click on New user.
💥In the Basics Tab, provide the User Principal name and Display Name.
💥Copy the User’s Principal name.
💥Make sure Auto-generated password is checked, then click the Show password icon to note the password.
💥Share the username and password with the user once the account is created.
💥Once you have the required information, Click on Create.
💥In the Users blade, the newly created user is visible. Successfully created the user Swetha Mudunuri 😍.
2. Using the Azure portal, let’s create a Group and add the User to it.
💥In the Azure Active Directory, Under the Manage section, click on Groups, as highlighted in the screenshot.
💥Select the Group type as Security, and provide the Group name.
💥In the Owners section, Click on No Owners selected, search for the newly created user, and select.
💥In the Members section, click on No Members selected, then repeat the same steps: search for the newly created user and select it.
💥Click on Create in the Group blade.
💥Successfully created a group and added the user to the group using Azure Portal😍💥.
3. Let’s learn how to create a group and add a user using Powershell.
💥Open Powershell in the Azure portal and run the below command to create a password profile object.
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
💥Run the below command to set the password for the profile object.
$passwordProfile.Password = "xxxxxxx"
💥Run the command to connect to Azure Active Directory.
Connect-AzureAD
💥Run the following command to save the tenant’s verified domain name in the “domainName” variable.
$domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name
💥Below is the command to create a user account for Vijaya Lakshmi.
New-AzureADUser -DisplayName 'Vijaya Lakshmi' -PasswordProfile $passwordProfile -UserPrincipalName "Vijji@$domainName" -AccountEnabled $true -MailNickName 'Vijji'
💥Use the below command to list the newly created user.
Get-AzureADUser
4. Create a group and add a user to the group using Powershell.
💥Use the below command to create a security group named “Cloud Admins”.
New-AzureADGroup -DisplayName 'Cloud Admins' -MailEnabled $false -SecurityEnabled $true -MailNickName CloudAdmins
💥Use the below command to list the groups and see the newly created Cloud Admins group.
Get-AzureADGroup
💥Capture the user details of “Vijji” in the variable “user”.
$user = Get-AzureADUser -Filter "MailNickName eq 'Vijji'"
💥Run the below command to add the user Vijji to the Cloud Admins group.
Add-AzADGroupMember -MemberUserPrincipalName $user.userPrincipalName -TargetGroupDisplayName "Cloud Admins"
💥Use the below command to verify that the Cloud Admins group contains the user “Vijji”.
Get-AzADGroupMember -GroupDisplayName "Cloud Admins"
Completed creating a user and adding it to a group.
5. Create a Business Analyst group and add a user using the CLI.
💥From the Azure Portal, Launch the cloud shell and make sure Bash is selected.
💥Run the below commands to capture the domain name and create a user named “Jan V”.
DOMAINNAME=$(az ad signed-in-user show --query userPrincipalName -o tsv | cut -d '@' -f 2)
az ad user create --display-name "Jan V" --password "xxxxxx" --user-principal-name jan@$DOMAINNAME
💥Command to list the users and check whether Jan V was created.
az ad user list --output table
💥Use the below command to create a group named “Business Analyst”.
az ad group create --display-name "Business Analyst" --mail-nickname "BusinessAnalyst"
💥Command to list the groups.
az ad group list -o table
💥Capture the user details in a variable, obtain the object id of the user “Jan V”, and add the user to the group Business Analyst. Refer to the screenshot below.
USER_JSON=$(az ad user list --filter "displayName eq 'Jan V'")
OBJECTID=$(echo "$USER_JSON" | jq -r '.[0].id')
az ad group member add --group "Business Analyst" --member-id "$OBJECTID"
💥List the group members and verify that the Business Analyst group now contains the user Jan V 😀.
6. Assign the Virtual Machine Contributor role to the Business Analyst Group.
💥Open the Azure portal and go to Resource groups. Select the subscription and provide the resource group name and region.
💥Click Review+Create to create the resource group.
💥Once the resource group is created, go to the resource group and click on Access control (IAM), as shown in the below screenshot.
💥Click on Add → Add role assignment.
💥On the Add role assignment page, select the Virtual Machine Contributor role.
💥On the Members pane, select the “Business Analyst” group as the member and click on Review + assign.
💥Successfully assigned a role to the group “Business Analyst”. To verify the assigned roles, click on Access control (IAM) → Check access tab.
💥Enter the username “Jan V” in the search by name or email address box.
💥Once the user account is selected, we can see the newly assigned Virtual Machine Contributor role for the user (through the Business Analyst group membership), whereas the rest of the users have no role assignments.
💥Don’t forget to clean up the resources once you finish practicing.
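The script below is an added example, not code from the original post. It runs the same workflow as sections 3 to 6 end to end, but against the Az PowerShell module only (Az.Accounts and Az.Resources) instead of mixing AzureAD cmdlets (Connect-AzureAD, New-AzureADUser) with Az cmdlets (Add-AzADGroupMember) as section 4 does. It assigns the built-in Virtual Machine Contributor role to the group, scoped to one resource group, and verifies it the way the portal’s Check access tab does, by expanding the user’s group memberships. The resource group name, location, group description, mail nickname and the prompt for the initial password are assumptions; change them for your tenant. It assumes Connect-AzAccount has already been run with a user account (Cloud Shell does this for you).

```powershell
# Added example: RBAC bootstrap with the Az module only (not the original post's code).
# Assumes Connect-AzAccount has been run as a user, so the account id is a UPN.
$ErrorActionPreference = 'Stop'

# ---- assumed values: adjust for your tenant ----------------------------------
$resourceGroupName = 'rg-rbac-demo'          # assumption
$location          = 'eastus'                # assumption
$groupName         = 'Business Analyst'
$displayName       = 'Jan V'
$mailNickname      = 'jan'
$roleName          = 'Virtual Machine Contributor'   # built-in role, not created here

# Derive the tenant domain from the signed-in UPN, like the CLI section does with
# az ad signed-in-user show.
$domain = ((Get-AzContext).Account.Id -split '@')[1]
$upn    = "$mailNickname@$domain"

# Prompt for the bootstrap password instead of hard-coding it in the script or
# shell history; the user is forced to change it at first sign-in.
$securePassword = Read-Host -Prompt "Initial password for $upn" -AsSecureString

# 1. Create the user (reuse it if it already exists, so the script can be re-run).
$user = Get-AzADUser -UserPrincipalName $upn
if (-not $user) {
    $user = New-AzADUser -DisplayName $displayName -UserPrincipalName $upn `
        -MailNickname $mailNickname -Password $securePassword `
        -AccountEnabled -ForceChangePasswordNextLogin
}

# 2. Create the security group (New-AzADGroup creates a mail-disabled,
#    security-enabled group by default).
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName -MailNickname 'BusinessAnalyst' `
        -Description 'May manage virtual machines in the demo resource group'  # assumption
}

# 3. Add the user by object id and show the resulting membership.
$members = Get-AzADGroupMember -GroupObjectId $group.Id
if (-not ($members | Where-Object Id -eq $user.Id)) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
}
Get-AzADGroupMember -GroupObjectId $group.Id | Select-Object DisplayName, Id

# 4. Resource group, then the role assignment scoped to that resource group only:
#    the group can manage VMs there and nowhere else in the subscription.
$rg = Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) { $rg = New-AzResourceGroup -Name $resourceGroupName -Location $location }

$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
    -ResourceGroupName $resourceGroupName
if (-not $existing) {
    $attempt = 0
    do {
        try {
            New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
                -ResourceGroupName $resourceGroupName | Out-Null
            $assigned = $true
        } catch {
            # A group created seconds ago may not have replicated yet; retry briefly.
            $attempt++
            if ($attempt -ge 6) { throw }
            Start-Sleep -Seconds 10
            $assigned = $false
        }
    } until ($assigned)
}

# 5. Verify like the portal's Check access tab: list what the user holds at this
#    scope, expanding group memberships so the inherited assignment is visible.
Get-AzRoleAssignment -SignInName $upn -ResourceGroupName $resourceGroupName `
    -ExpandPrincipalGroups | Select-Object RoleDefinitionName, ObjectType, Scope

# 6. Clean-up when done practicing (uncomment). Deleting the resource group removes
#    the role assignment scoped to it, but the user and group remain until removed.
# Remove-AzResourceGroup -Name $resourceGroupName -Force
# Remove-AzADGroup -ObjectId $group.Id
# Remove-AzADUser -ObjectId $user.Id
```

Two points worth noting from the script: the role is assigned at resource-group scope rather than at the subscription, which keeps the group’s reach limited to the resources it needs, and the verification step uses `-ExpandPrincipalGroups`, because a plain `Get-AzRoleAssignment -SignInName` would show nothing for Jan V, since the assignment belongs to the group, not the user.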
Conclusion: In this blog, we created a user and added the user to a group using the Azure portal, Powershell, and CLI. We assigned the built-in Virtual Machine Contributor role, which allows creating and managing virtual machines, to the Business Analyst group, and I verified that the user “Jan V” has the role through that group. Hence, using RBAC, we can control who has access to our resources and what they can do with those resources.
💎Thanks for taking the time to read my blog. Stay tuned for the next blog to learn about Azure Security hands-on.