AZ-204 Microsoft Azure Developer Associate – Implement Azure Security part 4
- AZ-203/ 204 – Role Based Access Control
Hi and welcome back. Now in this chapter, I want to explain the benefit of a concept known as role-based access control (RBAC). Role-based access control allows you to give fine-grained permissions over resources in Azure. Just to give you an example, here we have a virtual machine defined on the Azure platform. Remember that in Azure you can define users as per your organization structure, so you have multiple users defined in Azure. These users could belong to your IT department or to some other department, and they would be using services on the Azure platform in one way or the other. For those users, you may want to assign some sort of permissions for the resources in Azure.
For example, let’s say for a group of users you want them to have access to the virtual machine, but you don’t want them to be able to stop the virtual machine, or maybe you don’t want them to be able to delete it. Currently our login is the global admin (and, because it created the subscription, it also holds the Owner role on it), which is why we have all the permissions for this virtual machine. But if another user logs into our subscription, they should not have the ability to stop or delete the virtual machine. Maybe they can just view the status of the virtual machine, or log into it and perform some installation, but that’s it: they are not allowed to stop or delete it.
There might be a workload running on this virtual machine, which is why nobody should stop or delete it without prior authorization. Using role-based access control, you can have this fine-grained control over resources on the Azure platform, and that is the key benefit of role-based access control. If you go to Access control (IAM) for a particular resource, this is where you can add a role assignment. So you can add role assignments to your resources in Azure. Please note that you can add role assignments at the resource level, and if you go to Resource groups and open any resource group, you can add access control at the resource group level as well.
If you add the permissions at the resource group level, those same permissions are inherited by the resources that are part of that resource group. So if you want to give permissions to a set of resources in a resource group, you assign them in the resource group’s access control. Apart from the resource group and resource level, let me go to Cost Management + Billing and then to my subscription. In the subscription itself, again, you have Access control, so you can apply access control at the subscription level as well. That means the permissions trickle down to the resource groups in the subscription, and again down to the resources that are part of each resource group.
So if you want to apply permissions across the entire subscription, you do it here. If you want to assign them at a resource group level, you can do that, and if you want to drill down to a single resource, you can do that as well. That is role-based access control in outline. Let’s move on to the next chapter, where I’ll go a little more in depth into role-based access control, and then we’ll look at a lab on the same. So this marks the end of this chapter.
- AZ-203/ 204 – Lab – Role Based Access Control
Hi and welcome back. In this lab we are going to look at implementing role-based access control. But before we implement it, I thought we’d first have a look at the documentation page that lists the built-in roles for Azure resources. This page is very important from the perspective of all the Azure exams. On this page you will see the different built-in roles that are available for Azure resources. The three common roles are Owner, Contributor and Reader. If you give the Owner role, you can see that it lets you manage everything, including access to resources. The Contributor role lets you manage everything except access to resources.
A very important fact: the Contributor role lets you manage everything except access to resources, so a Contributor cannot create or remove role assignments. That is the key difference between the Contributor and the Owner role. And then finally you have the Reader role, which only allows viewing. Apart from those, you have roles that are specific to the various services on the Azure platform. For example, if I scroll down to Storage Account Contributor, this permits the management of storage accounts. You also have roles that are based on the services within a storage account. Let me open the Storage Account Contributor role, where you can see the description of the role itself.
In the role definition you have the description, the ID, and the Actions that are permitted as part of this role. If you assign this role to a user or a group in Azure, these are the operations the user will be allowed to perform. For example, look at the storage accounts entry: it is Microsoft.Storage/storageAccounts/*, and the star means that all operations under storage accounts are allowed as part of this role. Now look at another action, Microsoft.Authorization/*/read. Here the star covers every resource type under Microsoft.Authorization, but only the read operation is granted, not write or delete.
So with this role we can’t do anything under Microsoft.Authorization except read it, which is what stops a Storage Account Contributor from changing role assignments. This gives you a good idea of the permissions a particular built-in role in Azure allows. Now look at another role, Storage Blob Data Contributor. Here you also have DataActions. These are the operations allowed on the data stored in a storage container, such as reading and writing blobs, as opposed to Actions, which cover management of the storage account itself. So this is very important for all the exams: the built-in roles that are available on the Azure platform. Now let’s go back to the Azure portal.
To implement role-based access control, we are first going to create a user in Azure Active Directory so that we can apply role-based access to that user. Azure Active Directory is your identity store on the Azure platform, and much more than that. If I go to Users, I already have a set of users defined in my directory. Remember that in any organization you will not use your admin account for day-to-day activities. You’ll be creating users in Azure AD and giving them the required roles to work with resources on the Azure platform. When I create a user, I’m going to create it as part of my default directory. So let me go back to Azure Active Directory; this is my default directory.
It is based on the email ID I used to create my Azure account, and this is the full directory name. I’m just going to copy this, go back to Users, and create a new user. Here I’ll enter the name of the user and the username. You can then show the password; this is the password that’s going to be allocated to the user. I’ll copy it to the clipboard and then create the user. So now the user is in place. Let’s go to All resources. Here you can see the resources defined in Azure: I have a storage account, a virtual machine and a virtual network. Now let’s say that I want to give this user permission to work with virtual machines.
The user should only be able to work with virtual machines and no other services on the Azure platform, and let’s say I only want to give access to this one virtual machine. So I’m giving it at the resource level. For that I can go to Access control (IAM) and add a role assignment. Remember, I’m adding a role assignment for this resource only. If you open the role list, these are all the roles I showed you in the Microsoft documentation. If you search for virtual machine, you’ll find Virtual Machine Contributor, which allows a user or a group of users to manage virtual machines on the Azure platform. Let me search for my new user, demo user.
Let me select that and click Save. So now we’ve assigned a role to this particular user. Once this is done, let me sign in as the new user. I’ll use another account, sign in, enter the password, and update the password when prompted. So I’m logged in as the demo user. If I go to the Virtual machines service, you can see that I have my virtual machine in place and I can view its details. This access is based on the Virtual Machine Contributor role. Now if I go to another service, Storage accounts, you can see that I can’t see the storage account we created earlier. Remember that in the dashboard, when we logged in as the account admin, we could see a storage account.
But here we can’t see the storage account, because we have not assigned this user any permissions on storage accounts. Even if we try to create a new storage account, you can see that I can’t even select a resource group, and if I click Create new to try to create a new resource group, it clearly says you don’t have permission to create resource groups. All of this is driven by role-based access control. Now let me log out and log back in as our account admin. What we’ve done so far is give permissions on the demo virtual machine under Access control. Let me go to Role assignments.
Here you can see all your role assignments. Let me remove this role assignment; this is how you remove an existing role assignment. Now let’s say that you want to give access at the resource group level. Go to Resource groups and open the Azure demo resource group. Let’s say you want to give access to all virtual machines in this particular resource group. Again, go to Access control, click Add, and add a role assignment. Again, choose the Virtual Machine Contributor role, choose the user, and click Save. Remember, I’m now adding the user at the resource group level, not at the resource level, so the user will have access to all the virtual machines defined in this resource group (and, because the role is now in scope for every resource in the group, the role’s other permissions, such as reading storage accounts and listing their keys, apply to the other resources there too).
If I go back to Virtual machines, open demo VM, go to Access control and then Role assignments, you can see that the Virtual Machine Contributor role is automatically there for this user, and the scope column shows that it has been inherited from the resource group. So you can add role-based access control not only at the resource level but also at the resource group level, and remember that you can also add it at the subscription level: go to All services, then Subscriptions, open your subscription and go to Access control. A role assignment added here applies to all the resource groups in the subscription and to the resources in them. This is how you work with role-based access control in Azure. This marks the end of this chapter.
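The two things this lab leans on, the Actions/NotActions/DataActions lists of a role definition and the way an assignment at a wider scope is inherited by everything beneath it, can be reproduced in a few dozen lines. The following is an added example, not code from the course and not Azure’s own authorization engine: it models the three built-in roles from the documentation walkthrough plus Virtual Machine Contributor, Storage Account Contributor and Storage Blob Data Contributor (all abridged to the entries that matter here), the two assignments made in the lab (resource scope, then resource group scope), and a hypothetical custom "VM Operator" role for the "view and log in but never stop or delete" requirement from the previous chapter. The subscription ID, resource names and user are assumptions. Deny assignments and ABAC conditions, which real Azure also evaluates, are not modelled.

```python
"""Toy model of Azure RBAC decisions: role definitions with Actions / NotActions /
DataActions, wildcard matching, and assignment scopes inherited from
subscription -> resource group -> resource.  Constructed example; the role
definitions are abridged copies of the built-in roles, the custom role and the
resource IDs are assumptions."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple = ()          # control-plane operations the role grants
    not_actions: tuple = ()      # subtracted from the Actions of *this* role only
    data_actions: tuple = ()     # data-plane operations (blob contents, queue messages)
    not_data_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str   # resource ID of a subscription, resource group or resource


ROLES = {r.name: r for r in (
    RoleDefinition("Owner", actions=("*",)),
    # "manage everything except access": Authorization writes are carved out
    RoleDefinition("Contributor", actions=("*",), not_actions=(
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action")),
    RoleDefinition("Reader", actions=("*/read",)),
    RoleDefinition("Virtual Machine Contributor", actions=(  # abridged
        "Microsoft.Authorization/*/read", "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action")),
    RoleDefinition("Storage Account Contributor", actions=(  # abridged
        "Microsoft.Authorization/*/read", "Microsoft.Storage/storageAccounts/*")),
    RoleDefinition("Storage Blob Data Contributor", actions=(  # abridged
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"),
        data_actions=(
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete")),
    # Hypothetical custom role (not built in): everything on VMs except stop/delete.
    RoleDefinition("VM Operator (custom)", actions=("Microsoft.Compute/virtualMachines/*",),
        not_actions=("Microsoft.Compute/virtualMachines/powerOff/action",
                     "Microsoft.Compute/virtualMachines/deallocate/action",
                     "Microsoft.Compute/virtualMachines/delete")),
)}


def _matches(pattern: str, operation: str) -> bool:
    """Action strings are case-insensitive and '*' matches across '/' segments."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def _covers(assignment_scope: str, target: str) -> bool:
    """An assignment applies at its own scope and to everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(principal, operation, scope, assignments, data=False) -> bool:
    """Union over all in-scope assignments; NotActions only trim their own role."""
    for asg in assignments:
        if asg.principal.lower() != principal.lower() or not _covers(asg.scope, scope):
            continue
        role = ROLES[asg.role]
        grant, deny = ((role.data_actions, role.not_data_actions) if data
                       else (role.actions, role.not_actions))
        if (any(_matches(p, operation) for p in grant)
                and not any(_matches(p, operation) for p in deny)):
            return True
    return False


def effective_roles(principal, scope, assignments):
    """(role, assignment scope, inherited?) as the Role assignments blade lists them."""
    return [(a.role, a.scope, a.scope.lower() != scope.lower())
            for a in assignments
            if a.principal.lower() == principal.lower() and _covers(a.scope, scope)]


# Assumed resource IDs mirroring the lab: one group holding a VM and a storage account.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/azure-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/demovm"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/demostorage"
DEMO = "demouser@example.onmicrosoft.com"

STEP1 = [RoleAssignment(DEMO, "Virtual Machine Contributor", VM)]   # resource scope
STEP2 = [RoleAssignment(DEMO, "Virtual Machine Contributor", RG)]   # resource-group scope

if __name__ == "__main__":
    print(is_allowed(DEMO, "Microsoft.Compute/virtualMachines/deallocate/action", VM, STEP1))  # True
    print(is_allowed(DEMO, "Microsoft.Storage/storageAccounts/read", SA, STEP1))              # False
    print(is_allowed(DEMO, "Microsoft.Storage/storageAccounts/read", SA, STEP2))              # True
    print(effective_roles(DEMO, VM, STEP2))   # inherited from the resource group
```

Two things the model makes visible that the portal does not: Virtual Machine Contributor does permit stopping and deleting a VM, so the previous chapter’s requirement needs Reader or a custom role with those operations in NotActions; and the step 2 assignment denies the storage account read only because of scope in step 1, not because of the role, so moving the assignment up to the resource group also exposes the storage account to the read and listKeys actions the role carries.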
- AZ-203 – Lab – Multi-Factor Authentication
Hi and welcome back. In this lab, let’s look at multi-factor authentication. Multi-factor authentication is used to secure the login process: in addition to the password, users are asked for an additional verification method, which makes the login more secure. I think most of us are already used to multi-factor authentication, even with banks. If you’re doing online banking and you make a particular transaction, it will always ask you for at least one more authentication method. This could be a code sent to your mobile phone, or an application on your mobile phone that is registered with the bank.
The default authentication methods available for multi-factor authentication, apart from the password, are the Microsoft Authenticator app, SMS and a voice call. Let’s go ahead and see how we can enable multi-factor authentication. Here we are in Azure. If I go to Azure Active Directory, I have my users, which are part of my Azure Active Directory tenant. Over here there is a setting for MFA, that’s multi-factor authentication. Let me go to additional cloud-based MFA settings and log in. If I go to Users over here, I can see all my users. What you can do is enable multi-factor authentication on a user-by-user basis. Let’s say I want to enable multi-factor authentication for this user.
I’ll choose the user, click Enable, and confirm that I want to enable multi-factor authentication. Now multi-factor authentication is enabled for the selected account. If I go to the service settings, you can see the verification methods that are available to users. Let me try to log in as that user. First I’ll sign out, then log in as the dave user and click Next. Now I’m entering the password; that’s the first level of authentication. But now it’s saying that more information is required to keep the account secure. Let’s click Next. Now it’s asking what additional security verification we want for this user. For step one, I’ll choose the authentication method as a phone number, and the method as sending a code by text message.
Click Next. I’ve received a code on my mobile, so let me enter that and click Verify. So that’s done. It’s also giving us an app password, which you can use for existing applications that don’t support modern authentication and therefore cannot prompt for the second factor. I’ll click Done, and now I can sign in to my account. Each time I sign in from now on, I will be prompted for multi-factor authentication. So this is one way of enabling multi-factor authentication. Let’s move on to the next chapter, where we look at another way to enable multi-factor authentication for users.