I need to give a colleague access to a development azure portal so that he can learn how to create web bots. As he has no experience of azure, I dont want to through him in the deep end, so would rather use RBACs, but I cant quite see what roles would be best to apply. I had been thinking about creating a resource group and then scoping the 'contributor' role assignment to the group, but would like to try to find a more granular approach where the type of resources the user can create are restricted eg excluding VMs and SQL server?
When you deploy a bot, typically these resources are created in the Azure portal:
Resources
Web App
App Service
App Service plan
Application Insights
Storage account
If you wanted to get really granular, you could make your colleague these built-in roles as these are the typical services deployed with a bot:
Web Plan Contributor
Website Contributor
Storage Account Contributor
Application Insights Component Contributor
Another approach would be to go the Resource Group route and assign a policy to audit the creation of services so you can give your college more room to test
Related
I am currently trying to work out a concept for a roles and rights concept. Azure RBAC already has a few built-in roles but I am trying to create a few more custom roles. Are custom roles directly linked to the RBAC? And does anyone have any suggestions which roles I should definitely add? I'm not familiar with all applications in Azure at the moment since i have only been working with azure for a few weeks, so I would appreciate some suggestions. I am also trying to understand the hierarchy and structure behind Azure RBAC.
If anyone has worked out such a concept themselves or works a lot with azure rbac, feel free to share your experiences or results!
Azure role-based access control (Azure RBAC) helps manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Create your own custom roles. Just like built-in roles, assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
I am creating an API client for Azure Compute. I want the ability to start/stop/restart my Azure virtual machines.
In the past when I've created apps using the Graph API, I created a new app registration and then gave the app permissions for the actions I wanted under 'Microsoft Graph API' permissions list.
However, I cannot find Azure Compute listed in the available Microsoft APIs. I'm confused as to what I need to do in order to get API permissions for Azure compute as opposed to some of the other APIs.
I've spent the morning searching for tutorials or example implementations to look through, but combinations of Azure/Compute/API/permissions/etc... don't seem to ever come up with the results that I'm looking for.
Has anyone done something like this? Is it possible to use application permissions for Azure compute or is it entirely separate? Will it require a service account instead?
However, I cannot find Azure Compute listed in the available Microsoft
APIs. I'm confused as to what I need to do in order to get API
permissions for Azure compute as opposed to some of the other APIs.
The API you're looking for is Azure Service Management.
Once you add this delegated permission, you will be able to perform operations on your Virtual Machines provided your Service Principal is assigned an appropriate role (Virtual Machine Contributor, for example) in an Azure Subscription.
You can assign the App an RBAC role as though it were a user that you were giving permission to restart VMs. For example, you could go to the resource group that contains the VM, then go to Access Control (IAM) -> Add Role Assignment -> Add the app registration to the Contributor role.
We are developing applications in .Net and deploying them to Azure app services. We currently have a multi-tier environment (QA/STG/PROD). In order to replicate the same environments we are using slots. However, the issue with slots is all developers who has access to QA slot are able to view/modify STG / PROD slot settings. We want to segregate this with authorization where-in users should only be able to publish apps on QA. Should we still use slots or we go with separate web apps?
As suggested in one of the comments you can use RBAC (Role Based Access Control) to control the user permissions on the web app/slots.
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can’t grant access to others.
Reader can view existing Azure resources.
So, you could add the developers as a READER to the webapp and as a CONTRIBUTOR to one of the slots. This will prevent the web app changes
Further, you can customize the RBAC to suit your requirements.
You can create a role with custom
Refer this article:
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
You can go with slots. Each slot creates a separate URL and you could control access to the slots by Authenticating using AD.
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
I have several App Services, and storage accounts set up in Azure. We have a Resource Group, which is a handy way to bundle together all the services and storage - for example, for tracking billing (other teams use the same subscription).
Now, I want to add a new Cloud Service, and have it included in the Resource Group. But then I see the Cloud Service listed at the same level as Resource Groups, which makes no sense.
Is it possible to include Cloud Services inside a Resource Groups, along with our App Services - and if not, what's the rationale?
Currently azure cloud services( web roles and worker roles) are not part of the Azure resource manager feature. Hence you cannot add a cloud service to a resource group. This is a requested feature in the azure feedback portal. You can go add your comments and cast your vote.
https://feedback.azure.com/forums/169386-cloud-services-web-and-worker-role/suggestions/7899432-add-cloud-services-as-an-available-resource-when-w
I need to assign publish permission to one of my developers so that he should be able to publish to only one cloud service & do not affect others.
Azure websites have these concepts called download publishing profile.
I could not find anything similar for cloud service. Can it be
achieved?
As you know Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2)
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC) however currently cloud services can't be added in resource groups and assigned RBAC.
One way you could achieve this is have a custom application consuming Service Management API and implement your own RBAC in that application. However it is still a "hack" and not proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.