How to create an Azure custom role - azure

I am looking for someone who's created a custom role in Azure for Network Administrators, that would be willing to share their handiwork. Why re-invent the wheel?
Thanks,
Rick

You can create a custom role like this:
# Start from a built-in role and turn the copy into a new custom definition
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                      # a null Id makes New-AzureRmRoleDefinition create rather than update
$role.IsCustom = $true                # the copied built-in definition carries IsCustom = $false
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."
# Drop the inherited Actions and grant only read plus start/restart
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
$role.Actions.Add("Microsoft.Support/*")
# The role can only be assigned inside these subscriptions
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e")
$role.AssignableScopes.Add("/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624")
New-AzureRmRoleDefinition -Role $role
It starts with an already existing role and then adds read permissions to compute, storage, etc.
Have a look at link for more information on how to create and configure custom roles.
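The question asked for a network-administrator role rather than the VM-operator one shown in the answer. The following is an added example (not from the answer or from Microsoft's documentation) that builds such a role with the current Az module, creates or updates it idempotently, and checks what was stored. The permission set, the carve-outs in NotActions, the role name and the bare-wildcard check are assumptions to adapt to your own policy.

```powershell
# Added example: least-privilege "Network Administrator" custom role with Az.
# Assumptions (not from the page): permission set, NotActions carve-outs, names.
#Requires -Modules Az.Accounts, Az.Resources
param(
    [string]$SubscriptionId = (Get-AzContext).Subscription.Id,
    [string]$RoleName       = 'Network Administrator (custom)'
)

$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name        = $RoleName
$role.Description = 'Manage networking resources; cannot delete Bastion hosts or private DNS zones.'
$role.IsCustom    = $true

# Management-plane actions. The wildcard stays inside the Network provider; the
# other entries are what a person needs to browse the portal, run template
# deployments, read role assignments and open support cases.
$role.Actions = @(
    'Microsoft.Network/*',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Resources/deployments/*',
    'Microsoft.Authorization/*/read',
    'Microsoft.Insights/alertRules/*',
    'Microsoft.Insights/diagnosticSettings/*',
    'Microsoft.Support/*'
)
# NotActions subtract from Actions (they are not a deny). Assumed carve-outs:
$role.NotActions = @(
    'Microsoft.Network/bastionHosts/delete',
    'Microsoft.Network/privateDnsZones/delete'
)
$role.AssignableScopes = @("/subscriptions/$SubscriptionId")

# New-AzRoleDefinition fails if the name is already taken, so look it up first
# and switch to Set-AzRoleDefinition, which needs the existing Id.
$existing = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if ($existing) {
    $role.Id = $existing.Id
    $result = Set-AzRoleDefinition -Role $role
} else {
    $result = New-AzRoleDefinition -Role $role
}

# Verify what Azure actually stored, and flag a bare '*' or an entry that is
# not a provider-qualified operation (assumed convention: Microsoft.* only).
$stored   = Get-AzRoleDefinition -Name $RoleName
$tooBroad = $stored.Actions | Where-Object { $_ -eq '*' -or $_ -notlike 'Microsoft.*' }
if ($tooBroad) {
    Write-Warning "Over-broad Actions in '$RoleName': $($tooBroad -join ', ')"
}
$stored | Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes
```

Run it in a session that already has `Connect-AzAccount` done and the target subscription selected; rerunning it updates the role in place instead of failing on a duplicate name.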

Related

Azure Bastion: Allow invited user to login to Azure VM and unable to login

I have created an Azure VM in a VNet. The VM has no public IP, so the only way to log in is through Azure Bastion Host.
I have invited an external user and provided them the "Virtual Machine user login" access for the VM.
When the user tries connecting to the VM using Bastion, no field is displayed on the Bastion page.
Can anyone please help me to understand what can be the possible reason for this? Also, what permission do I need to give the user to successfully log in to the VM using Bastion Host?
I have followed these steps as well:
Provide the "Virtual Machine User Login" role to the invited user for the Virtual Machine.
Provide the "Virtual Machine User Login" role to the invited user for the Network Interface Card (NIC) used with the Virtual Machine.
Provide the "Reader" role to the invited user for the Azure Bastion Host used to connect to the Virtual Machine.
Please let me know if there is any issue with the steps, or how I should troubleshoot it.
Along with the assigned role, make sure to add the roles below for the invited user:
Grant the Contributor role on your resource group where the VM is present.
Grant the Reader role on the resource group where Bastion is present.
To connect to the Windows VM, make sure the inbound port RDP (3389) is open, and try to connect through the Bastion host.
If still no field is displayed on the Bastion page, try creating an Azure AD group, adding the user to that group, and adding the role assignment to that group, like below.
# Create a security group (AzureAD module) and add the invited user to it
New-AzureADGroup -DisplayName "<name>" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
Add-AzureADGroupMember -ObjectId <Groupobjectid> -RefObjectId <userobjectid>
Now grant the Virtual Machine User Login and Reader role assignments to that group, which makes the connection successful.
You can make use of below PowerShell commands to assign the required role.
# Look up the group (AzureAD module) and assign the roles with the Az module
$group = Get-AzureADGroup -SearchString "<your group display name here>"
# Login role at subscription scope (broad; can be narrowed to the VM's resource ID)
New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName "Virtual Machine User Login" -Scope /subscriptions/<your subscription id here>
# Reader on the resource group that holds the Bastion host
New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName "Reader" -ResourceGroupName "<your Azure Bastion resource group name here>"
Reference:
Azure Bastion: Set the minimum required roles to access a virtual machine, credits to Wim Matthyssen

Azure PIM for VM Admin Role

I am new to Azure PIM and exploring its capabilities.
I have a use case in hand wherein I need to make the VM Admin role requestable via PIM. I am trying to build a custom role so that I can attach a single VM in the role as part of scope but am unable to do so. All the VMs that are present in the subscription/resource group are getting attached to the role which is not the requirement.
So, in short, is it possible to create a custom role with the scope defined for a single VM only, even though there are multiple VMs in the subscription and/or resource group?
Yes. You could do that with Az PowerShell cmdlet New-AzRoleDefinition.
Please refer to second example here. (Modify $subs = '/subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}')
# Build the custom role from scratch with the Az module
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Virtual Machine Operator 2'
$role.Description = 'Can monitor and restart virtual machines.'
$role.IsCustom = $true
# Read access across storage/network/compute plus start/restart on VMs
$perms = 'Microsoft.Storage/*/read','Microsoft.Network/*/read','Microsoft.Compute/*/read'
$perms += 'Microsoft.Compute/virtualMachines/start/action','Microsoft.Compute/virtualMachines/restart/action'
$perms += 'Microsoft.Authorization/*/read'
$perms += 'Microsoft.ResourceHealth/availabilityStatuses/read'
$perms += 'Microsoft.Resources/subscriptions/resourceGroups/read'
$perms += 'Microsoft.Insights/alertRules/*','Microsoft.Support/*'
$role.Actions = $perms
# Reuse the built-in role's NotActions (they subtract from Actions; not a deny)
$role.NotActions = (Get-AzRoleDefinition -Name 'Virtual Machine Contributor').NotActions
# Assignable at exactly one VM; the assignment scope below must match this
$subs = '/subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}'
$role.AssignableScopes = $subs
New-AzRoleDefinition -Role $role
Then you can assign this custom role to users in Azure Portal -> this VM -> Access control (IAM).
You can also use cmdlet New-AzRoleAssignment to assign the role.
New-AzRoleAssignment -ObjectId {objectID of the user} -RoleDefinitionName 'Virtual Machine Operator 2' -Scope /subscriptions/{subscription_id}/resourceGroups/{resourceGroup_name}/providers/Microsoft.Compute/virtualMachines/{VM_name}
Make sure the value of -Scope here is the same as AssignableScopes in the first script.
BTW:
In fact, I don't think it's necessary to attach a single VM to the role as part of its scope.
When you assign the role to a user, you need to specify the scope, as shown in the second script above. You can create the custom role with all the VMs that are present in the subscription/resource group attached. When you assign the role, you specify only one particular VM as the scope. Then the user can only manage this VM, but not any other VMs.
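The Bastion answer above assigns the login role at subscription scope, and the PIM answer's point is that the assignment scope, not the role definition, is what confines a user to one VM. The following added example (not from either answer) puts both together: it grants a group the Bastion login roles and the PIM answer's custom role at resource scope only, skips assignments that already exist, and then checks that nothing for the group sits at subscription or resource-group scope. The resource names, the group name and the `Grant-IfMissing` helper are assumptions.

```powershell
# Added example: resource-scoped assignments for one VM reachable through
# Bastion, plus a check for over-broad assignments. Names are assumptions.
#Requires -Modules Az.Accounts, Az.Resources, Az.Compute, Az.Network
param(
    [string]$GroupDisplayName     = 'vm-operators-finance',
    [string]$VmResourceGroup      = 'rg-finance-prod',
    [string]$VmName               = 'vm-finance-01',
    [string]$BastionResourceGroup = 'rg-hub-network',
    [string]$BastionName          = 'bas-hub',
    [string]$OperatorRole         = 'Virtual Machine Operator 2'   # custom role from the PIM answer
)

$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) { throw "Group '$GroupDisplayName' not found" }

# Resolve exact resource IDs; these become the -Scope values.
$vm      = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
$nicIds  = $vm.NetworkProfile.NetworkInterfaces.Id
$bastion = Get-AzBastion -ResourceGroupName $BastionResourceGroup -Name $BastionName

function Grant-IfMissing {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    # New-AzRoleAssignment errors on duplicates, so check first. Get-AzRoleAssignment
    # -Scope also returns assignments inherited from above, hence the exact filter.
    $have = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope |
            Where-Object { $_.Scope -eq $Scope }
    if ($have) { return $have }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope
}

# 1. Who may log in: built-in 'Virtual Machine User Login' on the VM and its NIC(s),
#    matching steps 1 and 2 of the Bastion question.
Grant-IfMissing -ObjectId $group.Id -RoleName 'Virtual Machine User Login' -Scope $vm.Id
foreach ($nicId in $nicIds) {
    Grant-IfMissing -ObjectId $group.Id -RoleName 'Virtual Machine User Login' -Scope $nicId
}
# 2. Who may use the Bastion host: Reader on the Bastion resource itself (step 3
#    of the question), not on its whole resource group.
Grant-IfMissing -ObjectId $group.Id -RoleName 'Reader' -Scope $bastion.Id
# 3. Start/restart: the custom role, assigned at this one VM only.
Grant-IfMissing -ObjectId $group.Id -RoleName $OperatorRole -Scope $vm.Id

# Check: no assignment for the group at subscription or resource-group scope.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$broad = Get-AzRoleAssignment -ObjectId $group.Id |
         Where-Object { $_.Scope -eq $subScope -or
                        $_.Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$' }
if ($broad) {
    Write-Warning ("Over-broad assignments for $GroupDisplayName:`n" +
                   ($broad | Format-Table RoleDefinitionName, Scope -AutoSize | Out-String))
}
Get-AzRoleAssignment -ObjectId $group.Id | Select-Object RoleDefinitionName, Scope
```

If the custom role's AssignableScopes is the single VM (as in the PIM answer's first script), step 3 succeeds only when `$vm.Id` equals that scope exactly; otherwise New-AzRoleAssignment rejects the assignment.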

Least Privilege Role to start/stop VM in Azure

Is there any standard role that gives privileges to start/stop Virtual Machines in an Azure resource group without also giving creation privileges or privileges to modify existing resources? I didn't find one in the documentation; is the only solution to create custom roles?
Yes, the only solution is to create a custom role; sample PowerShell:
$subs = Get-AzureRmSubscription
# Resource start\stop role
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Resource Start/Stop (Scheduled)"
$role.Description = "Can read\start\stop VMs"
$role.Actions.Clear()
# deallocate = stop and release the compute; a stop that keeps the VM
# allocated (and billed) is Microsoft.Compute/virtualMachines/powerOff/action
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
# Make the role assignable in every subscription the current account can see
$role.AssignableScopes.Clear()
$subs | ForEach-Object {
    $scope = "/subscriptions/{0}" -f $_.Id
    $role.AssignableScopes.Add($scope)
}
$def = New-AzureRmRoleDefinition -Role $role
You can remove the restart action if you don't need to restart VMs.
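Before assigning a role like the one above, it is worth checking offline exactly which operations its Actions and NotActions permit, because wildcards in Azure RBAC span path segments (`Microsoft.Compute/*` covers `Microsoft.Compute/virtualMachines/runCommand/action`). The following added example (not from the answer) implements that evaluation with PowerShell's `-like`, whose `*` has the same any-characters-including-slash behaviour and is case-insensitive; it then probes the answer's start/stop role and a deliberately broad contrast role. The function names, the contrast role and the probe list are assumptions.

```powershell
# Added example: offline evaluation of a role definition's Actions/NotActions.
# Assumptions (not from the page): function names, contrast role, probe list.

function Test-RoleAllows {
    param(
        [Parameter(Mandatory)] [hashtable]$Role,    # keys: Actions, NotActions
        [Parameter(Mandatory)] [string]$Operation   # e.g. Microsoft.Compute/virtualMachines/write
    )
    # '*' in an Azure action matches any run of characters, '/' included, just
    # like -like. NotActions only subtract from this role's Actions; they are
    # not a deny and cannot block a grant made by a different assignment.
    $granted = @($Role.Actions)    | Where-Object { $Operation -like $_ }
    $removed = @($Role.NotActions) | Where-Object { $Operation -like $_ }
    return ([bool]$granted -and -not [bool]$removed)
}

function Get-OverBroadActions {
    param([Parameter(Mandatory)] [hashtable]$Role)
    # Entries that hand out everything ('*') or a whole provider ('Microsoft.Compute/*').
    @($Role.Actions) | Where-Object { $_ -eq '*' -or $_ -match '^[^/]+/\*$' }
}

# The start/stop role from the answer above, as data.
$startStop = @{
    Actions = @(
        'Microsoft.Compute/virtualMachines/deallocate/action',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Compute/virtualMachines/start/action'
    )
    NotActions = @()
}
# Contrast role (constructed, simplified): a provider-wide wildcard.
$broadRole = @{
    Actions    = @('Microsoft.Compute/*', 'Microsoft.Network/*/read')
    NotActions = @('Microsoft.Compute/virtualMachines/delete')
}

$probes = @(
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',    # stop without deallocate
    'Microsoft.Compute/virtualMachines/write',              # create or modify
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/runCommand/action'   # code execution in the guest
)
$probes | ForEach-Object {
    [pscustomobject]@{
        Operation = $_
        StartStop = Test-RoleAllows -Role $startStop -Operation $_
        Broad     = Test-RoleAllows -Role $broadRole -Operation $_
    }
} | Format-Table -AutoSize

"Over-broad entries in the contrast role: $((Get-OverBroadActions -Role $broadRole) -join ', ')"
```

For the start/stop role the table shows True only for start and deallocate; the broad role returns True for everything except delete, which its NotActions subtract, and `Get-OverBroadActions` reports `Microsoft.Compute/*`. Feed a real definition in with `Get-AzRoleDefinition -Name ... | Select-Object Actions, NotActions` converted to a hashtable to run the same probes against what is deployed.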

How to find out reference object id of an azure virtual machine?

I am trying to automate the addition of azure virtual machines to azure ad security groups.
Add-AzureADGroupMember -ObjectId -RefObjectId
I am trying to find out the input for the parameter -RefObjectId, but no luck.
Is there a way to find out the reference object ID of an Azure virtual machine?
You need to enable MSI for the VM, then it will generate a service principal, I suppose you want to add the service principal of the VM to the AAD security group.
Follow the doc to enable MSI, then navigate to your VM -> Identity, you will see the Object ID, that is the property you need to pass to -RefObjectId.
@Joy Wang
Thanks, that worked. Apparently I did not automate the identity on the machines. I modified the ARM script to turn the identity on, and I took the ID from the output of
Get-AzureADServicePrincipal -SearchString "vmname"

Programmatically assign azure resource A a contributor role to Azure resource B

I want to programmatically give an Azure VM a Contributor role so it can modify things in other resources such as route tables and storage accounts.
https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/howto-assign-access-cli
The above MSFT doc explains how one can give an MSI-enabled VM a Contributor role on an Azure Storage Account using Azure CLI. Can someone achieve the same using the Azure Python SDK instead of Azure CLI? Is it possible to achieve the same purpose without enabling MSI?
If you create a Service Principal for your VM and somehow push the credentials onto the VM, you can avoid MSI. But MSI was created on purpose to avoid that, since it's not really a simple process nor safe to push credentials inside a VM.
To assign a role to an Active Directory ID (whether using MSI or a dedicated Service Principal), you can use this code to assign the role (using the azure-mgmt-authorization package).
https://github.com/Azure-Samples/compute-python-msi-vm#role-assignement-to-the-msi-credentials
import uuid

# authorization_client is an AuthorizationManagementClient and resource_group a
# ResourceGroup object, both created earlier as in the linked sample.

# Get "Contributor" built-in role as a RoleDefinition object
role_name = 'Contributor'
roles = list(authorization_client.role_definitions.list(
    resource_group.id,                          # scope to search for the definition
    filter="roleName eq '{}'".format(role_name)
))
assert len(roles) == 1
contributor_role = roles[0]

# Add RG scope to the AD id
# This assumes "sp_id" is either a MSI id or a SP id
# (pass a single resource's id instead of resource_group.id to limit the grant to that resource)
role_assignment = authorization_client.role_assignments.create(
    resource_group.id,                          # scope of the assignment
    uuid.uuid4(),                               # Role assignment random name
    {
        'role_definition_id': contributor_role.id,
        'principal_id': sp_id
    }
)
Then this AD id will be able to act only on that role and nothing more.
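The two answers above leave the operational steps implicit: switching the system-assigned identity on, waiting until Azure AD can resolve the new principal, and picking an assignment scope. The following added example (not from either answer, and in PowerShell rather than the Python SDK for consistency with the rest of the page) enables the identity on a VM, reads the principal ID that `-RefObjectId`/`-ObjectId` expect, adds it to a security group, and grants a role on one storage account rather than the whole resource group. The resource and group names are assumptions, as is the choice of `Storage Blob Data Contributor` instead of Contributor.

```powershell
# Added example: enable a VM's system-assigned identity, add it to a group, and
# assign a role at storage-account scope. Names and role choice are assumptions.
#Requires -Modules Az.Accounts, Az.Resources, Az.Compute, Az.Storage
param(
    [string]$ResourceGroup    = 'rg-app-prod',
    [string]$VmName           = 'vm-app-01',
    [string]$StorageAccount   = 'stappprod01',
    [string]$GroupDisplayName = 'vm-identities-app',
    [string]$RoleName         = 'Storage Blob Data Contributor'
)

# 1. Enable the system-assigned identity if it is not already on.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch 'SystemAssigned') {
    $null = Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm -IdentityType SystemAssigned
    $vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
}
$principalId = $vm.Identity.PrincipalId    # the object ID of the VM's service principal

# 2. Propagation: the principal can take a little while to become resolvable in
#    Azure AD, and role assignment fails with PrincipalNotFound until it is.
$sp = $null
for ($i = 0; $i -lt 12 -and -not $sp; $i++) {
    $sp = Get-AzADServicePrincipal -ObjectId $principalId -ErrorAction SilentlyContinue
    if (-not $sp) { Start-Sleep -Seconds 5 }
}
if (-not $sp) { throw "Managed identity $principalId is not visible in Azure AD yet" }

# 3. Group membership (what the MSI question wanted to automate).
$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) { throw "Group '$GroupDisplayName' not found" }
$member = Get-AzADGroupMember -GroupObjectId $group.Id | Where-Object { $_.Id -eq $principalId }
if (-not $member) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $principalId
}

# 4. Role assignment on the storage account only; Get-AzRoleAssignment -Scope
#    also lists inherited assignments, so filter to the exact scope first.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $sa.Id |
            Where-Object { $_.Scope -eq $sa.Id }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $sa.Id
}

# 5. Effective assignments for the identity, direct and inherited.
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

Code running on the VM then obtains tokens from the instance metadata endpoint with no stored credential, which is the point the second answer makes about preferring MSI over a pushed service-principal secret.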
