Access Management is an important factor in controlling who can access a resource on Azure. After you create a resource, you assign permissions according to the assignment level or the policies you have granted to a user or group in Azure AD. This lets you restrict which people in the same Azure AD tenant can reach the Azure resources in your subscription. Access Management on Azure is controlled through Access Control (IAM).
Access Control on Azure has the following components that you should understand before you configure it.
- Creating Users on Azure AD
- Assigning Users towards Groups
- Adding policies towards groups over a role assignment
Heads up on Users and Groups:
User – A user is an individual identity in Azure AD. You can also assign roles to users who belong to other tenants.
Groups – A number of users tagged to the same role policy can be collected into a group. The users you place in one group are expected to need similar roles.
Now follow the steps below to create a user in Azure AD, add roles and policies to a group, and see Role Based Access Control in action.
Step 1 : Log into your Azure Subscription > Click on Azure Active Directory.
Step 2 : Click on Users.
Step 3 : Click on New User.
Step 4 : Enter the details.
Step 5 : Choose the Type of Role for User, here we choose “User”.
Step 6 : You can also choose “Limited User” role.
Step 7 : Click Create.
Step 8 : Once the user is created, Click All Users > Click US (the initials of the user you created).
Step 9 : Once your User blade opens > Click Groups.
Step 10 : Click Add.
Step 11 : Type the name of the Group in which you want to add the User, or choose it from the list, here “Demo” > Click Select.
Step 12 : Viewing the Added Group.
Step 13 : Go to Dashboard > Click Resource Groups > Select Resource Group containing some resources, here “myrg” > Click Access Control (IAM).
Step 14 : You can view the list of Roles Assigned to various Users and Service Principals within the Resource Group > Click Add.
Step 15 : In Add Select Add role assignment.
Step 16 : Select a role from the list (you can hover the mouse pointer over the “i” next to each role to see a brief description of what the role can and cannot do).
Step 17 : Select the type of principal to which you want to grant access, here “Azure AD user, group or service principal”.
Step 18 : Type the name of the user you created, here “user1” > Select user1.
Step 19 : Once you have selected the user > Click Save.
Step 20 : Go to Dashboard > Click Resource Groups > You will see only one Resource Group, here “myrg”, because only this one is assigned to the user with the Reader role > Click the Resource Group name, here myrg.
Step 21 : From the List of Resources > Select the resource, here “Ostorageq63fwkmmbi6uc”.
Step 22 : Click Delete > Here we will show that, since “user1” holds only the “Reader” role within the Resource Group “myrg”, the user won’t be able to make any changes to its resources.
Step 23 : Type the resource name in the column given and click Delete.
Step 24 : Once you click Delete you will get an error message showing that you don’t have sufficient authorization to perform this task.
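The outcome of Steps 20 to 24 follows from how Azure RBAC evaluates an operation: a role assignment applies at its scope and every child scope, and the operation must match one of the role's Actions and none of its NotActions. The following model is an added example, not code from the original page or from Microsoft; the Reader and (abbreviated) Contributor definitions use the real published Actions/NotActions strings, while the subscription id is a constructed placeholder.

```python
from fnmatch import fnmatchcase

# Constructed placeholder subscription; resource group and storage account names are from the tutorial.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MYRG = f"{SUB}/resourceGroups/myrg"
STORAGE = f"{MYRG}/providers/Microsoft.Storage/storageAccounts/Ostorageq63fwkmmbi6uc"

# Built-in role definitions (Reader is complete; Contributor's NotActions list is abbreviated).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
}

# The single role assignment created in Step 19: (principal, role, scope).
ASSIGNMENTS = [("user1", "Reader", MYRG)]


def in_scope(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment covers its own scope and everything beneath it (scopes are case-insensitive)."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower()
    return r == a or r.startswith(a + "/")


def role_permits(role: str, operation: str) -> bool:
    """Operation must match an Actions pattern and no NotActions pattern; '*' spans '/' as in Azure."""
    defn, op = ROLES[role], operation.lower()
    allowed = any(fnmatchcase(op, p.lower()) for p in defn["Actions"])
    denied = any(fnmatchcase(op, p.lower()) for p in defn["NotActions"])
    return allowed and not denied


def is_authorized(principal: str, operation: str, resource_scope: str) -> bool:
    """Authorized if any in-scope assignment of the principal carries a role that permits the operation."""
    return any(in_scope(scope, resource_scope) and role_permits(role, operation)
               for p, role, scope in ASSIGNMENTS if p == principal)


if __name__ == "__main__":
    # Step 21: Reader can see the storage account; Step 24: Reader cannot delete it.
    print("read  ->", is_authorized("user1", "Microsoft.Storage/storageAccounts/read", STORAGE))
    print("delete->", is_authorized("user1", "Microsoft.Storage/storageAccounts/delete", STORAGE))
    # Step 20: no assignment reaches a different resource group, so it is not even listed.
    print("other ->", is_authorized("user1", "Microsoft.Resources/subscriptions/resourceGroups/read",
                                   f"{SUB}/resourceGroups/otherrg"))
```

Swapping the assignment's role to Contributor makes the delete succeed, while writing a role assignment in myrg still fails because of Contributor's NotActions on Microsoft.Authorization.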