Configuring delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies
Step 1-Creating Azure AD users and groups:
- Log in to the Azure Portal (http://portal.azure.com) using a Microsoft account that has the Owner role in the Azure subscription you intend to use in this lab and is a Global Administrator of the Azure AD tenant associated with that subscription.
- In Azure Portal navigate to Azure Active Directory
- From Azure Active Directory, navigate to Custom domain names and identify the primary DNS domain name associated with the Azure AD tenant (or identify it as shown in the figure).
- From the Azure AD Custom domain names blade, navigate to Users – All users.
- Select New user, enter the respective values, note down the generated password, and click Create.
- From the Users – All users, navigate to the Groups – All groups and click on create a new group.
- For group type select Security and enter the required values and click on Create.
Step 2-Creating Azure resource groups:
- In the Azure portal, navigate to the Resource groups and click on Add.
- Enter the required values and click Review + create. Once validation passes, click Create.
- From the Resource groups blade, create the second resource group.
- After entering the required values, click Review + create. Once validation passes, click Create.
Step 3-Delegate management of an Azure resource group via a built-in RBAC role:
- In the resource group panel click on demoRG1 and navigate to Access Control (IAM) then click on Role Assignments.
- In the role assignment panel click on Add and select Add role assignment.
- Then enter the required values: select the Contributor role, assign access to the demogroup group, and click Save.
Step 4-Assigning a built-in Azure policy to an Azure resource group:
- From the demoRG1 resource group select Policy Compliance and click on Assign Policy.
- Then enter the following details
- Scope: demoRG1
- Exclusions: leave the entry blank
- Policy definition: Allowed virtual machine SKUs
- Assignment name: Allowed virtual machine SKUs
- Description: Allowed selected virtual machine SKUs (Standard_DS1_v2)
- Assigned by: leave the entry set to its default value
- Allowed SKUs: Standard_DS1_v2
- Create a Managed Identity: leave the entry blank
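The four configuration steps above, scripted end to end with Azure PowerShell (Az module) as an added example that is not part of the original lab. It assumes Connect-AzAccount has already been run as the subscription Owner, that Az.Resources 5 or later is installed (Cloud Shell qualifies), and that the region, tenant domain placeholder and the names demoRG1, demoRG2, demogroup and demouser are values you adjust to your environment.

```powershell
# Added example: delegate demoRG1 to a group via Contributor and restrict VM sizes via policy.
# Assumes Connect-AzAccount has been run as a subscription Owner / Azure AD Global Administrator.
$location     = 'eastus'                        # assumption: the region you use in the lab
$tenantDomain = '<primary-domain-of-tenant>'    # placeholder: Azure AD > Custom domain names
$groupName    = 'demogroup'
$userName     = 'demouser'

# Step 1: user and security group (Az.Resources 5+ syntax)
$password = Read-Host -Prompt "Password for $userName" -AsSecureString
$user  = New-AzADUser -DisplayName $userName -UserPrincipalName "$userName@$tenantDomain" `
             -MailNickname $userName -Password $password -AccountEnabled
$group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id

# Step 2: two resource groups; only demoRG1 will be delegated
$rg1 = New-AzResourceGroup -Name 'demoRG1' -Location $location
$rg2 = New-AzResourceGroup -Name 'demoRG2' -Location $location

# Step 3: Contributor scoped to demoRG1 only (never to the subscription), so the
# delegated admin sees and manages nothing outside that resource group
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' -Scope $rg1.ResourceId

# Step 4: assign the built-in "Allowed virtual machine SKUs" policy to demoRG1.
# Newer portals list it as "Allowed virtual machine size SKUs", hence the wildcard match;
# the object shape differs between Az.Resources versions, hence the property check.
$def = Get-AzPolicyDefinition -Builtin | Where-Object {
    $n = if ($_.PSObject.Properties['Properties']) { $_.Properties.DisplayName } else { $_.DisplayName }
    $n -like 'Allowed virtual machine*SKUs'
} | Select-Object -First 1
if (-not $def) { throw 'Built-in allowed-SKU policy definition not found' }

New-AzPolicyAssignment -Name 'Allowed virtual machine SKUs' `
    -DisplayName 'Allowed virtual machine SKUs' `
    -Description 'Allowed selected virtual machine SKUs (Standard_DS1_v2)' `
    -Scope $rg1.ResourceId -PolicyDefinition $def `
    -PolicyParameterObject @{ listOfAllowedSKUs = @('Standard_DS1_v2') }

# Review what was delegated: one role assignment and one policy assignment, both at RG scope
Get-AzRoleAssignment -Scope $rg1.ResourceId | Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzPolicyAssignment -Scope $rg1.ResourceId | Select-Object Name
```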
Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events:
Step 1-Identify an available DNS name for an Azure VM deployment:
- In Azure Portal, start a PowerShell session in the Cloud Shell.
- Run the following command with the required string.
Test-AzDnsAvailability -DomainNameLabel <custom-label> -Location '<location-of-az1000101-RG>'
- Verify that the command returned True.
Step 2-Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin:
- Open a new browser window in private mode and log in to the Azure Portal as the delegated admin user created earlier.
- Note that you are only able to view demoRG1, because the role assignment was scoped to that resource group.
- Click on Create a resource and search for Template Deployment and navigate to Deploy a custom template.
- On the Custom deployment panel, in the Load a GitHub quickstart template drop-down list, select the 101-vm-simple-linux entry and navigate to the Edit template panel.
- On the Edit template blade, navigate to the Variables section and locate the vmSize entry. Note that the template is using Standard_A1 VM size.
- Discard any changes you might have made to the template and navigate to the Deploy a simple Ubuntu Linux VM.
- From the Deploy a simple Ubuntu Linux VM blade, initiate a template deployment with the following settings and click on purchase.
- Subscription: the same subscription you selected in the previous exercise
- Resource group: demoRG1
- Location: the name of the Azure region which you selected in the previous exercise
- Admin Username: a username of your choice
- Admin Password: a password of your choice
- Dns Label Prefix: the <custom-label> you identified in the previous task
- Ubuntu OS Version: accept the default value
- Location: accept the default value
- Note that initiation of the deployment fails. Navigate to the Errors blade and note that the deployment of the resource is not allowed by the policy Allowed virtual machine SKUs.
Step 3-Perform an automated deployment of a policy compliant Azure VM as a delegated admin:
- From the Deploy a simple Ubuntu Linux VM panel, navigate to the Edit template.
- On the Edit template blade, navigate to the Variables section and locate the vmSize entry.
- Replace the value Standard_A1 with Standard_DS1_v2 and save the change.
- Initiate the deployment again and note that this time validation succeeds.
Step 4-Review Azure Activity Log events corresponding to Azure VM deployments:
- Switch back to the regular browser session and log in to your Azure account using the Azure Portal.
- Navigate to demoRG1 resource group.
- In that resource group panel display its Activity log.
- In the list of operations, note the ones corresponding to the failed and successful validation events.
- Refresh the view of the blade and observe events corresponding to the Azure VM provisioning, including the final one representing the successful deployment.
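The Activity Log review above, done from PowerShell (Az.Monitor) as an added example that is not part of the original lab: it pulls the deployment validation and write events for demoRG1, shows who triggered each one, and flags the attempts that were blocked by policy. It assumes you are signed in as the subscription Owner, that demoRG1 is the lab's resource group name, and that a six-hour look-back covers the lab session.

```powershell
# Added example: audit the delegated admin's deployment attempts in demoRG1.
# Assumes Connect-AzAccount as the subscription Owner; demoRG1 is the lab's resource group.
$rgName = 'demoRG1'
$since  = (Get-Date).AddHours(-6)   # assumption: look back over the lab session

function Get-Text($value) {
    # Older Az.Monitor versions return localizable objects, newer ones plain strings
    if ($null -eq $value -or $value -is [string]) { return $value }
    return $value.Value
}

$deploymentOps = @('Microsoft.Resources/deployments/validate/action',
                   'Microsoft.Resources/deployments/write')

$events = Get-AzActivityLog -ResourceGroupName $rgName -StartTime $since -DetailedOutput

$report = $events |
    Where-Object { (Get-Text $_.OperationName) -in $deploymentOps } |
    ForEach-Object {
        # Serialising the whole event avoids depending on the exact Properties shape;
        # the policy denial surfaces as the error code RequestDisallowedByPolicy
        $raw = $_ | ConvertTo-Json -Depth 6 -Compress
        [pscustomobject]@{
            Time         = $_.EventTimestamp
            Caller       = $_.Caller
            Operation    = Get-Text $_.OperationName
            Status       = Get-Text $_.Status
            PolicyDenied = ($raw -match 'RequestDisallowedByPolicy')
        }
    } | Sort-Object Time

$report | Format-Table -AutoSize

# Failed validation = the Standard_A1 attempt; succeeded write = the Standard_DS1_v2 deployment
$denied = @($report | Where-Object PolicyDenied)
if ($denied.Count -gt 0) {
    Write-Warning "$($denied.Count) deployment attempt(s) in $rgName were blocked by policy"
    $denied | Select-Object Time, Caller | Format-Table -AutoSize
}
```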