Often times clients do not understand how role base access control (RBAC) works in Azure. In this post we’ll go over RBAC
First list out all the azure role definitions in your subscription
$ az role definition list -o table
Best if you limit the role definitions to a specific resource group
$ az role assignment list --resource-group <name_of_resource_group>
If you need to define a new role you can does as follows, where the @ad-role.json is the definition of the role
$ az role definition create --role-definition @add-role.json
Delete role you do not plan to use with the following
$ az role definition delete --name MyRole
You can also update a role. Done like a create
$ az role definition update --role-definition @update-role.json
Have a look at what users you have
$ az ad user list --query "[].[userPrincipalName,userType]" -o table
Now lets have a look at what the client has used.
$ az role assignment list --all -o table
You may find that your clients are not using RBAC property. They be using named users in roles and not AD groups. A common reason for this is that AD groups are not easly created and may even require having a ticked put into a system and take days, weeks to be provisioned. That, or assigning users to these AD groups could also take days, weeks, or not be accurate. As a result cloud admin teams do not use the AD groups and move to named users.
