Clients often do not understand how role-based access control (RBAC) works in Azure. In this post we'll go over RBAC.

First, list all the Azure role definitions in your subscription

$ az role definition list -o table

It is best to narrow this down to a specific resource group; the following lists the role assignments scoped to one

$ az role assignment list --resource-group <name_of_resource_group>

If you need to define a new role you can do so as follows, where @add-role.json is the file containing the role definition

$ az role definition create --role-definition @add-role.json

Delete roles you do not plan to use with the following

$ az role definition delete --name MyRole

You can also update a role. This is done the same way as a create

$ az role definition update --role-definition @update-role.json
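The post does not show what goes inside add-role.json or update-role.json. The following is an added example (not from the original post) of a custom role definition in the JSON shape that `az role definition create` and `az role definition update` accept, together with a small pre-flight check that catches the two mistakes I see most often: a missing AssignableScopes entry and a provider-wide wildcard action that quietly turns a "narrow" custom role into a Contributor look-alike. The role name, actions and subscription id are constructed placeholders.

```python
import json

# Constructed custom role definition in the format the Azure CLI expects for
# `az role definition create --role-definition @add-role.json`.
# The subscription id is a placeholder, not a real subscription.
ADD_ROLE = {
    "Name": "Example VM Operator",
    "IsCustom": True,
    "Description": "Can read, start and restart virtual machines, but not create or delete them.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

REQUIRED_KEYS = ("Name", "IsCustom", "Description", "Actions", "AssignableScopes")
SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def validate_role_definition(role: dict) -> list:
    """Return a list of problems found in a custom role definition (empty when it looks sound)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in role:
            problems.append(f"missing key: {key}")
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes must list at least one subscription, resource group or management group")
    for scope in scopes:
        if not scope.startswith(SCOPE_PREFIXES):
            problems.append(f"unexpected assignable scope: {scope}")
    # Least-privilege check: "*" or a provider-wide wildcard such as
    # "Microsoft.Compute/*" grants far more than a purpose-built role should.
    for action in role.get("Actions", []):
        if action == "*" or (action.endswith("/*") and action.count("/") == 1):
            problems.append(f"broad wildcard action: {action}")
    return problems


def write_role_file(role: dict, path: str) -> str:
    """Write the definition to disk so it can be passed to the CLI as @<path>."""
    with open(path, "w") as f:
        json.dump(role, f, indent=2)
    return path


if __name__ == "__main__":
    issues = validate_role_definition(ADD_ROLE)
    print(issues or "role definition OK")
    if not issues:
        write_role_file(ADD_ROLE, "add-role.json")
        # next step, run by hand: az role definition create --role-definition @add-role.json
```

For an update, keep the same file layout and add the role's "Id" field (as returned by `az role definition list`) so the CLI knows which definition to replace; the validation above applies unchanged.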

Have a look at what users you have

$ az ad user list --query "[].[userPrincipalName,userType]" -o table

Now let's have a look at what the client has actually used.

$ az role assignment list --all -o table

You may find that your clients are not using RBAC properly. They may be assigning named users to roles rather than AD groups. A common reason for this is that AD groups are not easily created and may even require a ticket to be put into a system and take days or weeks to be provisioned. Likewise, adding users to these AD groups can take days or weeks, or end up inaccurate. As a result cloud admin teams stop using the AD groups and move to named users.
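To make that finding concrete rather than anecdotal, the following added example (my own code, not from the post) takes the JSON output of `az role assignment list --all -o json`, counts assignments by principal type, and pulls out the direct user assignments, listing first those that hold a role able to grant further access. The sample data is constructed and only includes the output fields the script reads; it assumes those fields are named principalName, principalType, roleDefinitionName and scope, and that privileged means Owner or User Access Administrator.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `az role assignment list --all -o json`
# output, trimmed to the fields used below. Names and ids are made up.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalName": "sg-platform-admins", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "sp-deploy-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
  {"principalName": "carol@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")

# Roles that can hand out more access; a direct user assignment here gets reviewed first.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def audit_assignments(assignments):
    """Group assignments by principal type and flag the ones made to named users.

    Returns a dict with counts per principalType, the direct user assignments,
    and the subset of those that hold a privileged role.
    """
    counts = defaultdict(int)
    direct_users = []
    for a in assignments:
        ptype = a.get("principalType", "Unknown")
        counts[ptype] += 1
        if ptype == "User":
            direct_users.append(a)
    privileged = [a for a in direct_users if a.get("roleDefinitionName") in PRIVILEGED_ROLES]
    return {
        "counts": dict(counts),
        "direct_users": direct_users,
        "privileged_direct_users": privileged,
    }


def user_share(report):
    """Fraction of all assignments that go to named users instead of groups or service principals."""
    total = sum(report["counts"].values())
    return report["counts"].get("User", 0) / total if total else 0.0


if __name__ == "__main__":
    # In practice: assignments = json.load(open("assignments.json")) after running
    # az role assignment list --all -o json > assignments.json
    report = audit_assignments(SAMPLE_ASSIGNMENTS)
    print(f"assignments by principal type: {report['counts']}")
    print(f"share assigned to named users: {user_share(report):.0%}")
    for a in report["privileged_direct_users"]:
        print(f"REVIEW: {a['principalName']} holds {a['roleDefinitionName']} at {a['scope']}")
    for a in report["direct_users"]:
        print(f"named user: {a['principalName']} -> {a['roleDefinitionName']} at {a['scope']}")
```

A high user share is the number to put in front of the client: each of those assignments is one that nobody will remember to remove when the person changes teams, which is exactly the gap group-based assignment closes.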
