Lab 02: Solution - Portal Walkthrough

Only refer to this after attempting the tasks yourself!


Pre-Lab Setup

Creating Resource Groups

  1. Go to Azure Portal → Search "Resource groups"
  2. Click + Create
  3. Configure:
    • Subscription: Select yours
    • Resource group: rg-project-dev
    • Region: East US
  4. Click Review + create → Create
  5. Repeat for rg-project-prod

Creating Storage Account

  1. Go to Storage accounts → + Create
  2. Configure:
    • Resource group: rg-project-dev
    • Storage account name: stprojectdev + random numbers (must be globally unique)
    • Region: East US
    • Performance: Standard
    • Redundancy: LRS
  3. Click Review → Create
  4. After creation, go to the storage account
  5. Click Containers → + Container
  6. Name: documents, Public access: Private
  7. Click into the container → Upload → Select any file

Creating Key Vault

  1. Go to Key vaults → + Create
  2. Configure:
    • Resource group: rg-project-dev
    • Key vault name: kv-project-dev- + random numbers
    • Region: East US
    • Pricing tier: Standard
  3. Click Next: Access configuration
  4. Select Azure role-based access control (important!)
  5. Click Review + create → Create
  6. After creation, go to Key Vault → Secrets → + Generate/Import
  7. Name: ApiKey, Value: test-secret-123
  8. Click Create


Task 1: Understand Role Assignment Components

View Role Assignments

  1. Go to your Subscription (search "Subscriptions")
  2. Click your subscription name
  3. Click Access control (IAM) in left menu
  4. Click Role assignments tab

Here you'll see all assignments at this scope:

  • Note the Role column (Owner, Contributor, etc.)
  • Note the Scope column (some may show "Inherited")
  • Note the Principal column (users, groups, service principals)

View Role Definition

  1. Stay in IAM, click Roles tab
  2. Search for "Contributor"
  3. Click Contributor → Click Permissions tab

You'll see:

  • Actions: * (everything)
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action

This means Contributor can do everything EXCEPT manage role assignments.

Compare Roles

Role        | Key Permissions                  | Cannot Do
------------|----------------------------------|--------------------------------
Reader      | View all resources               | Create, modify, delete anything
Contributor | Create, modify, delete resources | Manage role assignments
Owner       | Everything                       | Nothing restricted

Task 2: Assign Built-in Roles at Resource Group Scope

Assign Reader Role

  1. Go to Resource groups → rg-project-dev
  2. Click Access control (IAM)
  3. Click + Add → Add role assignment
  4. Role tab:
    • Search for "Reader"
    • Select Reader
    • Click Next
  5. Members tab:
    • Assign access to: User, group, or service principal
    • Click + Select members
    • Search for your test user (devuser)
    • Select and click Select
    • Click Next
  6. Review + assign tab:
    • Review the assignment
    • Click Review + assign

Verify NO Access to Production

  1. Go to rg-project-prod → Access control (IAM)
  2. Click Check access
  3. Search for your test user
  4. Should show: NO access at this scope

Task 3: Data Plane vs Control Plane

Test as the User (or check permissions)

Checking what Reader CAN do:

  1. With Reader on resource group:
    • ✅ View storage account in portal
    • ✅ View storage account properties
    • ❌ View storage account access keys (needs elevated permission)
    • ❌ Access blob data (data plane, different permission)

Assign Data Plane Role

  1. Go to the Storage Account → Access control (IAM)
  2. Click + Add → Add role assignment
  3. Role: Search "Storage Blob Data Reader" → Select it
  4. Members: Select your test user
  5. Review + assign

Now the user can:

  • ✅ View blobs in containers
  • ✅ Download blobs
  • ❌ Still cannot upload (needs Data Contributor)
  • ❌ Still cannot view access keys (control plane)

Task 4: Assign Contributor Role

Add Contributor to Dev Resource Group

  1. Go to rg-project-dev → IAM
  2. + Add → Add role assignment
  3. Role: Contributor
  4. Members: Select developer user
  5. Review + assign

Verify Cannot Assign Roles

  1. Still in IAM for rg-project-dev
  2. As the developer user (or check permissions):
    • Try to click + Add → Add role assignment
    • The option will either not appear or the assignment will fail with an authorization error
    • This is because Contributor has Microsoft.Authorization/*/Write in NotActions, so it cannot write role assignments

Task 5: Key Vault Access Configuration

Verify RBAC Mode

  1. Go to Key Vault → Settings → Access configuration
  2. Ensure Azure role-based access control is selected
  3. If it shows "Vault access policy", click Azure role-based access control and Save

Assign Key Vault Secrets User

  1. Go to Key Vault → Access control (IAM)
  2. + Add → Add role assignment
  3. Role: Search "Key Vault Secrets User" → Select
  4. Members: Select test user
  5. Review + assign

Test Secret Access

  1. Go to Key Vault → Secrets → Click ApiKey
  2. Click Show Secret Value
  3. User with Key Vault Secrets User role can view this

Understanding Key Vault Roles:

Role                       | Can Do
---------------------------|------------------------------------------------
Key Vault Secrets User     | Read secret values
Key Vault Secrets Officer  | Create, update, delete secrets
Key Vault Reader           | View Key Vault properties (NOT secret values)
Key Vault Contributor      | Manage Key Vault settings (NOT secrets)

Task 6: Create a Custom Role

Create via Portal

  1. Go to Subscription → Access control (IAM)
  2. Click + Add → Add custom role
  3. Basics tab:
    • Name: Virtual Machine Operator
    • Description: Can start, stop, and restart VMs. Cannot create or delete.
    • Baseline permissions: Start from scratch
  4. Permissions tab: Click + Add permissions and search for each:
    • Search "Microsoft.Compute/virtualMachines/read" → Add
    • Search "Microsoft.Compute/virtualMachines/start" → Add the /action
    • Search "Microsoft.Compute/virtualMachines/restart" → Add the /action
    • Search "Microsoft.Compute/virtualMachines/powerOff" → Add the /action
    • Search "Microsoft.Compute/virtualMachines/deallocate" → Add the /action
    • Search "Microsoft.Network/*/read" → Add
    • Search "Microsoft.Resources/subscriptions/resourceGroups/read" → Add
  5. Assignable scopes tab:
    • Should show your subscription
    • You can add/remove scopes here
  6. Click Review + create → Create

Assign Custom Role

  1. Go to rg-project-dev → IAM
  2. + Add → Add role assignment
  3. Your custom role should appear under "Job function roles" tab
  4. Select Virtual Machine Operator
  5. Assign to test user

Task 7: Deny Assignments

View Deny Assignments

  1. Go to Subscription → IAM → Deny assignments tab
  2. Usually empty unless you're using Azure Blueprints

Understanding Deny Priority

Evaluation Order:
1. Explicit Deny (deny assignment) → BLOCKED
2. Allow (role assignment) → ALLOWED
3. No assignment → DENIED (implicit deny)

Deny ALWAYS wins over Allow!
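To see the evaluation order from Task 7 work together with scope inheritance (Task 2), the Actions/NotActions split of Contributor (Tasks 1 and 4), data-plane versus control-plane permissions (Task 3) and the custom role from Task 6, here is a small model of how a request is decided. This is an added example, not Azure's code and not part of the lab; it uses no Azure SDK. The subscription id, the storage account and VM names, the principal names and the deny assignment are constructed placeholders. Owner, Contributor, Reader and the custom role use exactly the permissions the lab shows; the Storage Blob Data Reader entry is abbreviated from memory and should be checked with `az role definition list --name "Storage Blob Data Reader"` before you rely on it.

```python
"""Constructed model of the Azure RBAC evaluation order described in the lab.
Added example: not Azure's code, no Azure SDK; ids and names are placeholders."""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG_DEV = SUB + "/resourceGroups/rg-project-dev"
RG_PROD = SUB + "/resourceGroups/rg-project-prod"
STORAGE = RG_DEV + "/providers/Microsoft.Storage/storageAccounts/stprojectdev123"  # constructed
VM = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"            # constructed
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def role(actions=(), not_actions=(), data_actions=(), not_data_actions=()):
    return {"Actions": list(actions), "NotActions": list(not_actions),
            "DataActions": list(data_actions), "NotDataActions": list(not_data_actions)}


# Owner/Contributor/Reader and the custom role are the permissions the lab shows.
# Storage Blob Data Reader is abbreviated from memory: verify with `az role definition list`.
ROLES = {
    "Owner": role(actions=["*"]),
    "Contributor": role(actions=["*"], not_actions=[
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": role(actions=["*/read"]),
    "Storage Blob Data Reader": role(  # blob access is a DataAction, not an Action
        actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        data_actions=[BLOB_READ]),
    "Virtual Machine Operator": role(actions=[
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Network/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"]),
}

# The lab's assignments (principal names constructed).
ASSIGNMENTS = [
    {"principal": "devuser", "role": "Reader", "scope": RG_DEV},
    {"principal": "devuser", "role": "Storage Blob Data Reader", "scope": STORAGE},
    {"principal": "developer", "role": "Contributor", "scope": RG_DEV},
    {"principal": "opsuser", "role": "Virtual Machine Operator", "scope": RG_DEV},
]
# A constructed deny assignment to show that deny wins over the Reader allow.
DENIES = [{"principals": ["devuser"], "scope": RG_DEV, "Actions": ["Microsoft.Storage/*"],
           "NotActions": [], "DataActions": [], "NotDataActions": []}]


def matches(operation, patterns):
    """Azure action wildcards: '*' spans '/' segments and matching ignores case."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def in_scope(assignment_scope, resource_scope):
    """An assignment applies at its own scope and is inherited by everything beneath it."""
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")


def evaluate(principal, operation, resource_scope, assignments, denies=(), data_plane=False):
    """Return (allowed, reason) using the lab's order: explicit deny, allow, implicit deny."""
    grant, exclude = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    # 1. An explicit deny assignment always wins.
    for d in denies:
        if (principal in d["principals"] and in_scope(d["scope"], resource_scope)
                and matches(operation, d[grant]) and not matches(operation, d[exclude])):
            return False, f"DENIED by deny assignment at {d['scope']}"
    # 2. Any inherited role assignment whose definition grants the operation.
    excluded = []
    for a in assignments:
        if a["principal"] != principal or not in_scope(a["scope"], resource_scope):
            continue
        perms = ROLES[a["role"]]
        if matches(operation, perms[grant]):
            if matches(operation, perms[exclude]):  # e.g. Contributor vs. role assignments
                excluded.append(a["role"])
                continue
            return True, f"ALLOWED by {a['role']} at {a['scope']}"
    # 3. Nothing granted it: implicit deny.
    if excluded:
        return False, f"DENIED: listed in NotActions of {', '.join(excluded)}"
    return False, "DENIED: no role assignment grants this operation at this scope"


def custom_role_json(name, description, assignable_scopes):
    """Custom role definition in the JSON shape accepted by `az role definition create`."""
    return {"Name": name, "IsCustom": True, "Description": description,
            **ROLES[name], "AssignableScopes": list(assignable_scopes)}


if __name__ == "__main__":
    checks = [
        ("devuser", "Microsoft.Storage/storageAccounts/read", STORAGE, False),
        ("devuser", "Microsoft.Storage/storageAccounts/listKeys/action", STORAGE, False),
        ("devuser", BLOB_READ, STORAGE, True),
        ("developer", "Microsoft.Authorization/roleAssignments/write", RG_DEV, False),
        ("opsuser", "Microsoft.Compute/virtualMachines/delete", VM, False),
    ]
    for who, op, scope, data in checks:
        print(who, op, "->", evaluate(who, op, scope, ASSIGNMENTS, data_plane=data)[1])
    print("with deny:", evaluate("devuser", "Microsoft.Storage/storageAccounts/read",
                                 STORAGE, ASSIGNMENTS, DENIES)[1])
```

Two details are worth noticing when you run it: the Reader assignment on rg-project-dev is inherited by the storage account beneath it but grants nothing on rg-project-prod, and a data operation is only ever compared against DataActions, which is why Reader's `*/read` does not open blob contents until Storage Blob Data Reader is added.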

Task 9: Remove and Audit Role Assignments

View Activity Log

  1. Go to Subscription → Activity log
  2. Add filter: Operation → Search "role"
  3. Select:
    • Create role assignment
    • Delete role assignment
  4. View entries showing who made changes and when

Export Role Assignments

  1. Go to Subscription → IAM → Role assignments
  2. Click Download (top of the list)
  3. This exports CSV with all assignments

Remove Assignments

  1. For each test assignment:
    • Go to the appropriate scope (subscription/RG)
    • IAM → Role assignments
    • Find the assignment
    • Check the box next to it
    • Click Remove → Confirm
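Once you have an export of the assignments, a short script can check it for the mistakes listed below and produce the per-scope list you need for the Remove step. This is an added example, not part of the lab. The rows are constructed and use the field names of `az role assignment list -o json` (principalName, principalType, roleDefinitionName, scope); the portal's CSV download uses its own column headers, so rename them to these before feeding it in. The subscription id and the contoso.example principals are placeholders.

```python
"""Audit an exported role-assignment list for the lab's common mistakes and
build a cleanup plan. Added example, not part of the lab; rows are constructed."""
import csv
import io

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed export: the lab's test assignments plus one deliberate mistake
# (the developer was given Owner on the production resource group).
SAMPLE_CSV = f"""principalName,principalType,roleDefinitionName,scope
admin@contoso.example,User,Owner,{SUB}
devuser@contoso.example,User,Reader,{SUB}/resourceGroups/rg-project-dev
devuser@contoso.example,User,Storage Blob Data Reader,{SUB}/resourceGroups/rg-project-dev/providers/Microsoft.Storage/storageAccounts/stprojectdev123
developer@contoso.example,User,Contributor,{SUB}/resourceGroups/rg-project-dev
developer@contoso.example,User,Owner,{SUB}/resourceGroups/rg-project-prod
opsuser@contoso.example,User,Virtual Machine Operator,{SUB}/resourceGroups/rg-project-dev
"""

PRIVILEGED = {"Owner", "User Access Administrator"}  # roles that can grant access to others
TEST_PRINCIPALS = {"devuser@contoso.example", "developer@contoso.example",
                   "opsuser@contoso.example"}
PROD_RGS = {"rg-project-prod"}


def parse_assignments(text):
    """Read the export into a list of dicts keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(text)))


def resource_group_of(scope):
    """Resource group named in a scope string, or None for subscription-level scopes."""
    parts = scope.split("/")
    lowered = [p.lower() for p in parts]
    if "resourcegroups" in lowered:
        return parts[lowered.index("resourcegroups") + 1]
    return None


def audit(rows, test_principals=TEST_PRINCIPALS, prod_rgs=PROD_RGS):
    """Return (finding, row) pairs for the mistakes the lab warns about."""
    findings = []
    for row in rows:
        role, who = row["roleDefinitionName"], row["principalName"]
        rg = resource_group_of(row["scope"])
        if role in PRIVILEGED and rg is None:
            findings.append(("privileged role at subscription scope: confirm it is still needed", row))
        if role in PRIVILEGED and rg is not None:
            findings.append(("Owner-level role on a resource group: would Contributor do?", row))
        if who in test_principals and rg in prod_rgs:
            findings.append(("test principal has access to a production resource group", row))
    return findings


def cleanup_list(rows, test_principals=TEST_PRINCIPALS):
    """Test assignments grouped by scope, so each IAM blade is visited once."""
    by_scope = {}
    for row in rows:
        if row["principalName"] in test_principals:
            by_scope.setdefault(row["scope"], []).append(
                (row["principalName"], row["roleDefinitionName"]))
    return by_scope


if __name__ == "__main__":
    rows = parse_assignments(SAMPLE_CSV)
    for finding, row in audit(rows):
        print(f"{finding}: {row['principalName']} / {row['roleDefinitionName']} @ {row['scope']}")
    for scope, entries in cleanup_list(rows).items():
        print("remove at", scope)
        for who, role in entries:
            print("   ", who, role)
```

The prod check is the one that catches the wrong-scope mistake: it flags the Owner assignment on rg-project-prod twice (once as an over-broad role, once as a test user on production), while the legitimate admin Owner at subscription scope is only listed for review.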

Common Mistakes to Avoid

  1. Assigning at wrong scope - Always double-check you're in the right resource group/subscription
  2. Forgetting data plane roles - Control plane ≠ Data plane access
  3. Using Owner when Contributor works - Principle of least privilege
  4. Not testing as the user - Always verify the assignment works as expected
  5. Custom role typos - Action strings must be exact

Released under the MIT License.