${Graham Beer} = blog


System Engineer, PowerShell Developer, WinOps and a huge automation fan!


Working with Azure Active Directory part 2

Following on from part 1, I'm going to delve into creating a custom RBAC (role-based access control) role, then assigning this role to the group we created, and finally adding our user to the group.

Before I start to create a custom role, let's see what is already available.
The cmdlet we will use is in the AzureRM.Resources module. Like the other modules we used in part 1, you can find this module in the PowerShell Gallery. There are a lot of cmdlets for Azure, so a bit of discovery helps to find what you need. One of my favourite PowerShell cmdlets is Get-Command. It's awesome! This simple command points me in the right direction: Get-Command -Verb get -Noun *AzureRM*Role* -Module AzureRM.Resources. It returned two cmdlets:

PS D:\> Get-Command -Verb get -Noun *AzureRM*Role*  -Module AzureRM.Resources

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-AzureRmRoleAssignment                          4.3.1      AzureRM.Resources
Cmdlet          Get-AzureRmRoleDefinition                          4.3.1      AzureRM.Resources

Looking at these I can see that what I'm after is the definition. I'm close now to seeing how many roles are already predefined.
Running the command (Get-AzureRmRoleDefinition | select Name | measure).count tells me there are 62 predefined roles I could use! Not bad!
But for the purpose of this post, I can't see what I need. I want to create an automation role, where I can assign access to a DevTest and automation role in Azure.
One way to create a new role is with a JSON template. I found the best way to do this was to grab a current role and convert it to JSON so I had something to work with. I did this with Get-AzureRmRoleDefinition -Name 'User Access Administrator' | ConvertTo-Json | clip. By piping to clip I can simply paste the output into my tool of choice to edit the file.
Let's look at the output:

{
    "Name":  "User Access Administrator",
    "Id":  "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "IsCustom":  false,
    "Description":  "Lets you manage user access to Azure resources.",
    "Actions":  [
                    "*/read",
                    "Microsoft.Authorization/*",
                    "Microsoft.Support/*"
                ],
    "NotActions":  [

                   ],
    "AssignableScopes":  [
                             "/"
                         ]
}

What do I need to change? I need to create my own name and description; that's the easy part! Reading the Microsoft documentation, I can remove the Id, as a new Id will be generated for me. It also tells me I need to add my subscription to AssignableScopes. Let's find the subscription. I can do this by typing the following: $subscriptionId = (Get-AzureRmSubscription).SubscriptionId. Note that this returns one Id per subscription your account can see, so if you have more than one you should pick the subscription explicitly.
I also need to change the boolean value of the IsCustom field to true. The final part is to add a list of Actions.
Using the Get-AzureRmRoleDefinition cmdlet earlier, I found the roles whose actions I wanted to add to my custom role. They were 'DevTest Labs User' and 'Automation Operator'. The Get-AzureRmRoleDefinition cmdlet returns an Actions property to view. This piece of code captures the actions of the two roles and stores them in a variable, already quoted and comma-separated so they can be dropped straight into the JSON template:

# Fetch both role definitions, take their Actions, and join them as a JSON string list:
# "" inside a double-quoted string is a literal quote, so the separator is  ",<newline>"
$CustomRole = '"' + (('DevTest Labs User', 'Automation Operator' | 
            . { process { Get-AzureRmRoleDefinition -Name $_ } }).Actions -join """,`r`n""") + '"'

Now I can create my own custom JSON file. This is how mine looked:

@"
{
  "Name":  "Custom 1",
  "IsCustom":  true,
  "Description":  "Automation and Dev role",
  "Actions":  [
                  $CustomRole
              ],
  "NotActions":  [

                 ],
  "AssignableScopes":  [
                          "/subscriptions/$subscriptionId"
                       ]
}
"@ | Out-File c:\temp\template.json

I pasted my JSON template into a here-string and made my changes. The AssignableScopes entry requires /subscriptions/ to be prefixed to the subscriptionId. At the end of the here-string, notice I have piped the output to Out-File and given the file a *.json extension. Instead of pasting all the values captured in my $CustomRole variable, I just added the variable, which is expanded when the here-string is evaluated (in an expandable @" "@ here-string only $variables and $( ) subexpressions are evaluated; any other PowerShell syntax is written out literally).
Now I have my custom role in a JSON template file.
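As an added example (not code from the original post), here is the same role built as a PowerShell object and serialised with ConvertTo-Json, which avoids hand-assembling quotes in a here-string and lets the script check the result before it is sent to Azure. It assumes the AzureRM.Resources module is loaded and Login-AzureRmAccount has been run; the role name, description and source roles are the ones used in this post, and the wildcard check is my own addition.

```powershell
# Added example: build the custom role definition as an object rather than as text.
# Assumes AzureRM.Resources is loaded and the account is already logged in.
$sourceRoles = 'DevTest Labs User', 'Automation Operator'

# Collect the Actions of both source roles, de-duplicated and sorted so they are easy to review
$actions = $sourceRoles |
    ForEach-Object { Get-AzureRmRoleDefinition -Name $_ } |
    ForEach-Object { $_.Actions } |
    Sort-Object -Unique

# A bare '*' action would grant every operation in the scope; refuse to build such a role
if ($actions -contains '*') {
    throw "Refusing to create a custom role that contains an unrestricted '*' action."
}

# Get-AzureRmSubscription returns every subscription the account can see; pick one explicitly
$subscriptions = @(Get-AzureRmSubscription)
$subscription  = $subscriptions[0]
if ($subscriptions.Count -gt 1) {
    Write-Warning "Multiple subscriptions visible; scoping the role to '$($subscription.Name)'."
}

$role = [PSCustomObject]@{
    Name             = 'Custom 1'
    IsCustom         = $true
    Description      = 'Automation and Dev role'
    Actions          = @($actions)
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$($subscription.SubscriptionId)")
}

$path = Join-Path $env:TEMP 'template.json'   # assumed output location
$role | ConvertTo-Json -Depth 4 | Out-File -FilePath $path -Encoding utf8

# Round-trip the file to make sure it parses as JSON before handing it to Azure
$parsed = Get-Content -Path $path -Raw | ConvertFrom-Json
if (-not $parsed.IsCustom -or @($parsed.AssignableScopes).Count -ne 1) {
    throw "Generated template failed validation; not creating the role."
}

New-AzureRmRoleDefinition -InputFile $path
```

Building the object first means the Actions list is visible in the script before anything is created, which is the point at which you want to confirm the union of two built-in roles is still no more than the job needs.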

To add my role to Azure I can point the following cmdlet at my JSON file, like so: New-AzureRmRoleDefinition -InputFile c:\temp\template.json

Great, I now have my newly created custom role in Azure!
The last part of the blog is to assign the role to the group and put our user in the group.

The New-AzureRmRoleAssignment cmdlet requires the scope to be passed, so when getting the Azure AD group I pipe it to Get-AzureRmRoleAssignment, which returns the Scope along with the ObjectId. I capture the output into a variable, then pipe the variable to New-AzureRmRoleAssignment and pass the custom role to the RoleDefinitionName parameter.

# Get-AzureRmRoleAssignment returns the group's existing assignments (ObjectId and Scope);
# this relies on the group already holding at least one assignment at the scope you want
$RoleAssignment = Get-AzureADGroup -Filter "DisplayName eq 'Test Group'" | Get-AzureRmRoleAssignment # contains object ID and Scope
$RoleAssignment | New-AzureRmRoleAssignment -RoleDefinitionName 'Custom 1'

Lastly, let's move our user into the group with the assigned role. For this we just need to pass the ObjectIds of both the user and the group to the Add-AzureADGroupMember cmdlet, like so:

# Look up the ObjectIds of the user and of the group that holds the role assignment
$UserId = (Get-AzureADUser -Filter "DisplayName eq 'Test User'").ObjectId
$GroupID = (Get-AzureADGroup -Filter "DisplayName eq 'Test'").ObjectId

# -ObjectId is the group being changed, -RefObjectId is the member being added
Add-AzureADGroupMember -ObjectId $GroupID -RefObjectId $UserId
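Once the role is assigned and the user is in the group, it is worth confirming the whole chain rather than trusting each cmdlet's lack of errors. The following is an added example (not from the original post) that checks the membership, lists the group's assignments and scopes, shows what the custom role actually grants, and then repeats the same review for every custom role in the tenant. It assumes both the AzureAD and AzureRM.Resources modules are loaded, that Connect-AzureAD and Login-AzureRmAccount have been run, and uses the 'Test User', 'Test Group' and 'Custom 1' names from this post.

```powershell
# Added example: verify the user -> group -> role chain and review custom roles.
# Assumes AzureAD and AzureRM.Resources are loaded and both sessions are logged in.
$user  = Get-AzureADUser  -Filter "DisplayName eq 'Test User'"
$group = Get-AzureADGroup -Filter "DisplayName eq 'Test Group'"

# 1. Membership: is the user a direct member of the group?
$memberIds = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId
$isMember  = $memberIds -contains $user.ObjectId
"User '$($user.DisplayName)' is a member of '$($group.DisplayName)': $isMember"

# 2. Assignments: which roles does the group hold, and at what scope?
Get-AzureRmRoleAssignment -ObjectId $group.ObjectId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 3. Effective rights: what does 'Custom 1' allow, and where can it be assigned?
$role = Get-AzureRmRoleDefinition -Name 'Custom 1'
"Actions granted by '$($role.Name)':"
$role.Actions
if (@($role.AssignableScopes).Count -gt 1) {
    Write-Warning "'$($role.Name)' is assignable in more than one scope; check that is intended."
}

# 4. The same review for every custom role in the tenant: flag wildcard actions
#    or roles assignable in several scopes, which are the usual sources of over-grant
Get-AzureRmRoleDefinition -Custom |
    Where-Object { ($_.Actions -contains '*') -or (@($_.AssignableScopes).Count -gt 1) } |
    Select-Object Name, Id,
        @{ Name = 'Actions'; Expression = { $_.Actions -join ', ' } },
        @{ Name = 'Scopes';  Expression = { $_.AssignableScopes -join ', ' } }
```

Step 4 is the part to keep around: run on a schedule, it gives you a short list of custom roles whose actions or scopes have drifted beyond what was originally approved.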

I hope you have found this and the previous article useful in showing how PowerShell can help when working with Azure Active Directory.