From d196a9daff92bea12fd7f6d4cb193c1ab375244c Mon Sep 17 00:00:00 2001 From: staleycyn <45440075+staleycyn@users.noreply.github.com> Date: Thu, 4 Jan 2024 06:39:46 -0800 Subject: [PATCH] Update LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md --- ...02a_Manage_Subscriptions_and_RBAC_Entra.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/New Instructions/Lab/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md b/New Instructions/Lab/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md index 2797cfd1..fdad33f9 100644 --- a/New Instructions/Lab/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md +++ b/New Instructions/Lab/LAB_02a_Manage_Subscriptions_and_RBAC_Entra.md @@ -43,8 +43,9 @@ There are some interactive lab simulations that you might find useful for this t + Task 1: Implement management groups. + Task 2: Review and assign a built-in Azure role. -+ Task 3: Create and assign a custom RBAC roles. -+ Task 4: Monitor role assignments with the Activity Log. ++ Task 3: Create and assign a custom RBAC roles. ++ Task 4: Assign and test the custom RBAC roles. ++ Task 5: Monitor role assignments with the Activity Log. ## Task 1: Implement Management Groups 
@@ -77,13 +78,13 @@ In this task, you will create and configure management groups. Management groups ## Task 2: Review and assign a built-in Azure role -In this task, you will assign the VM Contributor role to your user account. +In this task, you will review the built-in roles and assign the VM Contributor role to your user account. Azure provides a large number of [built-in roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles). 1. In the portal, search for and the **az104-mg1** management group. 1. Select the **Access control (IAM)** blade, and then the **Roles** tab. -1. Scroll through the role definitions that are available. **View** a role to get detailed information about the **Permissions**, **JSON**, and **Assignments**. +1. Scroll through the role definitions that are available. **View** a role to get detailed information about the **Permissions**, **JSON**, and **Assignments**. 1. Select **+ Add**, from the drop-down menu, select **Add role assignment**. @@ -114,7 +115,7 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o 1. Select the **Check access** tab, then in the **Create a custom role** box, select **Add**. -1. On the Basics tab of Create a custom role, provide the name `Custom Support Request`. In the Description field, enter `A custom contributor role for support requests.` +1. On the Basics tab of **reate a custom role**, provide the name `Custom Support Request`. In the Description field, enter `A custom contributor role for support requests.` 1. In the Baseline permissions field, select **Clone a role**. In the Role to clone drop-down menu, select **Support Request Contributor**. 
@@ -126,6 +127,8 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o 1. In the list of permissions, place a checkbox next to **Other: Registers Support Resource Provider** and then select **Add**. The role should be updated to include this permission as a *NotAction*. + >**Note:** An Azure resource provider is a set of REST operations that enable functionality for a specific Azure service. We do not want to help desk to be able to have this capability, so it is being removed rom the role. + 1. Select the **Assignable scopes** tab. Select the **Delete** icon on the row for the subscription. 1. Select **+ Add assignable scopes**. Select the **az104-mg1** management group, then click **Select**. @@ -136,7 +139,9 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o >**Note:** At this point, you have created a custom role. Your next step is to assign the role to a Help Desk user. -### Identity the Help Desk user account you will use for testing the new role and assign the custom role. +Task 4: Assign and test the custom RBAC roles. + +In this task, you add the custom role to a test user and confirm their permissions. 1. In the Azure portal, search for and select **Microsoft Entra ID**, then select the **Users** blade. @@ -150,7 +155,7 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o 1. On the **Role** tab, search for `Custom Support Request`. - >**Note**: if your custom role is not visible, it can take up to 10 minutes for the custom role to appear after creation. + >**Note**: if your custom role is not visible, it can take up to 5 minutes for the custom role to appear after creation. **Refresh** the page. 1. Select the **Role** and click **Next**. On the **Members** tab, click **+ Select members** and **select** user account **HelpDesk-user1**. 
@@ -160,13 +165,13 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o ### Test the Help Desk user account to ensure it has the correct privileges -1. Open an **InPrivate** browser window and sign in to the Azure portal at `https://portal.azure.com` using the test user account. If prompted to update the password, change the password for the user. +1. Open an **InPrivate** browser window and navigate to the Azure portal at `https://portal.azure.com`. - >**Note**: Rather than typing the user name, you can paste the content of clipboard. +1. Provide the user principle name for Helpdesk-user1. When prompted to update the password, change the password for the user. -1. In the **InPrivate** browser window, in the Azure portal, search and select **Resource groups** to verify that the Help Desk user can see all resource groups. +1. In the **InPrivate** browser window, in the Azure portal, search and select **Resource groups** to verify that the Help Desk user can view resource groups. -1. In the **InPrivate** browser window, in the Azure portal, search and select **All resources** to verify that the Help Desk user cannot see any resources. +1. In the **InPrivate** browser window, in the Azure portal, search and select **All resources** to verify that the Help Desk user cannot see any individual resources. 1. In the **InPrivate** browser window, in the Azure portal, search and select **Help + support** and then click **+ Create a support request**. 
@@ -174,19 +179,17 @@ In this task, you will create a custom RBAC role. Custom roles are a core part o 1. In the **InPrivate** browser window, on the **Problem Description/Summary** tab of the **Help + support - New support request** blade, type **Service and subscription limits** in the Summary field and select the **Service and subscription limits (quotas)** issue type. Note that the subscription you are using in this lab is listed in the **Subscription** drop-down list. - >**Note**: The presence of the subscription you are using in this lab in the **Subscription** drop-down list indicates that the account you are using has the permissions required to create the subscription-specific support request. - - >**Note**: If you do not see the **Service and subscription limits (quotas)** option, sign out from the Azure portal and sign in back. + >**Note**: Since the role was assigned to the management group, all subscriptions should be available to the help deks. If you do not see the **Service and subscription limits (quotas)** option, sign out from the Azure portal and sign in back. 1. Take a few minutes to explore creating a **New support request**, but do not continue with creating the support request. Instead, sign out as the Help Desk user from the Azure portal and close the InPrivate browser window. -1. You have finished testing your custom role and reviewed how to create a support ticket. + >**Note:** You have now verified a help desk user has the correct permissions. At this point you would create a help desk group and add members. -## Task 4: Monitor role assignments with the Activity Log +## Task 5: Monitor role assignments with the Activity Log In this task, you view the activity log to determine if anyone has created a new role. -1. Return to the **az104-mg1** resource and select **Activity log**. +1. Return to the portal and in the **az104-mg1** resource select **Activity log**. 2. 
Select **Add filter**, select **Operation**, and then **Create role assignment**. @@ -209,9 +212,7 @@ Congratulations on completing the lab. Here are the main takeaways for this lab. If you are working with your own subscription take a minute to delete the lab resources. This will ensure resources are freed up and cost is minimized. The easiest way to delete the lab resources is to delete the lab resource group. + In the Azure portal, select the resource group, select **Delete the resource group**, **Enter resource group name**, and then click **Delete**. - + Using Azure PowerShell, `Remove-AzResourceGroup -Name resourceGroupName`. - + Using the CLI, `az group delete --name resourceGroupName`.
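Review bot: In the @@ -43,8 +43,9 hunk, Task 3 is still titled "Create and assign a custom RBAC roles" while the new Task 4 is "Assign and test the custom RBAC roles", so the assignment step is listed twice and "a ... roles" mixes singular and plural. Suggest `+ Task 3: Create a custom RBAC role.` and `+ Task 4: Assign and test the custom RBAC role.`, which matches where Task 3 actually ends in the body (the later note "At this point, you have created a custom role. Your next step is to assign the role"). The `-`/`+` pair for the Task 3 line looks like a whitespace-only change; worth confirming it is intended.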
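Review bot: In the @@ -77,13 +78,13 hunk the context line "In the portal, search for and the **az104-mg1** management group" is missing its verb; since this region is already being edited, change it to "search for and select the **az104-mg1** management group". The new intro sentence keeps the name "VM Contributor", but the built-in role as listed on the Roles tab learners are told to scroll through is "Virtual Machine Contributor"; using the exact display name avoids a search miss. The `-`/`+` pair for the "Scroll through the role definitions..." line appears to be a whitespace-only change.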
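Review bot: The bold label introduced in the @@ -114,7 +115,7 hunk drops its first letter: `**reate a custom role**` should be `**Create a custom role**`.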
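Review bot: The new note in the @@ -126,6 +127,8 hunk has two typos: "We do not want to help desk to be able to have this capability, so it is being removed rom the role" should read "We do not want the help desk to have this capability, so it is being removed from the role." One sentence on what the step actually does would also help, because the preceding line says the permission is added as a *NotAction*: a *NotAction* subtracts the operation from this role's own *Actions* list, it is not a deny, so a user who holds any other assignment granting the register operation at that scope can still perform it. Suggested addition to the note: "A *NotAction* removes the permission from this role only; it does not block the operation if another role assignment grants it."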
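Review bot: In the @@ -136,7 +139,9 hunk the new line `Task 4: Assign and test the custom RBAC roles.` has no `## ` marker, so it renders as a plain paragraph while the later `## Task 5: Monitor role assignments with the Activity Log` is a real heading. Make it `## Task 4: Assign and test the custom RBAC role` (singular, no trailing period, like the other task headings). The line it replaces was a `###` subsection heading for the assignment steps; since the task still has a `### Test the Help Desk user account to ensure it has the correct privileges` subsection, consider keeping a matching `###` (for example `### Assign the custom role to the Help Desk user`) above the assignment steps so the two halves of the task are structured the same way.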
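Review bot: The @@ -150,7 +155,7 hunk changes the propagation estimate from "up to 10 minutes" to "up to 5 minutes" without a reference; the delay before a new custom role appears is not a fixed value, and a hard number invites support questions whenever it is exceeded. Suggest "it can take several minutes for the custom role to appear after creation" and keep the added **Refresh** instruction, which is the actionable part.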
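Review bot: In the @@ -160,13 +165,13 hunk, "user principle name" should be "user principal name", and the account is spelled "Helpdesk-user1" here but "HelpDesk-user1" in the Members step of the role assignment; use one spelling so a learner pasting the name gets a match. The InPrivate window is the right way to run this test, and the text should say why now that the sign-in step has been split out: a separate browser session ensures the checks that follow ("can view resource groups", "cannot see any individual resources") are made with the help desk user's token only, not with a cached session of the administrator account that created the role.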
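Review bot: In the @@ -174,19 +179,17 hunk the new note reads "Since the role was assigned to the management group, all subscriptions should be available to the help deks." Apart from the typo ("help desk"), the scope claim is too broad: an assignment at **az104-mg1** is inherited only by the subscriptions and resource groups under that management group, not by every subscription in the tenant. Suggest "Since the role was assigned at the **az104-mg1** management group, every subscription under that management group should be available to the help desk user." The removed note was the one place that tied the observed UI (the subscription appearing in the **Subscription** drop-down) to the permission being tested; consider merging that sentence into the new note rather than dropping it. In the same hunk, the Task 5 intro "determine if anyone has created a new role" does not match the filter the next step applies (**Create role assignment**) or the section title; reword it to "determine if anyone has created a new role assignment", or add a second filter on the role definition write operation if auditing custom role creation is the intent.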
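Review bot: The @@ -209,9 +212,7 hunk removes the PowerShell (`Remove-AzResourceGroup -Name resourceGroupName`) and CLI (`az group delete --name resourceGroupName`) cleanup commands and leaves only the portal step, but all three describe deleting a resource group, and nothing this lab creates lives in one: the diff shows a management group (**az104-mg1**), a custom role definition (**Custom Support Request**) with that management group as its assignable scope, and a role assignment for **HelpDesk-user1**. Deleting a resource group leaves all of those behind, and a lingering custom role plus assignment is exactly what a later access review would flag. Suggest replacing the cleanup text with the steps that apply here: remove the role assignment first (a custom role with existing assignments cannot be deleted), then delete the custom role, then delete the management group; or at minimum state that the generic resource-group cleanup text does not apply to this lab. If the only goal was to trim the CLI variants, note that this also removes the one scriptable cleanup path learners are shown.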