User And Groups creations in multiple ways & Role-Based Access Control labs


  • Exercise 1: Create the Senior Admins group with the user account Member1 as its member (the Azure portal).

  • Exercise 2: Create the Junior Admins group with the user account Member2 as its member (PowerShell).

  • Exercise 3: Create the Service Desk group with the user Member3 as its member (Azure CLI).

  • Exercise 4: Assign the Virtual Machine Contributor role to the Service Desk group.

Exercise 1: Create the Senior Admins group with the user account Member1 as its member.

In this exercise, you will complete the following tasks:

  • Task 1: Use the Azure portal to create a user account for Member1.

  • Task 2: Use the Azure portal to create a Senior Admins group and add the user account of Member1 to the group.

Task 1: Use the Azure portal to create a user account for Member1

  1. In the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.

  2. On the Overview blade of the Azure Active Directory tenant, in the Manage section, select Users, and then select + New user.

  3. On the New User blade, ensure that the Create user option is selected, and specify the following settings:

  4. User name: Member1, Name: Member1

  5. Ensure that the Auto-generate password is selected, and select the Show password checkbox to identify the automatically generated password. You would need to provide this password and the user name to Member1.

  6. Click Create.

  7. Refresh the Users | All users blade to verify the new user was created in your Azure AD tenant.

Task 2: Use the Azure portal to create a Senior Admins group and add the user account of Member1 to the group.

In this task, you will create the Senior Admins group, add the user account of Member1 to the group, and configure it as the group owner.

  1. In the Azure portal, navigate back to the blade displaying your Azure Active Directory tenant.

  2. In the Manage section, click Groups, and then select + New group.

  3. On the New Group blade, specify the following settings (leave others with their default values):

  4. Group type: Security, Group name: Senior Admins, Membership type: Assigned

  5. Click the No owners selected link, on the Add owners blade, select Member1, and click Select.

  6. Click the No members selected link, on the Add members blade, select Member1, and click Select.

  7. Back on the New Group blade, once you have verified all the fields, click Create.

  8. Result: You used the Azure Portal to create a user and a group, and assigned the user to the group.

Exercise 2: Create a Junior Admins group containing the user account of Member2 as its member.

In this exercise, you will complete the following tasks:

  • Task 1: Use PowerShell to create a user account for Member2.

  • Task 2: Use PowerShell to create the Junior Admins group and add the user account of Member2 to the group.

Task 1: Use PowerShell to create a user account for Member2.

  1. Open the Cloud Shell by clicking the first icon in the top right of the Azure portal. If prompted, select PowerShell and Create storage. In my scenario, I have already created a storage account, so the prompt to create storage will not appear again.

  2. In the PowerShell session within the Cloud Shell pane, run the following to create a password profile object:

    $passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

  3. In the PowerShell session within the Cloud Shell pane, run the following to set the value of the password within the profile object:

    $passwordProfile.Password = "Pa55w.rd1234"

  4. In the PowerShell session within the Cloud Shell pane, run the following to connect to Azure Active Directory:

    Connect-AzureAD

  5. In the PowerShell session within the Cloud Shell pane, run the following to identify the name of your Azure AD tenant:

    $domainName = ((Get-AzureAdTenantDetail).VerifiedDomains)[0].Name

  6. In the PowerShell session within the Cloud Shell pane, run the following to create a user account for Member2:

    New-AzureADUser -DisplayName 'Member2' -PasswordProfile $passwordProfile -UserPrincipalName "Member2@$domainName" -AccountEnabled $true -MailNickName 'Member2'

  7. In the PowerShell session within the Cloud Shell pane, run the following to list Azure AD users (the accounts of Member1 and Member2 should appear in the list):

    Get-AzureADUser

Task 2: Use PowerShell to create the Junior Admins group and add the user account of Member2 to the group.

In this task, you will create the Junior Admins group and add the user account of Member2 to the group by using PowerShell.

  1. In the same PowerShell session within the Cloud Shell pane, run the following to create a new security group named Junior Admins:

    New-AzureADGroup -DisplayName 'Junior Admins' -MailEnabled $false -SecurityEnabled $true -MailNickName JuniorAdmins

  2. In the PowerShell session within the Cloud Shell pane, run the following to list the groups in your Azure AD tenant (the list should include the Senior Admins and Junior Admins groups):

    Get-AzureADGroup

  3. In the PowerShell session within the Cloud Shell pane, run the following to obtain a reference to the user account of Member2:

    $user = Get-AzureADUser -Filter "MailNickName eq 'Member2'"

  4. In the PowerShell session within the Cloud Shell pane, run the following to add the user account of Member2 to the Junior Admins group (this cmdlet comes from the Az module, which Cloud Shell signs in to automatically, whereas the previous steps used the AzureAD module):

    Add-AzADGroupMember -MemberUserPrincipalName $user.userPrincipalName -TargetGroupDisplayName "Junior Admins"

  5. In the PowerShell session within the Cloud Shell pane, run the following to verify that the Junior Admins group contains the user account of Member2:

    Get-AzADGroupMember -GroupDisplayName "Junior Admins"

  6. Result: You used PowerShell to create a user and a group account, and added the user account to the group account.
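As an added example (not part of the lab's own steps), the same Exercise 2 outcome done with the Az module only, with a per-user random initial password that must be changed at first sign-in instead of a fixed password shared across accounts. It assumes a Cloud Shell PowerShell session already signed in to Az, and `$domainName` is a placeholder for your tenant's domain.

```powershell
# Added example: Exercise 2 with the Az module, hardened password handling.
# Assumes the session is already signed in to Az (as in Cloud Shell).
$domainName = "contoso.onmicrosoft.com"   # placeholder: replace with your tenant domain
$userName   = "Member2"
$groupName  = "Junior Admins"

# Random 24-byte initial password; Base64 yields upper/lower/digits/symbols,
# which satisfies Azure AD complexity. It is never reused for another account.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Create the user only if it does not exist; force a password change at first sign-in.
$user = Get-AzADUser -UserPrincipalName "$userName@$domainName"
if (-not $user) {
    $user = New-AzADUser -DisplayName $userName -UserPrincipalName "$userName@$domainName" `
        -MailNickname $userName -Password $secure -AccountEnabled -ForceChangePasswordNextLogin
    Write-Host "Initial password for $userName (deliver out of band, do not log): $plain"
}

# Create the security group only if it does not exist.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName -MailNickname "JuniorAdmins" -SecurityEnabled
}

# Add the user by object id (unambiguous, unlike display names) and verify membership.
$members = Get-AzADGroupMember -GroupObjectId $group.Id
if (-not ($members | Where-Object { $_.Id -eq $user.Id })) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
}
Get-AzADGroupMember -GroupObjectId $group.Id | Select-Object DisplayName, Id
```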

Exercise 3: Create a Service Desk group containing the user account of Member3 as its member.

In this exercise, you will complete the following tasks:

  • Task 1: Use Azure CLI to create a user account for Member3.

  • Task 2: Use Azure CLI to create the Service Desk group and add the user account of Member3 to the group.

Task 1: Use Azure CLI to create a user account for Member3.

In this task, you will create a user account for Member3.

  1. In the Cloud Shell, switch the shell to Bash using the drop-down option.

  2. In the Bash session within the Cloud Shell pane, run the following to identify the name of your Azure AD tenant:

    DOMAINNAME=$(az ad signed-in-user show --query 'userPrincipalName' | cut -d '@' -f 2 | sed 's/"//')

  3. In the Bash session within the Cloud Shell pane, run the following to create the user Member3, using the domain name identified in the previous step:

    az ad user create --display-name "Member3" --password "Pa55w.rd1234" --user-principal-name "Member3@$DOMAINNAME"

  4. In the Bash session within the Cloud Shell pane, run the following to list Azure AD user accounts (the list should include the user accounts of Member1, Member2, and Member3):

    az ad user list --output table

Task 2: Use Azure CLI to create the Service Desk group and add the user account of Member3 to the group.

In this task, you will create the Service Desk group and add the user account of Member3 to the group.

  1. In the same Bash session within the Cloud Shell pane, run the following to create a new security group named Service Desk:

    az ad group create --display-name "Service Desk" --mail-nickname "ServiceDesk"

  2. In the Bash session within the Cloud Shell pane, run the following to list the Azure AD groups (the list should include Service Desk, Senior Admins, and Junior Admins groups):

    az ad group list -o table

  3. In the Bash session within the Cloud Shell pane, run the following to obtain a reference to the user account of Member3:

    USER=$(az ad user list --filter "displayname eq 'Member3'")

  4. In the Bash session within the Cloud Shell pane, run the following to obtain the objectId property of the user account of Member3:

    OBJECTID=$(echo $USER | jq '.[].id' | tr -d '"')

  5. In the Bash session within the Cloud Shell pane, run the following to add the user account of Member3 to the Service Desk group:

    az ad group member add --group "Service Desk" --member-id $OBJECTID

  6. In the Bash session within the Cloud Shell pane, run the following to list members of the Service Desk group and verify that it includes the user account of Member3:

    az ad group member list --group "Service Desk"

  7. Result: Using Azure CLI you created a user and a group account, and added the user account to the group.

Exercise 4: Assign the Virtual Machine Contributor role to the Service Desk group.

In this exercise, you will complete the following tasks:

  • Task 1: Create a resource group.

  • Task 2: Assign the Service Desk group Virtual Machine Contributor permissions on the resource group.

Task 1: Create a resource group

  1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.

  2. On the Resource groups blade, click + Create and specify the following settings:

  3. Subscription: the name of your Azure subscription, Resource group name: Test-RG, Region: East US

    Click Review + create and then Create.

  4. Back on the Resource groups blade, refresh the page, and verify your new resource group appears in the list of resource groups.

Task 2: Assign the Service Desk group Virtual Machine Contributor permissions on the resource group.

  1. On the Resource groups blade, click the Test-RG resource group entry.

  2. On the Test-RG blade, click Access control (IAM) in the middle pane.

  3. On the Test-RG | Access control (IAM) blade, click + Add and then, in the drop-down menu, click Add role assignment.

  4. On the Add role assignment blade, specify the following settings and click Next after each tab:

  5. Role tab, search box: Virtual Machine Contributor

    Members tab, Assign access to: User, group, or service principal

    Members tab, + Select members: Service Desk

  6. Click Review + assign.

  7. You can check the status of the assignment in Notifications.

  8. From the Access control (IAM) blade, select Role assignments and verify that the Service Desk group has the Virtual Machine Contributor role assigned.

  9. On the Test-RG | Access control (IAM) blade, on the Check access tab, in the Search by name or email address text box, type Member3.

    In the list of search results, select the user account of Member3 and, on the Member3 assignments - Test-RG blade, view the newly created assignment.

  10. Close the Member3 assignments - Test-RG blade.

  11. Result: You have assigned and checked RBAC permissions.
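As an added example (not part of the lab), the Exercise 4 assignment and check done from the PowerShell session with the Az module: the role is granted to the Service Desk group at resource-group scope only, and the script then audits that the group holds no broader subscription-scope assignment and that Member3 inherits the role through group membership rather than a direct user assignment. It assumes Test-RG and the Service Desk group from the earlier exercises exist and the session is signed in to Az.

```powershell
# Added example: scoped RBAC assignment plus two defender-side checks.
# Assumes Test-RG, the Service Desk group and Member3 exist (earlier exercises).
$rgName   = "Test-RG"
$roleName = "Virtual Machine Contributor"
$group    = Get-AzADGroup -DisplayName "Service Desk"
$rg       = Get-AzResourceGroup -Name $rgName
$subId    = (Get-AzContext).Subscription.Id

# Least privilege: assign at the resource group, never at the subscription, and
# assign to the group (membership changes do not require new role assignments).
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $rg.ResourceId -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $rg.ResourceId | Out-Null
}

# Check 1: the group must not also hold this role at subscription scope.
$tooBroad = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq "/subscriptions/$subId" }
if ($tooBroad) {
    Write-Warning "Service Desk also holds '$roleName' at subscription scope; remove it."
}

# Check 2: Member3's effective access on Test-RG, expanded through group membership.
# Expect the VM Contributor entry with ObjectType Group (inherited), not a direct user grant.
$member3 = Get-AzADUser -DisplayName "Member3"
Get-AzRoleAssignment -ObjectId $member3.Id -ExpandPrincipalGroups -Scope $rg.ResourceId |
    Select-Object RoleDefinitionName, DisplayName, ObjectType, Scope
```

Right after the group is created, the role assignment may fail once while the new principal replicates; rerunning the script is safe because every step checks for an existing object first.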

Clean up resources

In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

    Remove-AzResourceGroup -Name "Test-RG" -Force -AsJob