The next step is to assign this custom role to a user at a different level. We are going to assign access at the resource group level, using an account that has owner permissions at the resource group level:
- Navigate to the Azure portal by opening a web browser and going to https://portal.azure.com.
- Select Resource groups on the left, which will show all the current resource groups:
Figure 2.14 – Selecting Resource groups from the main Azure menu
- Select one of your resource groups; if you do not have one yet, you need to create one in any region you want and call it Az-104. In this scenario, I will use one of my resource groups, also called Az-104:
Figure 2.15 – Selecting a resource group
- Next, go to the Access control (IAM) section, click on Add, and select Add role assignment:
Figure 2.16 – The Access control (IAM) blade for the selected resource group
- A new blade opens up; under Role, search for the custom role we created called IT support – Restart VMs only. Under Assign access to, leave it as User, group, or service principal, select PacktUser1, which we created in Chapter 1, Managing Azure Active Directory Objects, and click on Save:
Figure 2.17 – The role assignment blade for the resource group
That’s it – we have now successfully created and assigned a custom RBAC role to a user named PacktUser1. The final step is to validate the role assignment.
Confirming the role assignment steps
Now that we have assigned a role to a user, let’s go ahead and confirm that it’s working as expected:
- Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com (you will need to sign in as the user to whom you assigned your custom role).
- Select All resources on the left, which will show all the current resources:
Figure 2.18 – Selecting All resources from the main Azure menu
- You will be able to see all the VMs listed that are part of the specified resource group:
Figure 2.19 – Displaying all resources for the resource group
- Select a started VM that is available – in my case, this will be prod-vm1 – and see if you can stop the VM:
Figure 2.20 – Stopping the VM
- A pop-up error message will display Failed to stop virtual machine. This confirms that our custom RBAC role is working as expected: the user is denied from stopping the VM, and only restarting the VM is allowed:
Figure 2.21 – An error message stating the user does not have permissions to stop the virtual machine
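The result seen in the portal follows from how a role assignment is evaluated: the operation must match the role's Actions (and not its NotActions), and the resource must sit at or below the assigned scope. The following is an added example, not code from this book or from Azure. The role's Actions list, the all-zero subscription ID, and the other-rg resource group are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed definition of the custom role; its JSON is not shown in this section.
ROLE = {
    "Name": "IT support – Restart VMs only",
    "Actions": [
        "Microsoft.Compute/*/read",                          # lets the user list the VMs
        "Microsoft.Compute/virtualMachines/restart/action",  # the only write-type action
    ],
    "NotActions": [],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG_SCOPE = f"{SUB}/resourceGroups/Az-104"
VM = f"{RG_SCOPE}/providers/Microsoft.Compute/virtualMachines/prod-vm1"
# Constructed VM in a different resource group, outside the assigned scope.
OTHER_VM = f"{SUB}/resourceGroups/other-rg/providers/Microsoft.Compute/virtualMachines/vm2"

# The assignment made in the portal: PacktUser1 gets the role on the resource group.
ASSIGNMENTS = [{"principal": "PacktUser1", "role": ROLE, "scope": RG_SCOPE}]

def in_scope(assignment_scope, resource_id):
    """An assignment covers its scope and every resource below it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def matches(patterns, operation):
    """Case-insensitive match of an operation against wildcard patterns."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def is_allowed(principal, operation, resource_id, assignments=ASSIGNMENTS):
    """Allowed if any in-scope assignment grants the operation via Actions
    and does not subtract it again via NotActions."""
    for a in assignments:
        if a["principal"] != principal or not in_scope(a["scope"], resource_id):
            continue
        role = a["role"]
        if matches(role["Actions"], operation) and not matches(role["NotActions"], operation):
            return True
    return False

if __name__ == "__main__":
    for op in ("read", "restart/action", "powerOff/action", "deallocate/action"):
        full = f"Microsoft.Compute/virtualMachines/{op}"
        print(f"{full:55} {'allowed' if is_allowed('PacktUser1', full, VM) else 'denied'}")
```

Because RBAC has no implicit allow, anything not listed under Actions is denied, which is why both ways of stopping the VM (power off and deallocate) fail for this user.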
In this section, we looked at how to assign a custom RBAC role via the Azure portal and confirmed that the custom role is applied and working as expected.
We encourage you to read further by using the following link, which goes into more detail about assigning roles in Azure: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current.