AzureCon Challenge

Using Role Based Access Control (RBAC) in Azure


Overview
In this challenge you will see Role-Based Access Control (RBAC) at work. You will create a new user in your Azure subscription, assign roles to that user, and see how the roles affect the way the user can interact with the services.

1. Login to Azure
For this challenge, you have either elected to use your own subscription or have created a new Azure
subscription using the provided Azure Pass (or Free Trial). If you want to switch to use the provided Azure Pass
the promotion code is displayed on the My Account page on the http://challenge.azurecon.com web site. If
there is no promo code displayed, you will need to use the free trial - http://azure.microsoft.com/pricing/freetrial.
Azure has TWO management portals - the classic portal (http://manage.windowsazure.com) and a new portal
that is in Preview at http://portal.azure.com. You will use both portals in this challenge.
1. Open a browser and go to http://portal.azure.com (this is the preview portal).
2. Enter your Microsoft Account email address and password for the Microsoft Account you associated with your Azure Pass.
3. Open a new tab in your browser and go to http://manage.windowsazure.com (this is the classic portal).
4. You will now be in your Azure subscription and from here you can create and manage Azure services.

The first part of the challenge will be done in the Azure Classic Portal.

2. Create a new user in your Azure AD default subscription directory


In this task you are going to create a new user in your Azure subscription.
1. In the Azure Classic Portal, on the main menu, choose Active Directory.
2. On the Active Directory pane press the arrow next to the Default Directory.
3. On the default directory pane press the Users link, which will take you to the list of users currently part of your subscription. At the moment, this should contain only your current user. Press the Add User link placed at the bottom of the page.
4. As the type of user, select New user in your organization.
5. For the User Name we suggest you use a unique user name. Press the right arrow to go to the next blade.
6. On the User Profile blade, add the following information and press the right arrow to go to the next blade:
   First Name: Azure
   Last Name: Rbac
   Display Name: Azure Rbac
   Role: User
   Enable Multi-Factor Authentication: Unchecked
7. On Get temporary password, press create, which will create the new user. Please write down the full username, which will be something like aztrainpass86432rbac@aztrainpass86432outlook.onmicrosoft.com, and the generated password. Without those you won't be able to finish this challenge.
8. Open a new In-private window in your browser, and go to the Azure Preview Portal (https://portal.azure.com). You need to open an In-private window in order to be able to log in to Azure as a different user (you may need to close and launch the browser again or launch an alternate browser).
9. Fill in your user name and password from step 7, and change the password to P@ssWord1.
10. You will be able to browse the portal, but you won't be able to see or add anything.

3. Create a Web App with a SQL Database in a new Resource Group


In this task we are going to create a Web App with a SQL Database in a new Resource Group called RBACrg3. For this task we are going to use an ARM Template, which we are going to copy from the Azure Quickstart Templates gallery on GitHub.
1. Using the browser instance in which you are logged into your Azure account, navigate to the Azure Preview Portal at http://portal.azure.com and press the +New button.
2. Then from the list of services choose Marketplace.
3. In the search box type Template Deployment.
4. Press the Create button and then choose Edit Template.
5. In the Edit template blade, select all the code and remove it.
6. In a new browser window go to this link: https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-web-app-sql-database/azuredeploy.json, copy the whole code from there and paste it in the Edit template window.
7. Examine the code you have just pasted. You will see parameters for the App Service Plan, the Web App, a SQL Database Server and a SQL Database. There are also configuration sections for the connection string used by the Web App.
8. Save the template and go to the Edit parameters blade.
9. For the Site Name you need to use a unique name. Note: the template editor will not notify you if the value is not unique. Append a few numbers to the end of the name to ensure it is unique.
10. For the Hosting Plan Name we suggest you use rbacap1.
11. For the Site Location use any one of these 4 values: West US, South Central US, Central US and East US, and then press OK. Please note that the name of the zones is case sensitive.
12. Specify a unique name for the server name. Note: the template editor will not notify you if the value is not unique. Append a few numbers to the end of the name to ensure it is unique.
13. For the Server Location use the same location as you used for Site Location.
14. For Administrator Login use: azureadmin
15. For Administrator Password use: Pass@Word1
16. For the Database Name we suggest you use rbacdb1.
17. On the Resource Group blade press the Or create new link, and choose Rbacrg1 as the name of your Resource Group.
18. For the resource group location use the same location you used for the Site Location.
19. Accept the default values for all other parameters.
20. On the legal terms press Buy, to indicate that you agree with the Legal Terms (there is no purchase involved, but some resources cost money, so that is why Microsoft chose this word).
21. Make sure that Pin to Startboard is selected, and then press the Create button.
22. After a while (usually less than 2 minutes), depending on the load on Azure at the time, your deployment is created and a blade with your resource group will open.
23. You don't have to wait for the deployment to finish; you can just move to the next task.

4. Create another Web App with a SQL Database in a new Resource Group
In this task we are going to create the services from the previous task again.
1. Repeat all the steps from the previous task using the following values for the parameters:
   a. Site Name: rbacwa2
   b. Hosting Plan Name: rbacap2
   c. Site Location: use any one of these 4 values: West US, South Central US, Central US and East US. Please note that the name of the zones is case sensitive.
   d. Specify a unique name for the server name. Note: the template editor will not notify you if the value is not unique. Append a few numbers to the end of the name to ensure it is unique.
   e. Server Location: use the same location as you used for Site Location
   f. Administrator Login: azureadmin
   g. Administrator Password: Pass@Word1
   h. Database Name: rbacdb2
   i. Resource Group: Rbacrg2

5. Give the new user different permissions to the newly created resource groups
In this task you will grant permissions to the user you created in step 2, to access the resource groups created in step 3.
1. In your first browser window (not the In-private one) go to the Azure Preview Portal tab (https://azure.portal.com).
2. On the left-hand side choose Browse and then choose Resource Groups, or choose Resource Groups directly if you can see it on your Favorite list.
3. Select the Rbacrg1 Resource Group, and then press the access icon on the right-hand side.
4. On the Users blade press Add and then choose Contributor from the Select a role list.
5. On the Add users list select the user created in Task 1 (Azure Rbac), and then press Select and OK on the Add access blade.
6. Repeat steps 1-5 for the Rbacrg2 Resource Group, but instead of adding the user to the Contributor role, add it to the Reader role.

6. Compare the effect of the two permissions


In this task you will see the effect of the permissions you have just created.
1. Switch back to the In-private window. If you closed it, open a new In-private window, go to https://portal.azure.com and log in using the user name and password you created in task 2.
2. In the portal press the New button in the top left corner, then choose Compute, and then Windows Server 2012 R2 Datacenter.
3. On the Windows Server 2012 R2 Datacenter blade, select the Resource Manager deployment model, and press Create.
4. On the Basics blade fill in the following values for the parameters and then press OK:
   Name: VMRbac1
   User Name: azureadmin
   Password: P@ssWord1
   Resource Group: Choose the existing Rbacrg1
   Location: Choose a location close to your current region
5. On the Size blade choose D1 as the size for your VM and then press Select.
6. On the Settings blade accept the default values and press Ok.
7. On the Summary blade press Ok.

Because the user is a Contributor for the Rbacrg1 resource group, the deployment will succeed and in about 2 minutes you will have one more VM in the resource group.

8. Repeat Steps 2-7 but use the following parameters instead:
   Name: VMRbac2
   User Name: azureadmin
   Password: P@ssWord1
   Resource Group: Choose the existing Rbacrg2
   Location: Choose a location close to your current region

Because the user is a Reader for the Rbacrg2 resource group, the deployment will fail and you will be informed that you don't have the permissions to do it.
RBAC is a very powerful feature of Azure because it gives you control over who can access your resources on the cloud.
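
The different outcomes in task 6 follow from the actions each built-in role allows at the scope where it was assigned. The Python sketch below is an added example, not part of the original lab and not Azure's own code: it models a simplified version of that evaluation. The role definitions are abbreviated, and the subscription ID and the principal name `azure.rbac` are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Simplified copies of two Azure built-in role definitions (Contributor's
# NotActions list is abbreviated to its authorization entries).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Assignments made in task 5 (the principal name is a constructed stand-in).
ASSIGNMENTS = [
    ("azure.rbac", "Contributor", f"{SUB}/resourceGroups/Rbacrg1"),
    ("azure.rbac", "Reader", f"{SUB}/resourceGroups/Rbacrg2"),
]

def _matches(patterns, action):
    # Action strings are compared case-insensitively; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(assignment_scope, resource_id):
    # An assignment applies to its scope and to everything beneath it.
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")

def is_allowed(principal, action, resource_id):
    for who, role, scope in ASSIGNMENTS:
        if who != principal or not in_scope(scope, resource_id):
            continue
        role_def = ROLES[role]
        if _matches(role_def["actions"], action) and not _matches(
                role_def["not_actions"], action):
            return True
    return False  # no assignment grants the action: denied by default

if __name__ == "__main__":
    write_vm = "Microsoft.Compute/virtualMachines/write"
    for rg, vm in (("Rbacrg1", "VMRbac1"), ("Rbacrg2", "VMRbac2")):
        rid = f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm}"
        print(rg, "create VM allowed:", is_allowed("azure.rbac", write_vm, rid))
```

The model also shows why a Contributor cannot hand out access to others: role assignment writes fall under the role's NotActions.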
--- END OF LAB ---
Go back to the AzureCon Challenge web site (http://challenge.azurecon.com) and complete the challenge question to get your points.
REMEMBER: You only have one chance at the question, make sure you really know the answer!