IAM (Identity Access Manager)

• IAM tab is used to give permission to entities
• Roles can be assigned at one of the following layers
• Resource
• Resource group
• Subscription
• Management group

Role Assignments

• It's an authorization system built on top of ARM
• By default, the admin user has User Access Administrator inherited role to all resources
• Add role assignment to grant accesses to this resource

• Assign access to

• A user

• A group

• A service principal

• A role assignment to a VM does no imply access to all other related resources (NIC, NSG, Public IP, Disk, etc)

• Alternatively you can give access at the resource group where the VM lives. This way, all resources within the RG inherits the role.

Built-in roles

• https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

• Owner: unrestricted permissions, including managing accesses

• Contributor: unrestricted permissions, expect managing accesses
• Reader: view all resources, but no change permissions
• User Access Administrator: manage user access to Azure resources
• ...

Custom roles

• A role definition must be created

{
  "Name": "stagingrole",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access to Azure Virtual Machines and storage accounts",
  "Actions": ["Microsoft.Compute/*/read", "Microsoft.Storage/*/read"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/20c6eec9-2d80-4700-b0f6-4fde579a8783"]
}

Options for accessing a resource

1. Access keys: authentication via a connection string. Least preferred option
2. AD RBAC: authenticate and authorize an Application Object against Azure AD with an access token. The Roles are defined under IAM tab