Interpret access assignments – Manage Azure identities and governance – AZ-104 Study Guide

Interpret access assignments

To manage access (role) assignments, you can use the Azure portal, the Azure CLI, Azure PowerShell, Azure SDKs, or the Resource Manager REST APIs. The following section describes how to manage role assignments using the Azure portal.

In the Azure portal, the Access Control (IAM) blade is used to manage access to resources, and it is where role assignments are applied or removed. The Access Control (IAM) blade is available at any scope where role assignments can be made (management group, subscription, resource group, and resource). To find the Access Control (IAM) blade, navigate to the resource or service where you want to manage role assignments.

In the following example, the Virtual Machine Contributor built-in role will be assigned to a user at the resource group scope.

In the Azure portal, navigate to a resource group by selecting Resource Groups on the left, selecting a resource group, and then selecting the Access Control (IAM) blade.

From the Access Control (IAM) blade, you can

  • Check the effective access rights for a security principal at the current scope through the Check Access tab, where you can also view access rights inherited from a parent scope
    • Edit role assignments, both granting and revoking access rights through the Role Assignments tab
    • View deny assignments, which are controlled by Microsoft, through the Deny Assignments tab
    • View and manage permissions to classic resources through the Classic Administrators tab
    • View the available roles, both built-in and custom, through the Roles tab

IMPORTANT DENY ASSIGNMENTS IN THE IAM BLADES

The Deny Assignments tab of the Access Control (IAM) blade cannot be used to make or alter deny assignments. Deny assignments are set and controlled by applying a resource lock for resources or by using Deployment Stacks. For more information on Deployment Stacks, visit https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks.

To create a role assignment, navigate to the Role Assignments tab and click Add, as shown in Figure 1-25.

FIGURE 1-25 Role Assignments tab on the Access Control (IAM) blade

After clicking Add, select Add Role Assignment, as shown in Figure 1-26.

FIGURE 1-26 Add role assignment

On the Add Role Assignment blade, there are three tabs: Role, Members, and Review + Assign. The Role tab lists roles as job function roles or privileged administrator roles. Select the role from the Role tab that you plan to assign, then on the Members tab, select the user, group, security principal, or managed identity you want to assign the role to. Click Review +

Assign when you are done. Figure 1-27 shows an example where the user, DemoUser@hugelab. net, is being granted access to the Virtual Machine Contributor role. In the example directory, two security principals were returned from the filtered list using the search term “User”—(VM User and Demo User). A single principal (Demo User) was selected (displayed under Selected Members) to apply to the Virtual Machine Contributor role assignment.

FIGURE 1-27 Select members

After clicking Review + Assign, you will see the role assignment on the Role Assignments tab. To remove a role assignment, select one or more security principals and click Remove. An example is shown in Figure 1-28.

FIGURE 1-28 Remove a role assignment