DEV Community

1suleyman
Managing Subscriptions and RBAC: AZ-104 Lab 02a Review

Introduction

As part of my journey to becoming an Azure Administrator, I recently completed Lab 02a - Manage Subscriptions and RBAC from the AZ-104 certification series. This lab focused on implementing Role-Based Access Control (RBAC) and Management Groups to streamline access management and subscription organization in Azure.

Below, I document my learnings, key takeaways, and insights from this lab.


Lab Overview

This lab provided hands-on experience in managing subscriptions and RBAC roles in Azure. The scenario focused on simplifying subscription management and implementing access controls efficiently.

Skills Practiced:

✅ Creating and configuring Management Groups

✅ Assigning built-in roles to users/groups

✅ Creating custom RBAC roles for fine-grained control

✅ Monitoring role assignments using the Activity Log


Step-by-Step Breakdown

Task 1: Implementing Management Groups

Management groups sit above subscriptions and let you organize them into a hierarchy. Role assignments and Azure Policy assignments made on a management group are inherited by every subscription, resource group and resource beneath it, so one assignment can govern many subscriptions.

Steps Taken:

1️⃣ Signed into the Azure Portal

2️⃣ Navigated to Management Groups

3️⃣ Created a new Management Group with the following settings:

  • Management Group ID: az104-mg1
  • Management Group Display Name: az104-mg1

4️⃣ Refreshed the page to confirm the group was created.

📌 Insight:

  • Every subscription and management group in the tenant sits under the Root Management Group (Tenant Root Group) by default; a new management group is created as a child of it.
  • Role assignments and policies applied at the root cascade down to every subscription in the tenant, which is why they need the most scrutiny.
  • By default nobody, not even a Global Administrator, has Azure RBAC permissions at the root. A Global Administrator has to explicitly elevate access (which grants User Access Administrator at scope "/"), and that elevation is itself recorded in the Activity Log.
  • Inheritance makes management groups the natural place to apply tenant-wide or business-unit-wide permissions in large organizations.

Task 2: Reviewing and Assigning a Built-in Azure Role

Azure provides predefined roles to control access to resources.

Steps Taken:

1️⃣ Navigated to az104-mg1 Management Group

2️⃣ Opened Access Control (IAM) > Roles Tab

3️⃣ Reviewed Built-in Roles like:

  • Owner (full control over resources, including granting access to others)
  • Contributor (create and manage all resource types, but cannot assign roles or otherwise grant access)
  • Reader (view-only access)

4️⃣ Assigned the "Virtual Machine Contributor" role to the Help Desk group

5️⃣ Verified the role assignment in the Role Assignments tab

📌 Insight:

  • Best practice: assign roles to groups rather than individual users. Membership changes then need no new role assignments, and the assignment list stays short enough to review.
  • The Virtual Machine Contributor role lets members create and manage VMs (including their disks and network interfaces), but it grants no management access to the virtual network or storage account the VMs use, and no sign-in access to the VM itself.
  • Azure RBAC is additive: a principal's effective permissions are the union of every role assigned at or above the scope. A user who already holds Owner gains nothing from an extra Contributor or Reader assignment, and a narrower role cannot take away anything Owner grants.

Task 3: Creating a Custom RBAC Role

Built-in roles may have too many permissions, so custom roles provide granular access control based on the principle of least privilege.

Steps Taken:

1️⃣ Navigated to az104-mg1 Management Group

2️⃣ Opened Access Control (IAM) > Add > Add custom role

3️⃣ Configured a new role with these settings:

  • Custom Role Name: Custom Support Request
  • Description: A custom role for support request management.
  • Cloned Role: Support Request Contributor

4️⃣ Excluded the permission:

  • Registers Support Resource Provider (Microsoft.Support/register/action)

5️⃣ Set the assignable scope to the az104-mg1 Management Group, so the role can only be assigned there or on the subscriptions beneath it

6️⃣ Reviewed the JSON Role Definition and created the role

📌 Insight:

  • A custom role definition is made of Actions, NotActions, DataActions, NotDataActions and AssignableScopes. Excluding a permission in the portal adds it to NotActions.
  • NotActions only subtracts from the Actions of the same role; it is not a deny. Help Desk members can create support tickets but not register the Support resource provider only as long as no other assignment (Contributor, for example) grants that action. Deny assignments are the only mechanism that overrides an allow.
  • Role definitions are stored in JSON, so a reviewed definition can live in source control and be created with `az role definition create` or `New-AzRoleDefinition` instead of through the portal.
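To make the points in Tasks 1 to 3 concrete (scope inheritance from a management group, the additive union of roles, NotActions versus deny, and AssignableScopes), here is a small model of how Azure RBAC evaluates a request. It is an added example written for this post, not lab material or an Azure SDK: the role definitions are abridged from the built-in roles (check the full lists with `az role definition list`), and the management group names, subscription GUIDs and principal names are constructed.

```python
"""Toy model of Azure RBAC evaluation (added example, not lab or Azure code).
Role definitions are abridged; scopes, GUIDs and principals are constructed."""
import re

# Scope hierarchy (constructed): Tenant Root Group > az104-mg1 > subscription.
TENANT_ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root"
MG = "/providers/Microsoft.Management/managementGroups/az104-mg1"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
OTHER_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # not under az104-mg1
MG_PARENT = {MG.lower(): TENANT_ROOT.lower(), SUB.lower(): MG.lower(),
             OTHER_SUB.lower(): TENANT_ROOT.lower()}

# Abridged role definitions. NotActions subtract from the Actions of the SAME role only.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {"Actions": [
        "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"], "NotActions": []},
    "Support Request Contributor": {"Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"], "NotActions": []},
}
for _role in ROLES.values():
    _role["AssignableScopes"] = ["/"]  # built-in roles can be assigned at any scope

def clone_role(name, base, exclude, assignable_scopes, description=""):
    """Portal flow 'Clone a role' + 'Exclude permissions': excluded actions land in NotActions."""
    src = ROLES[base]
    return {"Name": name, "IsCustom": True, "Description": description,
            "Actions": list(src["Actions"]),
            "NotActions": list(src["NotActions"]) + list(exclude),
            "DataActions": [], "NotDataActions": [],
            "AssignableScopes": list(assignable_scopes)}

def action_matches(pattern, action):
    """Azure wildcard rule: '*' matches any characters, '/' included; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    granted = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return granted and not excluded

def scope_contains(outer, inner):
    """True if `inner` is `outer` or lies beneath it: a child path inside a subscription,
    or a subscription (and anything in it) under a management group via MG_PARENT."""
    outer, inner = outer.lower(), inner.lower()
    if inner == outer or inner.startswith(outer.rstrip("/") + "/"):
        return True
    sub = re.match(r"^/subscriptions/[^/]+", inner)
    cur = MG_PARENT.get(sub.group(0) if sub else inner)
    while cur:
        if cur == outer:
            return True
        cur = MG_PARENT.get(cur)
    return False

def assign_role(assignments, principal, role_name, scope):
    """Azure rejects an assignment whose scope is outside the role's AssignableScopes."""
    role = ROLES[role_name]
    if not any(scope_contains(s, scope) for s in role["AssignableScopes"]):
        raise ValueError(f"{role_name!r} is not assignable at {scope}")
    assignments.append({"principal": principal, "role": role_name, "scope": scope})

def is_allowed(assignments, principal, action, scope):
    """Additive evaluation: allow if ANY inherited assignment's role grants the action.
    Deny assignments, the one mechanism that can veto an allow, are not modelled."""
    return any(a["principal"] == principal and scope_contains(a["scope"], scope)
               and role_grants(ROLES[a["role"]], action) for a in assignments)

# Task 3: the lab's custom role, cloned from Support Request Contributor.
ROLES["Custom Support Request"] = clone_role(
    "Custom Support Request", "Support Request Contributor",
    exclude=["Microsoft.Support/register/action"],  # "Registers Support Resource Provider"
    assignable_scopes=[MG], description="A custom role for support request management.")

def lab_scenario():
    """Task 2 assignment plus checks for the insights above; returns the decisions."""
    asg = []
    assign_role(asg, "helpdesk", "Virtual Machine Contributor", MG)  # Task 2
    assign_role(asg, "helpdesk", "Custom Support Request", MG)
    assign_role(asg, "alice", "Owner", SUB)
    assign_role(asg, "alice", "Contributor", SUB)  # adds nothing on top of Owner
    assign_role(asg, "bob", "Custom Support Request", MG)
    assign_role(asg, "bob", "Contributor", SUB)  # a second role re-grants what NotActions excluded
    vm = SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
    return {
        "helpdesk_vm_write": is_allowed(asg, "helpdesk", "Microsoft.Compute/virtualMachines/write", vm),
        "helpdesk_vnet_write": is_allowed(asg, "helpdesk", "Microsoft.Network/virtualNetworks/write", SUB),
        "helpdesk_role_assign": is_allowed(asg, "helpdesk", "Microsoft.Authorization/roleAssignments/write", SUB),
        "helpdesk_ticket": is_allowed(asg, "helpdesk", "Microsoft.Support/supportTickets/write", SUB),
        "helpdesk_register": is_allowed(asg, "helpdesk", "Microsoft.Support/register/action", SUB),
        "alice_role_assign": is_allowed(asg, "alice", "Microsoft.Authorization/roleAssignments/write", SUB),
        "bob_register": is_allowed(asg, "bob", "Microsoft.Support/register/action", SUB),
    }

def outside_assignable_scope_is_rejected():
    try:
        assign_role([], "helpdesk", "Custom Support Request", OTHER_SUB)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    import json
    print(json.dumps(ROLES["Custom Support Request"], indent=2))
    for name, decision in lab_scenario().items():
        print(f"{name:22} {decision}")
    print("rejected outside AssignableScopes:", outside_assignable_scope_is_rejected())
```

Running the script prints the generated role JSON, then shows that the Help Desk assignment at az104-mg1 is inherited by a VM two levels down, that the same group still cannot touch virtual networks or role assignments, that the excluded register action is blocked for helpdesk but allowed for bob because his Contributor assignment grants it again, and that the custom role cannot be assigned on a subscription outside its assignable scope.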

Task 4: Monitoring Role Assignments with the Activity Log

Activity Logs provide insights into role assignments and security changes.

Steps Taken:

1️⃣ Navigated to az104-mg1

2️⃣ Opened Activity Log

3️⃣ Filtered logs to review Role Assignment events (operation "Create role assignment", i.e. Microsoft.Authorization/roleAssignments/write)

4️⃣ Verified that the new Custom Support Request role was assigned

📌 Insight:

  • The Activity Log records every control-plane operation, so it is the place to audit who created, changed or deleted role assignments and role definitions, and who elevated access at the root.
  • You can filter by time range, operation, caller or status to track role changes. Filtering on status Succeeded avoids counting an operation twice where the log holds both a Started and a Succeeded entry for it.
  • Activity Log entries are retained for 90 days. For longer retention or alerting, send the log to a Log Analytics workspace or SIEM through a diagnostic setting and alert on Microsoft.Authorization/roleAssignments/write and roleDefinitions/write.
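The filtering described in this task is easy to turn into a small triage routine once the log is exported. The following is an added example for this post, not lab material: it reads reduced Activity Log records (only the fields the logic uses: operationName.value, status.value, caller, eventTimestamp, resourceId and properties.requestbody; real exports carry many more), keeps the successful RBAC operations, and ranks them for review. The records are constructed; the Owner and User Access Administrator GUIDs are the documented built-in role IDs, while the custom role GUID is a placeholder.

```python
"""Triage Azure Activity Log records for RBAC changes (added example, not lab code).
Sample records are constructed and reduced to the fields used here."""
import json

RBAC_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment deleted",
    "Microsoft.Authorization/roleDefinitions/write": "role definition created or updated",
    "Microsoft.Authorization/roleDefinitions/delete": "role definition deleted",
    "Microsoft.Authorization/elevateAccess/action": "Global Administrator elevated access to root",
}
PRIVILEGED_ROLE_IDS = {  # documented built-in role definition IDs
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def triage(records):
    """One finding per successful RBAC operation; severity high/medium/info sets review order."""
    findings = []
    for rec in records:
        op = rec["operationName"]["value"]
        if op not in RBAC_OPERATIONS or rec["status"]["value"] != "Succeeded":
            continue  # unrelated operations, and Started/Failed entries of the same operation
        body = json.loads(rec.get("properties", {}).get("requestbody") or "{}")
        props = body.get("Properties", {})
        # A role assignment id embeds its scope: <scope>/providers/Microsoft.Authorization/roleAssignments/<guid>
        scope = props.get("Scope") or rec["resourceId"].split("/providers/Microsoft.Authorization/")[0] or "/"
        role_id = (props.get("RoleDefinitionId") or "").rsplit("/", 1)[-1].lower()
        high, reasons = False, []
        if role_id in PRIVILEGED_ROLE_IDS:
            high = True
            reasons.append(f"privileged role {PRIVILEGED_ROLE_IDS[role_id]}")
        if op.endswith("/elevateAccess/action"):
            high = True
            reasons.append("User Access Administrator at root scope granted to a Global Administrator")
        if scope == "/" or scope.lower().startswith(MG_PREFIX):
            reasons.append("root or management-group scope: inherited by every child subscription")
        if props.get("PrincipalType") == "User":
            reasons.append("assigned to a user instead of a group")
        findings.append({"time": rec["eventTimestamp"], "caller": rec["caller"],
                         "operation": RBAC_OPERATIONS[op], "scope": scope,
                         "role_id": role_id or None, "principal": props.get("PrincipalId"),
                         "severity": "high" if high else ("medium" if reasons else "info"),
                         "reasons": reasons})
    return findings

def _record(ts, caller, op, status, resource_id, body=None):
    """Build a reduced Activity Log record (constructed sample data)."""
    rec = {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
           "status": {"value": status}, "resourceId": resource_id, "properties": {}}
    if body is not None:
        rec["properties"]["requestbody"] = json.dumps(body)
    return rec

MG = "/providers/Microsoft.Management/managementGroups/az104-mg1"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"
ASSIGN = "Microsoft.Authorization/roleAssignments/write"
LAB_BODY = {"Properties": {"PrincipalId": "a1b2c3d4-0000-0000-0000-000000000002", "PrincipalType": "Group",
                           "RoleDefinitionId": ROLE_DEFS + "cccccccc-cccc-cccc-cccc-cccccccccccc",  # placeholder
                           "Scope": MG}}
SAMPLE_RECORDS = [  # constructed: the lab's assignment, noise, a risky assignment, and an elevation
    _record("2024-01-10T09:00:00Z", "admin@contoso.example", ASSIGN, "Started",
            MG + "/providers/Microsoft.Authorization/roleAssignments/aaaa", LAB_BODY),
    _record("2024-01-10T09:00:01Z", "admin@contoso.example", ASSIGN, "Succeeded",
            MG + "/providers/Microsoft.Authorization/roleAssignments/aaaa", LAB_BODY),
    _record("2024-01-10T09:05:00Z", "admin@contoso.example", "Microsoft.Compute/virtualMachines/start/action",
            "Succeeded", SUB + "/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"),
    _record("2024-01-10T17:42:00Z", "contractor@contoso.example", ASSIGN, "Succeeded",
            SUB + "/providers/Microsoft.Authorization/roleAssignments/bbbb",
            {"Properties": {"PrincipalId": "e5f6a7b8-0000-0000-0000-000000000001", "PrincipalType": "User",
                            "RoleDefinitionId": ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Scope": SUB}}),
    _record("2024-01-11T02:13:00Z", "globaladmin@contoso.example", "Microsoft.Authorization/elevateAccess/action",
            "Succeeded", "/providers/Microsoft.Authorization/elevateAccess"),
]

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_RECORDS), key=lambda f: f["severity"] != "high"):
        print(f["severity"].upper(), f["time"], f["caller"], f["operation"], f["scope"], f["reasons"])
```

The Started entry and the VM start operation are dropped, the lab's own Help Desk assignment comes out as medium only because it lands at management-group scope, and the two findings that deserve a pager are the Owner assignment to a single user and the root-level elevation. The same record shape is what you get from the Activity Log export or a Log Analytics query, so the logic ports directly into a scheduled alert rule.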

Key Learnings

1️⃣ Understanding Management Groups

  • Used to logically group subscriptions for policy and access management.
  • Role and policy assignments on the Root Management Group are inherited by every subscription in the tenant, so changes there need the most care.

2️⃣ Assigning RBAC Roles

  • Built-in roles (Owner, Contributor, Reader, etc.) simplify role management.
  • Best practice: Assign roles to groups, not individuals.

3️⃣ Creating Custom RBAC Roles

  • Custom roles allow fine-tuned access control using JSON definitions.
  • Helps implement least privilege access.

4️⃣ Monitoring Role Assignments

  • Activity Log helps track security changes & role modifications.

📌 Additional Fact:

  • Azure RBAC is for managing Azure resources, while Microsoft Entra ID roles are for managing the directory itself.

🔗 Pop Quiz: Validate Your Learning!

Test yourself with these Yes or No questions to reinforce your understanding of Azure RBAC and Subscription Management!

📝 Take the quiz here: 👉 Quiz Link


Conclusion

Completing this lab reinforced my understanding of RBAC and Subscription Management in Azure. Learning how to create and assign roles efficiently ensures that users only have necessary access, minimizing security risks. The ability to monitor changes using the Activity Log further enhances auditability and security in Azure environments.

🚀 Stay tuned for my next blog post on Lab 02b - Manage Governance via Azure Policy!

🔗 Follow my journey as I continue mastering Azure Administration! 🚀
