First published on MSDN on May 30, 2017
Getting your Azure GUID (subscription ID)
In some situations you need to identify your Azure Subscription GUID, also called the Subscription ID.
1. Go to http://portal.azure.com
2. Scroll all the way down the left navigation blade to Subscriptions
3. Click on Subscriptions
Your subscriptions will be listed with the Subscription ID clearly shown, along with the Role Based Access Control role you have been granted on each subscription and the status of the subscription.
4. Copy the GUID of the Subscription ID you require. These are in the following format:
20543c7f-f4e4-2713-50f2060cd9f0e04b
Assigning Azure Role Based Access Control
A few weeks ago, at https://blogs.msdn.microsoft.com/uk_faculty_connection/2017/03/13/setting-up-azure-at-your-institution/, I shared how institutions could set up user accounts across an institution using RBAC.
Subscriptions and Resource Groups are among the most important aspects when looking at how to deliver cloud resources to your staff and students.
As I discussed in that blog, there are two best practice principles around providing Azure at your institution:
1. Create new major subscriptions to hold resource groups, according to broad categories
- Central IT
- Unit IT
- Research Groups
- Students and Student Project/Courses
2. Use Role Based Access Control
- Create new resource groups for newly on-boarded teams, instead of new subscriptions
- Resource groups allow you to implement role based access control so students can be contributors to services but not owners and IT staff can have overall control
- We have created a set of Role Based Access Control scripts at https://github.com/MSFTImagine/computerscience
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs.
This article helps you get up and running with RBAC in the Azure portal.
If you want more details about how RBAC helps you manage access, see What is Role-Based Access Control.
Within each subscription, you can grant up to 2000 role assignments.
View access
You can see who has access to a resource, resource group, or subscription from its main blade in the Azure portal. For example, we want to see who has access to one of our resource groups:
- Select Resource groups in the navigation bar/blade on the left at http://portal.azure.com
- Select the name of the resource group from the Resource groups blade.
- Select Access control (IAM) from the left menu.
- The Access control blade lists all users, groups, and applications that have been granted access to the resource group.
Notice that some users were Assigned access while others Inherited it. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.
Note
Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.
Add Access
You grant access from within the resource, resource group, or subscription that is the scope of the role assignment.
- Select Add on the Access control blade.
- Select the role that you wish to assign from the Select a role blade.
- Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.
- Select OK to create the assignment. The Adding user popup tracks the progress.
After successfully adding a role assignment, it will appear on the Users blade.
Remove Access
- Use the check boxes on the Access control blade to select one or more role assignments.
- Select Remove.
- A box will pop up asking you to confirm the action. Select Yes to remove the role assignments.
Inherited assignments cannot be removed. If you need to remove an inherited assignment, you need to do it at the scope where the role assignment was created. In the Scope column, next to Inherited there is a link that takes you to the resources where this role was assigned. Go to the resource listed there to remove the role assignment.
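The Assigned/Inherited distinction from View access, and the Remove Access rule that an inherited assignment has to be removed at the scope where it was created, worked through as an added example (not code from the original post or from the MSFTImagine scripts). It assumes role assignments exported as JSON in the shape the Azure CLI's `az role assignment list --all` returns; the subscription ID, resource group names and principals are constructed placeholders.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`.
# The subscription ID, groups and users are placeholders, not real values.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/cs101"
SAMPLE = [
    {"principalName": "it-admins", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "student1@example.edu", "roleDefinitionName": "Contributor",
     "scope": RG},
    # Same resource group, different casing: scopes compare case-insensitively.
    {"principalName": "student2@example.edu", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourcegroups/CS101"},
    # Sibling group whose name merely starts with "cs101": must not match.
    {"principalName": "ta@example.edu", "roleDefinitionName": "Reader",
     "scope": RG + "-labs"},
]


def normalise(scope):
    """Lower-case a scope and drop a trailing slash (root "/" becomes "")."""
    return scope.rstrip("/").lower()


def classify(assignments, target_scope):
    """List (access, role, principal, remove_at) for assignments applying at target_scope."""
    target = normalise(target_scope)
    rows = []
    for a in assignments:
        scope = normalise(a["scope"])
        if scope == target:
            access = "Assigned"
        elif target.startswith(scope + "/"):  # parent scope, on a "/" boundary
            access = "Inherited"
        else:
            continue  # sibling or child scope: not effective here
        rows.append((access, a["roleDefinitionName"], a["principalName"], a["scope"]))
    return rows


def owners(rows):
    """Owner rows to review: the article wants students as contributors, not owners."""
    return [(access, who, remove_at) for access, role, who, remove_at in rows
            if role == "Owner"]


if __name__ == "__main__":
    for row in classify(SAMPLE, RG):
        print(*row, sep="\t")
```

The last column of each row is the scope to open when the assignment needs removing; for an Inherited row that is the parent subscription, not the resource group being viewed.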
Other tools to manage access
You can assign roles and manage access with Azure RBAC commands in tools other than the Azure portal. Follow the links to learn more about the prerequisites and get started with the Azure RBAC commands.
- Azure PowerShell
- Azure Command-Line Interface
- REST API
- Set of RBAC scripts at http://github.com/MSFTImagine/computerscience
Next Steps
- Create an access change history report
- See the RBAC built-in roles
- Define your own Custom roles in Azure RBAC
- Learn more about scripts for RBAC at http://github.com/MSFTImagine/computerscience
Updated Mar 21, 2019
Version 2.0
Lee_Stott
Microsoft
Educator Developer Blog