Microsoft Tech Community
Delegate Azure role assignment management using conditions
Published Oct 25 2023 09:00 AM by Microsoft

We're excited to share the public preview of delegating Azure role assignment management using conditions. This preview lets you enable others to assign Azure roles while restricting which roles they can assign and which principals they can assign those roles to.

As the owner of an Azure subscription, you likely get requests from developers to grant them the ability to assign roles in your subscription. You could assign them the Owner or User Access Administrator role, but those roles grant permission to assign any Azure role (including Owner!), and that’s probably a lot more permission than necessary for that developer’s scenario. You could instead make role assignments for these developers on demand, but that makes you an unnecessary and impractical bottleneck in their workflow.

Another common case we hear about is a deployment pipeline that needs to make role assignments as part of the deployment process, for example to grant a virtual machine managed identity access to Azure Storage and other resources. You don’t want to assign the deployment pipeline the Owner or User Access Administrator role because again, it’s a lot more permission than is needed for the scenario.

We created this feature so you can grant permission to create role assignments, but only under specific conditions, such as for specific roles. You can do this in two ways:

  • Make a role assignment that is constrained using conditions.
  • Use a new built-in role that has built-in conditions.

Let’s look at each scenario.

How to delegate role assignment management using conditions

Meet Dara, a developer who needs to enable an Azure Kubernetes Service (AKS) managed identity to pull images from an Azure Container Registry (ACR). Now, you can assign Dara the Role Based Access Control Administrator role and add conditions so she can only assign the AcrPull and AcrPush roles, and only to service principals.

Figure 1: Delegate Azure role assignment management using conditions.

Let’s look at how to do this step by step:

Step 1: When creating a new role assignment, on the Privileged administrator roles tab select the new Role Based Access Control Administrator role. You could also select any built-in or custom role that includes the Microsoft.Authorization/roleAssignments/write action.

Figure 2: Select role

Step 2: On the Members tab, select the user you want to delegate the role assignments task to.

Figure 3: Select members

Step 3: On the Condition tab, click Add condition to add the condition to the role assignment.

Figure 4: Add condition to role assignment

Step 4: On the Add role assignment condition page, specify how you want to constrain the role assignments this user can perform by selecting one of the templates. For example, if you only want to restrict the roles that a user can assign (for example, AcrPull and AcrPush) and the type of principals the user can assign roles to (for example, service principals), select the Constrain roles and principal types template.

Figure 5: Select role template

Step 5: On the Constrain roles and principal types pane, add the roles you want the user to be able to assign and select the principal types the user can assign those roles to.

Figure 6: Select role and principal type

Step 6: Save the condition and complete the role assignment.

Figure 7: Review role assignment with conditions

How to delegate role assignment management using a new built-in role with built-in conditions

Now Dara wants to control who can sign into virtual machines using Microsoft Entra ID credentials. To do this, Dara needs to create role assignments for the Virtual Machine User Login or Virtual Machine Administrator Login roles. In the past, you had to grant Dara the Owner or User Access Administrator role so she could make these assignments. Now, you can grant Dara the new Virtual Machine Data Access Administrator role. Then, Dara will only be able to assign the roles needed to manage access to the virtual machine.

Figure 8: Virtual Machine Data Access Administrator

Similarly, you can assign the Key Vault Data Access Administrator role to trusted users who manage key vaults, enabling them to assign only Azure Key Vault-related roles.

To assign the new built-in roles with built-in conditions, start a new role assignment, select the Job function roles tab, and select a role with built-in conditions, such as Virtual Machine Data Access Administrator. Then complete the flow to add a new role assignment.

Figure 9: Select Key Vault or Virtual Machine Data Access Administrator

Roles with built-in conditions have Data Access Administrator as part of the role name. Also, you can check if a role definition contains a condition. In the Details column, click View, select the JSON tab, and then inspect the condition property. Over time we’ll add more roles with built-in conditions, for the most common scenarios, to make it easy to manage resources and manage access to those resources with simple role assignments.

Figure 10: Key Vault Data Access Admin JSON view definition

Next steps

We have several examples for you to get started and customize as needed. Delegating Azure role assignments with conditions is supported using the Azure portal, Azure Resource Manager REST API, PowerShell, and Azure CLI. Try it out and let us know your feedback in the comments or by using the Feedback button on the Access control (IAM) blade in the Azure portal!
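An added example, not code from the original post or from Microsoft, showing the same delegation from Azure CLI: `build_condition` produces the condition that the Constrain roles and principal types template generates for the AcrPull/AcrPush, service-principals-only scenario in the first section, `delegate_with_condition` attaches it to a Role Based Access Control Administrator assignment, and `builtin_condition` reads the condition property of a Data Access Administrator role as described in the second section. The two GUIDs are the built-in AcrPull and AcrPush role definition IDs; the function names and the `<delegate-object-id>` and `<subscription-id>` values are placeholders chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Builds the ABAC condition that the
# "Constrain roles and principal types" template produces, attaches it to a
# Role Based Access Control Administrator assignment with Azure CLI, and reads
# the built-in condition of a *Data Access Administrator role.
# Assumed placeholders: <delegate-object-id> and <subscription-id>.

# Resolve a built-in role's definition GUID (the role definition "name" property).
role_guid() { az role definition list --name "$1" --query "[0].name" -o tsv; }

# Build a condition that allows only the given role GUIDs (space separated) to be
# assigned, and only to the given principal type. Both creating (write) and
# removing (delete) role assignments are constrained, as the portal template does.
build_condition() {
  roles="$1"; ptype="$2"
  guid_set="{$(printf '%s' "$roles" | sed 's/ /, /g')}"   # "{id1, id2}"
  cat <<EOF
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals ${guid_set} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'${ptype}'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals ${guid_set} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'${ptype}'}))
EOF
}

# Assign Role Based Access Control Administrator to the delegate, constrained by the condition.
delegate_with_condition() {
  az role assignment create \
    --role "Role Based Access Control Administrator" \
    --assignee-object-id "$1" --assignee-principal-type User \
    --scope "$2" \
    --condition "$3" --condition-version "2.0"
}

# Show the condition baked into a role with built-in conditions (JSON "condition" property).
builtin_condition() {
  az role definition list --name "$1" --query "[0].permissions[0].condition" -o tsv
}

# Demo: AcrPull and AcrPush built-in role definition IDs, service principals only.
# (Verify the IDs in your tenant with: role_guid AcrPull; role_guid AcrPush)
COND="$(build_condition "7f951dda-4ed3-4680-a7ca-43fe172d538d 8311e382-0749-4cb8-b61a-304f252e45ec" ServicePrincipal)"
printf '%s\n' "$COND"
# Uncomment after `az login`:
# delegate_with_condition "<delegate-object-id>" "/subscriptions/<subscription-id>" "$COND"
# builtin_condition "Virtual Machine Data Access Administrator"
```

The delete branch matters: without it the delegate could remove role assignments the condition never allowed them to create.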

Figure 11: Provide feedback

Stuart Kwan 

Partner Manager, Product Management 

Microsoft Entra 
