Assigning A Built-in Role To A User At Resource And Resource Group Scope Using ARM Template

This article is focused on creating an ARM template that will create a storage account resource in the resource group and will assign role at both RG (Resource Group) scope and created storage account resource level

This article is divided into following 5 sections, As it is described in the image shown below

  1. Fetch User Object ID
  2. Fetch Built-in Role ID
  3. Create ARM template to provision storage account
  4. Role assignment in ARM template
  5. Deploying ARM template to Azure Portal

Let’s start step by step as mentioned above, we will fetch the user object ID which will be used in deploying ARM template

  1. So firstly, let's fetch the user’s object id

    Use the PowerShell script to fetch user’s object id by its email id.

    Get-AzADUser | Where-Object { $_.UserPrincipalName -eq "testuser@testdomain.xyz.com" }

    This will show the user details like, DisplayName, Id, Mail, UserPrincipalName, Grab the Id and save it for further use

    You can also fetch the user object Id from Azure Portal, Navigate to Azure Active Director > Users > Select the user you want to fetch the Id of > Copy the Object Id
     
  2. Similarly, we will fetch the built-in role Id using PowerShell script, for this article I will fetch the “Reader” role id but you can fetch your required role id,

    Get-AzRoleDefinition -Name Reader

    This script will output few of the Role details, grab the Id from the output and save it for further use
     
  3. Now it’s time to create the ARM Template which will create the Storage account and assign user with Reader role to the created storage account also, we will assign user with Reader role to the Resource group using scope.

Follow the template mentioned below for creating storage account and role assignment.

Refer Microsoft documentation to know more on ARM Template syntax and details and to know more details on role assignment

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "AAD_Object_ID": {
            "metadata": {
                "description": "Object ID of the User, Group or Service Principal"
            },
            "type": "string"
        },
        "Role_Definition_ID": {
            "metadata": {
                "description": "Identifier (GUID) of the role definition to map to service principal"
            },
            "type": "string"
        }
    },
    "variables": {
        "Full Role_Definition_ID": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', parameters('Role_Definition_ID'))]",
        "StorageAccountName": "shrstrgacc",
        "StorageAccountAssignmentName": "[concat(variables('StorageAccountName'), '/Microsoft.Authorization/', guid(concat(resourceGroup().id), variables('Full Role_Definition_ID')))]"                                
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2018-07-01",
            "name": "[variables('StorageAccountName')]",
            "comments": "Storage account used to store VM disks",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Standard_LRS"
            },
            "kind": "Storage",
            "properties": {
                "roleDefinitionId": "[variables('Full Role_Definition_ID')]",
                "principalId": "[parameters('AAD_Object_ID')]"
            }
        },
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2017-09-01",
            "name": "[guid(concat(resourceGroup().id), resourceId('Microsoft.Storage/storageAccounts', 'shrstrgacc'), variables('Full Role_Definition_ID'))]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', 'shrstrgacc')]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('Full Role_Definition_ID')]",
                "principalId": "[parameters('AAD_Object_ID')]",
                "scope": "[resourceGroup().id]"
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
            "apiVersion": "2017-05-01",
            "name": "[variables('StorageAccountAssignmentName')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', 'shrstrgacc')]"
            ],
            "properties": {
                "roleDefinitionId": "[variables('Full Role_Definition_ID')]",
                "principalId": "[parameters('AAD_Object_ID')]"
            }
        }
    ],
    "outputs": {}
}

As you can see from the above ARM template, we have given 2 input parameters which are, “AAD_Object_ID” & “Role_Definition_ID”, so to give a brief about what this input parameter will hold, AAD_Object_ID will be the User object Id fetched from Step 1 and Role_Definitation_ID will be the built in Reader Role ID fetched from Step 2

To further drill down to the ARM Template resources, we will be using

Type: Microsoft.Storage/storageAccounts to provision storage account with the mentioned properties in the ARM Template

Type: Microsoft.Authorization/roleAssignments to assign role at Resource group scope

Type: Microsoft.Storage/storageAccounts/providers/roleAssignments to assign role to the storage account resource

Also, save the above mentioned template code in a file with  .json extension for example armtest.json and copy the file path as we will need it while deploying it to Azure in the final step

Now it’s the time to deploy ARM Template to Azure Portal use the following script

Connect to Azure Account

Connect Az-Account

# Use PowerShell command New-AzResourceGroupDeployment, this command deploys azure resources to the Resource group

Refer, Microsoft documentation on deploying using New-AzResourceGroupDeployment

New-AzResourceGroupDeployment -ResourceGroupName <your-   resource-group-name>`

-TemplateFile <ARMTemplateFilePath > `

-AAD_Object_ID <user object Id> `

-Role_Definition_ID <Built in Reader role Id>

Note - Pass the copied path of the saved ARM Template file to the TemplateFile parameter in the script

Now it’s time to verify the outcome in the Azure Portal,

Wohoo, Storage is created in the Resource group mentioned in the New- AzResourceGroupDeployment

Fig 1.1: Storage Account created using ARM Template

Now, Let's check if the Reader role to the testuser is assigned to the Resource Group

Navigate to Azure Portal > Resource Group > Select the Resource group you added in the ARM deployment script > Access Control > Role Assignments

Woohoo, we can see the Reader role to the test user is assigned access to the Resource Group scope

Fig 1.2: Role Assignment to the Resource Group

It’s time to verify the role access at the storage account resource level,

Navigate to Azure Portal > Resource Group > Select the Resource group you added in the ARM deployment script > Select the created storage account > Access control > Role Assignments

Wohoo, at storage account level we can see the reader role is assigned to the test user and the same is inherited from the Resource Group.

Fig 1.3: Role assigned to created storage account using ARM Template

I hope this article seems useful for all the Azure enthusiasts on how they can assign RBAC to the users/groups/SPNs/Managed Identities using ARM Template.

Keep Learning!

Keep Sharing!