Lab: Implementing Azure Identity and Access Control (RBAC)
Describe Azure identity, access, and security
In this lab, you will explore the fundamentals of Microsoft Entra ID (formerly Azure Active Directory) and Role-Based Access Control (RBAC). You will create a new user, assign them a specific role on a resource group, and verify the principle of "Least Privilege."
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges and to maintain a clean directory environment.
Prerequisites
- An active Azure Subscription (Free trial or Pay-As-You-Go).
- User Access Administrator or Owner role at the subscription level to assign RBAC roles.
- Azure CLI installed locally or access to the Azure Cloud Shell (https://shell.azure.com).
- Basic familiarity with the Azure Portal.
Learning Objectives
- Create a new user in Microsoft Entra ID.
- Create a Resource Group to act as a security boundary.
- Assign the Reader role using RBAC to a specific resource.
- Understand the Defense in Depth layers through identity management.
Architecture Overview
This lab demonstrates how identity acts as the primary security perimeter in a cloud-native environment.
Step-by-Step Instructions
Step 1: Create a Resource Group
First, we need a container for our resources. This serves as the scope for our RBAC assignment.
CLI Command:
```shell
az group create --name brainybee-lab-identity-rg --location eastus
```
Console alternative:
- Search for Resource groups in the top search bar.
- Click + Create.
- Name it `brainybee-lab-identity-rg` and select East US.
- Click Review + create and then Create.
Step 2: Create a New User in Microsoft Entra ID
We will create a test user within your directory. You will need your primary domain name (e.g., yourname.onmicrosoft.com).
CLI Command:
```shell
# Get your default domain name
DOMAIN=$(az ad signed-in-user show --query 'userPrincipalName' -o tsv | cut -d '@' -f 2)
# Create the user
az ad user create --display-name "Lab User" \
  --password "Password123!@#" \
  --user-principal-name "labuser@$DOMAIN"
```
[!IMPORTANT] Replace `$DOMAIN` with your actual tenant domain if not using a script variable.
Console alternative:
- Search for Microsoft Entra ID.
- In the left menu, select Users > All users.
- Click + New user > Create new user.
- Set User principal name to `labuser` and Display name to `Lab User`.
- Copy the auto-generated password or set a manual one.
- Click Review + create.
- Click Review + create.
Step 3: Assign the Reader Role
Now, we will apply the "Least Privilege" principle by giving our new user Read-only access to the resource group we created in Step 1.
CLI Command:
```shell
# Assign the Reader role
az role assignment create --assignee "labuser@$DOMAIN" \
  --role "Reader" \
  --resource-group "brainybee-lab-identity-rg"
```
Console alternative:
- Navigate to the brainybee-lab-identity-rg resource group.
- Select Access control (IAM) in the left sidebar.
- Click + Add > Add role assignment.
- Select Reader and click Next.
- Click + Select members, find `Lab User`, and click Select.
- Click Review + assign.
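A quick way to confirm the least-privilege outcome of Steps 1 to 3 from the command line, as an added example that is not part of the original lab: the function below reads the tab-separated output of `az role assignment list` for the lab user and fails unless the only assignment is Reader on the lab resource group. The `contoso.onmicrosoft.com` domain and the all-zero subscription id in the embedded sample rows are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original lab. Verifies that the lab user holds
# exactly one role, Reader, scoped to the lab resource group, and nothing broader.
# Against a live tenant, pipe the real assignment list into the function:
#   az role assignment list --assignee "labuser@$DOMAIN" --all \
#     --query "[].[principalName,roleDefinitionName,scope]" -o tsv \
#     | check_least_privilege brainybee-lab-identity-rg

# Reads tab-separated rows (principal, role, scope) on stdin.
# Exits 0 only when every row is Reader on the named RG and at least one such row exists.
check_least_privilege() {
  awk -F'\t' -v rg="$1" '
    NF < 3 { next }                      # skip blank or malformed rows
    $2 != "Reader" {                     # any other role is excess privilege
      printf "VIOLATION: %s holds %s at %s\n", $1, $2, $3; bad++; next
    }
    {
      n = split($3, p, "/")              # "/subscriptions/<id>/resourceGroups/<rg>" splits into 5 parts
      if (n != 5 || tolower(p[4]) != "resourcegroups" || p[5] != rg) {
        printf "VIOLATION: Reader granted outside the lab RG: %s\n", $3; bad++; next
      }
      ok++
    }
    END {
      printf "reader-on-rg=%d violations=%d\n", ok + 0, bad + 0
      if (bad > 0 || ok == 0) exit 1     # ok==0 catches an assignment that never landed (PrincipalNotFound)
      exit 0
    }'
}

# Constructed sample rows: placeholder subscription id and a fictional tenant domain.
SUB="00000000-0000-0000-0000-000000000000"
sample_compliant() {
  printf 'labuser@contoso.onmicrosoft.com\tReader\t/subscriptions/%s/resourceGroups/brainybee-lab-identity-rg\n' "$SUB"
}
sample_drift() {
  sample_compliant
  # A later Contributor grant at subscription scope breaks least privilege.
  printf 'labuser@contoso.onmicrosoft.com\tContributor\t/subscriptions/%s\n' "$SUB"
}

sample_compliant | check_least_privilege brainybee-lab-identity-rg
sample_drift | check_least_privilege brainybee-lab-identity-rg ||
  echo "Excess privilege found: remove it with az role assignment delete"
```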
Step 4: Visualizing Defense in Depth
Security in Azure is built on multiple layers. The diagram below shows the "Defense in Depth" model; the highlighted ring, Identity & Access, is the layer this lab secures.
```latex
\begin{tikzpicture}[scale=0.8]
  \draw[thick] (0,0) circle (1.5cm) node[below=1.6cm] {Data};
  \draw[thick] (0,0) circle (2.2cm) node[below=2.3cm] {Application};
  \draw[thick] (0,0) circle (2.9cm) node[below=3.0cm] {Compute};
  \draw[thick, fill=blue!10, opacity=0.5] (0,0) circle (3.6cm);
  \node at (0,-3.7) {\textbf{Identity \& Access (This Lab)}};
  \draw[thick] (0,0) circle (4.3cm) node[below=4.4cm] {Perimeter};
  \draw[thick] (0,0) circle (5.0cm) node[below=5.1cm] {Physical Security};
\end{tikzpicture}
```
Checkpoints
| Checkpoint | Action | Expected Result |
|---|---|---|
| User Creation | Run `az ad user list --display-name "Lab User"` | The user object should be returned in JSON format. |
| RBAC Assignment | Check the IAM tab in the Portal for the RG. | Lab User should appear with the role Reader. |
| Permission Test | Try to delete the RG as the new user. | The action should be denied (403 Forbidden). |
Troubleshooting
| Error | Possible Cause | Fix |
|---|---|---|
| Insufficient privileges to complete the operation | You are not a Global Admin or Owner. | Ask your subscription admin for User Access Administrator rights. |
| PrincipalNotFound | Entra ID propagation delay. | Wait 60 seconds after creating the user before assigning the role. |
| Directory not found | Logged into the wrong tenant. | Use `az account set --subscription <ID>` to ensure the correct context. |
Clean-Up / Teardown
To avoid cluttering your directory and to ensure no resources remain, delete the lab components.
```shell
# 1. Delete the Resource Group
az group delete --name brainybee-lab-identity-rg --yes --no-wait
# 2. Delete the Lab User
az ad user delete --id "labuser@$DOMAIN"
```
Stretch Challenge
Conditional Access Simulation: Navigate to Microsoft Entra ID > Security > Conditional Access. Note how you could create a policy that requires Multi-Factor Authentication (MFA) specifically for users with administrative roles. Question: Why would we not apply MFA to the "Reader" user in a high-velocity dev environment? (Think about the balance of security vs. productivity).