Hello and welcome back. A Cyber Aires Microsoft Azure Administrator A Z 103 course, this is Episode 16 role based Access Control and I'm your instructor, Will Carlson.
In today's episode, we're gonna discuss the difference between an older school co administrator assignment and a more current role based administrator assignment.
We're gonna discuss some of the different roles that you really should be aware of and their functionality on the A Z one of three exam.
And they were gonna briefly discuss how to go about creating a custom role in Azure
get started. We're gonna go ahead and come here in at In the portal to subscriptions.
I'm gonna pick my free trial subscription,
and we're going to assign an administrator here in the portal
for Azure. Now, obviously, in production, you're probably not gonna be a one man shop. Hopefully, you're not,
and you're gonna need to be able to assign permissions here with an azure, a number of different ways, and that's gonna be done at the subscription level.
To do that, I'm gonna come into the subscription, and I'm gonna select access control,
and all I have to do is select add now There are two options here, co administrator and roll assignment
co administrator is going to be more in line with that classic deployment model. Whereas Roll assignment is going to be more in line with the arm A P I.
Unless you have a reason to use a co administrator. I really recommend you use a role assignment
but wrote quickly, Let's add a co administrator just to step through that process.
We've only got a very limited number of users here. But if I wanted to make Dwight Schrute co administrator like his name and isolate,
that's gonna make Dwight have full access to Azure and able to do anything that he wants to do with an azure just the same as my user account
the alternative would be to use a role assignment,
and the differences are important. So I'm gonna go ahead. I could search here if I had a long, long list of users, but I don't so I could go ahead and just select White's name, and then I need to select on a roll. There are, as you can see, a very long list of roles here already built in to Azure
the ones that you need to be particularly mindful of for the exam, in my opinion, are going to be the owner role that's going to be equivalent to your role. When you set up your eyes, your tenant, they're gonna be able to do and create whatever resource is, and they're going to be able to control access
contributor. Role is going to let you do whatever you want to with Resource is, but you cannot control who has access to what
reader role is also gonna be important. And that does just what it says. You're only going to be able to read information but not make any changes. But you will be able to read information all across the subscription or the scope that you're given that access to
those air three of the most important role based access control levels.
So let's go ahead and make Dwight and, well, maybe for Dwight. I don't want the assistant to the manager to have too much control, so we're gonna go ahead and just make him a reader.
I'm gonna come down here and I'm gonna quite save,
and that's all there is to assigning administrative permissions here in Azure.
One of the role that I want to mention and we can look at it this way by coming into roles
Yes, user access Administrator.
And this rule is gonna allow you to manage who has access to what here in Azure. But you're not gonna be able to do anything with Resource is so This is really the alternative to the contributor role that can do anything with Resource is but cannot control access. So
those were some of the roles that I think you should be mindful of when it comes to Easy one of three.
Now, when I come here into role assignments, it's gonna tell me who has what access to what resource is. So I can see the scope Is this current resource or this subscription? And Dwight has read her access.
I could come here in classic administrators and see that Dwight is a co administrator, which is a little bit contradictory. So why ultimately can do whatever he wants to do here in this subscription. So clearly, we're gonna need to delete that.
We're just gonna remove that permit that access for it.
I think that's older.
I know I'm the only classic administrator for the system,
Another useful thing when it comes to diagnosing, who has access to what is back this. Check access. So if I search here, buy Dwight's name,
and it's gonna tell me very quickly what all Dwight has access to cross the azure tenant.
It's very simple now, with just a couple of users here that we just assigned. But as users begin to stale and you need to go through the process of auditing, who has access to what the check access tool is very powerful and useful
now. One thing I wanna call out about role based access control is that you can manage it within portal, but you cannot currently create a custom role within the portal. You have to do that programmatically and this. How to hear on this. Documentation on Microsoft's Web site
outlines how to go about that.
What they recommend doing ultimately is pulling down a template for a roll and then tweaking that template to your needs.
I don't think this level of detail is going to be on tthe e a Z 103 exam, but it may be important to know that you cannot create a custom role within portal directly.
So in today's video, we very simply talked about role based access control. What that means, why it's so powerful. We went through a number of the built in roll assignments. Take some time, go through the list. There really are countless built in roles. Basically, if you can
put together a default job position and the functions you want them to do, there's a really high likelihood that Microsoft has already built a role to do that for you.
And we also talked about the roles that you may need to know for the exam that's gonna be owner, contributor, reader and user access control, or the four that I think are really important for A Z one of three. And then we also talked about where to find the documentation and the fact that you cannot deploy a custom role within portal
Coming up next, we're going to begin stepping into storage and how we create storage account. So we've got all these wonderful binary files. How do we store them with an azure
storage is gonna be a really important part of the easy 103 exam, and it's really quite exciting part from an administrative. In a nightie standpoint, I'm really looking forward to those upcoming episodes. I sure hope you'll join me there. Thanks so much.