-
Notifications
You must be signed in to change notification settings - Fork 21.6k
/
Copy pathrole-assignments-portal.yml
250 lines (192 loc) · 13.4 KB
/
role-assignments-portal.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
### YamlMime:HowTo
metadata:
title: Assign Azure roles using the Azure portal - Azure RBAC
description: Learn how to grant access to Azure resources for users, groups, service principals, or managed identities using the Azure portal and Azure role-based access control (Azure RBAC).
author: rolyon
ms.author: rolyon
manager: amycolannino
ms.date: 11/11/2024
ms.service: role-based-access-control
ms.topic: how-to
ms.custom:
- subject-rbac-steps
- ge-structured-content-pilot
title: |
Assign Azure roles using the Azure portal
introduction: |
[!INCLUDE [Azure RBAC definition grant access](../../includes/role-based-access-control/definition-grant.md)] This article describes how to assign roles using the Azure portal.
If you need to assign administrator roles in Microsoft Entra ID, see [Assign Microsoft Entra roles to users](../active-directory/roles/manage-roles-portal.md).
prerequisites:
summary: |
[!INCLUDE [Azure role assignment prerequisites](../../includes/role-based-access-control/prerequisites-role-assignments.md)]
procedureSection:
- title: |
Step 1: Identify the needed scope
summary: |
[!INCLUDE [Scope for Azure RBAC introduction](../../includes/role-based-access-control/scope-intro.md)] For more information, see [Understand scope](scope-overview.md).
steps:
- |
Sign in to the [Azure portal](https://portal.azure.com).
- |
In the Search box at the top, search for the scope you want to grant access to. For example, search for **Management groups**, **Subscriptions**, **Resource groups**, or a specific resource.
- |
Click the specific resource for that scope.
The following shows an example resource group.
- title: |
Step 2: Open the Add role assignment page
summary: |
**Access control (IAM)** is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
steps:
- |
Click **Access control (IAM)**.
The following shows an example of the Access control (IAM) page for a resource group.
- |
Click the **Role assignments** tab to view the role assignments at this scope.
- |
Click **Add** > **Add role assignment**.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
The Add role assignment page opens.
- title: |
Step 3: Select the appropriate role
summary: |
To select a role, follow these steps:
steps:
- |
On the **Role** tab, select a role that you want to use.
You can search for a role by name or by description. You can also filter roles by type and category.
- |
If you want to assign a privileged administrator role, select the **Privileged administrator roles** tab to select the role.
For best practices when using privileged administrator role assignments, see [Best practices for Azure RBAC](best-practices.md#limit-privileged-administrator-role-assignments).
- |
In the **Details** column, click **View** to get more details about a role.
- |
Click **Next**.
- title: |
Step 4: Select who needs access
summary: |
To select who needs access, follow these steps:
steps:
- |
On the **Members** tab, select **User, group, or service principal** to assign the selected role to one or more Microsoft Entra users, groups, or service principals (applications).
- |
Click **Select members**.
- |
Find and select the users, groups, or service principals.
You can type in the **Select** box to search the directory for display name or email address.
- |
Click **Select** to add the users, groups, or service principals to the Members list.
- |
To assign the selected role to one or more managed identities, select **Managed identity**.
- |
Click **Select members**.
- |
In the **Select managed identities** pane, select whether the type is [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) or [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md).
- |
Find and select the managed identities.
For system-assigned managed identities, you can select managed identities by Azure service instance.
- |
Click **Select** to add the managed identities to the Members list.
- |
In the **Description** box enter an optional description for this role assignment.
Later you can show this description in the role assignments list.
- |
Click **Next**.
- title: |
Step 5: (Optional) Add condition
summary: |
If you selected a role that supports conditions, a **Conditions** tab will appear and you have the option to add a condition to your role assignment. A [condition](conditions-overview.md) is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.
The **Conditions** tab will look different depending on the role you selected.
### Delegate condition
If you selected one of the following privileged roles, follow the steps in this section.
- [Owner](built-in-roles.md#owner)
- [Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)
- [User Access Administrator](built-in-roles.md#user-access-administrator)
1. On the **Conditions** tab under **What user can do**, select the **Allow user to only assign selected roles to selected principals (fewer privileges)** option.
:::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::
1. Click **Select roles and principals** to add a condition that constrains the roles and principals this user can assign roles to.
1. Follow the steps in [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md#step-3-add-a-condition).
### Storage condition
If you selected one of the following storage roles, follow the steps in this section.
- [Storage Blob Data Contributor](built-in-roles.md#storage-blob-data-contributor)
- [Storage Blob Data Owner](built-in-roles.md#storage-blob-data-owner)
- [Storage Blob Data Reader](built-in-roles.md#storage-blob-data-reader)
- [Storage Queue Data Contributor](built-in-roles.md#storage-queue-data-contributor)
- [Storage Queue Data Message Processor](built-in-roles.md#storage-queue-data-message-processor)
- [Storage Queue Data Message Sender](built-in-roles.md#storage-queue-data-message-sender)
- [Storage Queue Data Reader](built-in-roles.md#storage-queue-data-reader)
steps:
- |
Click **Add condition** if you want to further refine the role assignments based on storage attributes.
- |
Follow the steps in [Add or edit Azure role assignment conditions](conditions-role-assignments-portal.md#step-3-review-basics).
- title: |
Step 6: Select assignment type
summary: |
If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, an **Assignment type** tab will appear for management group, subscription, and resource group scopes. Use eligible assignments to provide just-in-time access to a role. Users with eligible and/or time-bound assignments must have a valid license.
If you don't want to use the PIM functionality, select the **Active** assignment type and **Permanent** assignment duration options. These settings create a role assignment where the principal always has permissions in the role.
This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different. For more information, see [Eligible and time-bound role assignments in Azure RBAC](././pim-integration.md).
steps:
- |
On the **Assignment type** tab, select the **Assignment type**.
- **Eligible** - User must perform one or more actions to use the role, such as perform a multifactor authentication check, provide a business justification, or request approval from designated approvers. You can't create eligible role assignments for applications, service principals, or managed identities because they can't perform the activation steps.
- **Active** - User doesn't have to perform any action to use the role.
:::image type="content" source="./media/shared/assignment-type-eligible.png" alt-text="Screenshot of Add role assignment with Assignment type options displayed." lightbox="./media/shared/assignment-type-eligible.png":::
- |
Depending on your settings, for **Assignment duration**, select **Permanent** or **Time bound**.
Select permanent if you want member to always be allowed to activate or use role. Select time bound to specify start and end dates. This option might be disabled if permanent assignments creation is not allowed by PIM policy.
- |
If **Time bound** is selected, set **Start date and time** and **Start date and time** to specify when user is allowed to activate or use role.
It's possible to set the start date in the future. The maximum allowed eligible duration depends on your Privileged Identity Management (PIM) policy.
- |
(Optional) Use **Configure PIM Policy** to configure expiration options, role activation requirements (approval, multifactor authentication, or Conditional Access authentication context), and other settings.
When you select the **Update PIM policy** link, a PIM page is displayed. Select **Settings** to configure PIM policy for for roles. For more information, see [Configure Azure resource role settings in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings).
- |
Click **Next**.
- title: |
Step 7: Assign role
summary: |
Follow these steps:
steps:
- |
On the **Review + assign** tab, review the role assignment settings.
- |
Click **Review + assign** to assign the role.
After a few moments, the security principal is assigned the role at the selected scope.
- |
If you don't see the description for the role assignment, click **Edit columns** to add the **Description** column.
- title: |
Edit assignment
summary: |
If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, you can edit your role assignment type settings. For more information, see [Eligible and time-bound role assignments in Azure RBAC](./pim-integration.md).
steps:
- |
On the **Access control (IAM)** page, click the **Role assignments** tab to view the role assignments at this scope.
- |
Find the role assignment that you want to edit.
- |
In the **State** column, click the link, such as **Eligible time-bound** or **Active permanent**.
The **Edit assignment** pane appears where you can update the role assignment type settings. The pane might take a few moments to open.
:::image type="content" source="./media/shared/assignment-type-edit.png" alt-text="Screenshot of Edit assignment pane with Assignment type options displayed." lightbox="./media/shared/assignment-type-edit.png":::
- |
When finished, click **Save**.
Your updates might take a while to be processed and reflected in the portal.
relatedContent:
- text: Assign a user as an administrator of an Azure subscription
url: role-assignments-portal-subscription-admin.yml
- text: Remove Azure role assignments
url: role-assignments-remove.yml
- text: Troubleshoot Azure RBAC
url: troubleshooting.md