I was wondering how everyone is handling RBAC at scale. We have AD groups that map to our Azure RBAC roles, but everything is pretty much done via the portal. Has anyone successfully used a pipeline and Bicep/ARM/Terraform to deploy all role assignments with it, across multiple subscriptions/management groups? Currently we have no real audit trail for RBAC changes, which is why we are looking at this. Thanks!
Take a look at Azure Blueprints https://learn.microsoft.com/en-us/azure/governance/blueprints/overview – TrevorBrooks Aug 11 '21 at 17:56
3 Answers
At the moment I am also fighting with that challenge. What I ended up with is a Bicep file where I am able to assign roles to management groups. I chose a file structure that reflects portal.azure.com. It means that I have a folder called 'IAM' where I am managing access to the management groups. I chose to have one Bicep file per management group, so the 'playground' management group has a file called playground.bicep.
// playground.bicep: role assignments for one management group, deployed at management-group scope
targetScope = 'managementGroup'

// Name (ID) of the management group, e.g. 'playground'
param scope string
// Object IDs of the AD groups / principals that receive each role
param DiskBackupReaders array
param PurviewDataCurators array

// One entry per role: the principals to grant it to and the built-in role definition ID
var roles = [
  {
    role: 'DiskBackupReaders'
    principalId: DiskBackupReaders
    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24'
  }
  {
    role: 'PurviewDataCurators'
    principalId: PurviewDataCurators
    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
  }
]

// Full resource ID of the management group; used to seed the deterministic assignment GUIDs
var mgmtScope = '/providers/Microsoft.Management/managementGroups/${scope}'

// One module deployment per role; the module itself loops over the principals
module rbacAssignment '../modules/rbac.bicep' = [for role in roles: {
  name: role.role
  scope: managementGroup(scope)
  params: {
    principalId: role.principalId
    rbacId: role.roleDefinitionId
    scope: mgmtScope
  }
}]
That was a little bit tricky with nested loops, but the module file helped me to solve that issue. Any other ideas?
// ../modules/rbac.bicep: assigns one role to a list of principals at management-group scope
targetScope = 'managementGroup'

// Management group resource ID (only used to make the assignment names deterministic)
param scope string
// Object IDs of the principals that get the role
param principalId array = []
// Full role definition resource ID
param rbacId string

// Role assignment names must be GUIDs; seeding from role, scope and principal keeps redeploys idempotent
resource rbacAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = [for principal in principalId: {
  name: guid(rbacId, scope, principal)
  properties: {
    principalId: principal
    roleDefinitionId: rbacId
  }
}]
And I use a simple pwsh loop to deploy all files in a folder to the management group.

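Added example, not the answerer's own script: the kind of PowerShell loop described above, deploying each IAM/<group>.bicep with New-AzManagementGroupDeployment (which compiles the Bicep file when the Bicep CLI is installed) and previewing with -WhatIf before applying. The folder layout, the parameter-file naming and the Location value are assumptions.

```powershell
# Added example (not the answerer's script): deploy every IAM/<group>.bicep to the
# management group named after the file, previewing with -WhatIf before applying.
# Assumed: a ./IAM folder, a ./IAM/<group>.parameters.json next to each .bicep file
# (supplying the 'scope' and principal-ID array parameters), and a pipeline identity
# that already holds User Access Administrator or Owner on each management group.
[CmdletBinding()]
param(
    [string]$IamFolder = (Join-Path $PSScriptRoot 'IAM'),
    [string]$Location  = 'westeurope',   # deployment metadata region (assumed)
    [switch]$Apply                       # without -Apply the run is preview only
)

$ErrorActionPreference = 'Stop'

$files = Get-ChildItem -Path $IamFolder -Filter '*.bicep' -File
if (-not $files) { throw "No .bicep files found in $IamFolder" }

$results = foreach ($file in $files) {
    $mgName    = $file.BaseName                 # playground.bicep -> 'playground'
    $paramFile = Join-Path $IamFolder "$mgName.parameters.json"
    if (-not (Test-Path $paramFile)) { throw "Missing parameter file $paramFile" }

    $common = @{
        ManagementGroupId     = $mgName
        Location              = $Location
        TemplateFile          = $file.FullName
        TemplateParameterFile = $paramFile
        Name                  = "rbac-$mgName-$(Get-Date -Format yyyyMMddHHmmss)"
    }

    # Preview first: lists the roleAssignments that would be created or removed
    Write-Host "== $mgName : what-if =="
    New-AzManagementGroupDeployment @common -WhatIf

    if ($Apply) {
        Write-Host "== $mgName : deploying =="
        $d = New-AzManagementGroupDeployment @common
        # The deployment record (name, timestamp, parameters) is the change history
        # for this group's RBAC; Get-AzManagementGroupDeployment lists it later.
        [pscustomobject]@{
            ManagementGroup = $mgName
            Deployment      = $d.DeploymentName
            State           = $d.ProvisioningState
        }
    }
}

$results | Format-Table -AutoSize
```

Run it with -Apply from the Azure PowerShell task once the what-if output matches the intended assignments.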
I recommend that you use Azure PowerShell New-AzRoleAssignment to assign RBAC roles; just use a loop in a PowerShell script.
In an Azure DevOps pipeline, use the Azure PowerShell task to run your script.
Also make sure the service principal of the Azure Resource Manager service connection used in the task has the Owner or User Access Administrator role in your Azure subscription; otherwise it will not have permission to assign RBAC roles.

There is a marketplace extension that does this: https://marketplace.visualstudio.com/items?itemName=Osservante.OsservanteRBAC
It lets you deploy RBAC as expected, but also has a plan mode (a bit like Terraform) and an export mode, making it easy to get started.
