Mod 11 - Lab - Role-Based Access Control

This document provides instructions for a lab on role-based access control in Azure. The objectives are to configure delegation of Azure resource provisioning and management using RBAC roles and policies, and to verify delegation by provisioning resources and auditing events. The lab tasks include creating Azure AD users and groups, resource groups, assigning a Contributor role to a group for one resource group, and assigning a built-in policy to that resource group.


1/25/2021 AZ-103-MicrosoftAzureAdministrator

Lab: Role-Based Access Control

All tasks in this lab are performed from the Azure portal (including a PowerShell Cloud Shell session)

❕ Note: When not using Cloud Shell, the lab virtual machine must have the Azure PowerShell 1.2.0 module (or newer) installed: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps

Lab files: none

Scenario

Adatum Corporation wants to use Azure Role Based Access Control and Azure Policy to control provisioning and management of their Azure resources. It also wants to be able to automate and track provisioning and management tasks.

Objectives

After completing this lab, you will be able to:

Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies

Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

Exercise 1: Configure delegation of provisioning and management of Azure resources by using built-in Role-Based Access Control (RBAC) roles and built-in Azure policies

The main tasks for this exercise are as follows:

1. Create Azure Active Directory (AD) users and groups

2. Create Azure resource groups

3. Delegate management of an Azure resource group via a built-in RBAC role

4. Assign a built-in Azure policy to an Azure resource group

Task 1: Create Azure AD users and groups

1. From the lab virtual machine, start Microsoft Edge, browse to the Azure portal at http://portal.azure.com
and sign in by using a Microsoft account that has the Owner role in the Azure subscription you intend to
use in this lab and is a Global Administrator of the Azure AD tenant associated with that subscription.

2. In the Azure portal, navigate to the Azure Active Directory blade

3. From the Azure Active Directory blade, navigate to the Custom domain names blade and identify the
primary DNS domain name associated with the Azure AD tenant. Note its value - you will need it later in this
task.

4. From the Azure AD Custom domain names blade, navigate to the Users - All users blade.

5. From the Users - All users blade, create a new user with the following settings:

User name: aaduser100011@<DNS-domain-name> where <DNS-domain-name> represents the primary DNS domain name you identified earlier in this task.

Name: aaduser100011

First name: not set

Last name: not set

Auto-generate password

https://microsoftlearning.github.io/AZ-103-MicrosoftAzureAdministrator/Instructions/Labs/11a - Role-Based Access Control (az-100-01).html 1/6



Password: select the checkbox Show Password and note the string appearing in the Password text
box. You will need it later in this lab.

Groups: 0 groups selected

Roles: User

Block sign in: No

Usage location: United States

Job title: not set

Department: not set

6. From the Users - All users blade, navigate to the Groups - All groups blade.

7. From the Groups - All groups blade, create a new group with the following settings:

Group type: Security

Group name: az1001 Contributors

Group description: az1001 Contributors

Membership type: Assigned

Members: aaduser100011

Task 2: Create Azure resource groups

1. In the Azure portal, navigate to the Resource groups blade.

2. From the Resource groups blade, create the first resource group with the following settings:

Resource group name: az1000101-RG

Subscription: the name of the subscription you are using in this lab

Resource group location: the name of the Azure region which is closest to the lab location and where
you can provision Azure VMs.

❕ Note: To identify Azure regions available in your subscription, refer to https://azure.microsoft.com/en-us/regions/offers/

3. From the Resource groups blade, create the second resource group with the following settings:

Resource group name: az1000102-RG

Subscription: the name of the subscription you selected in the previous step

Resource group location: the name of the Azure region you selected in the previous step

Task 3: Delegate management of an Azure resource group via a built-in RBAC role

1. In the Azure portal, from the Resource groups blade, navigate to the az1000101-RG blade.

2. From the az1000101-RG blade, display its Access control (IAM) blade.

3. From the az1000101-RG - Access control (IAM) blade, display the Role assignments blade.

4. From the Role assignments blade, create the following role assignment:

Role: Contributor

Assign access to: Azure AD user, group, or service principal

Select: az1001 Contributors


Task 4: Assign a built-in Azure policy to an Azure resource group

1. From the az1000101-RG blade, display its Policies blade.

2. From the Policy - Compliance blade, display the Assign policy blade.

3. Assign the policy with the following settings:

Basics tab:

Scope: <name of the subscription you are using in this lab>/az1000101-RG

Exclusions: leave the entry blank

Policy definition: Allowed virtual machine SKUs

Assignment name: Allowed virtual machine SKUs

Description: Allowed selected virtual machine SKUs (Standard_DS1_v2)

Policy enforcement: Enabled

Assigned by: leave the entry set to its default value

Parameters tab:

Allowed SKUs: Standard_DS1_v2

Remediation tab:

Create a Managed Identity: leave the entry blank

❕ Result: After you have completed this exercise, you have created an Azure AD user and an Azure AD group, created two Azure
resource groups, delegated management of the first Azure resource group via the built-in Azure VM Contributor RBAC role,
and assigned to the same resource group the built-in Azure policy restricting SKUs that can be used for Azure VMs.
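The following is an added example, not part of the lab's own instructions, that performs the same four tasks with Az PowerShell cmdlets from a Cloud Shell PowerShell session, so the whole delegation (who gets which role at which scope, and which policy sits beside it) is visible in one reviewable script. The tenant domain name, the region, the built-in policy's display name (current Azure shows it as "Allowed virtual machine size SKUs"; the portal in this lab shows "Allowed virtual machine SKUs") and its listOfAllowedSKUs parameter name are assumptions to confirm in your tenant before running it.

```powershell
# Added example: scripted equivalent of Exercise 1, Tasks 1-4 (Az PowerShell, Cloud Shell).
# Requires Az.Accounts and Az.Resources; run as an Owner of the subscription who is also
# a Global Administrator of the tenant, as the lab's Task 1 step 1 requires.

# --- Inputs (assumptions: replace the placeholders with your lab values) ---------------
$domain      = '<DNS-domain-name>'    # primary DNS domain of the tenant (Task 1, step 3)
$location    = '<azure-region>'       # region you chose in Task 2
$userName    = 'aaduser100011'
$groupName   = 'az1001 Contributors'
$rgDelegated = 'az1000101-RG'         # the only resource group the group may manage
$rgControl   = 'az1000102-RG'         # created to show the delegated admin cannot see it
$allowedSku  = 'Standard_DS1_v2'

# --- Task 1: user and security group ----------------------------------------------------
# Generate a throw-away initial password (digits, upper, lower, plus one symbol) and force a
# change at first sign-in, which is what the portal's "Auto-generate password" option does.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$initialPassword = (-join (1..20 | ForEach-Object { $chars | Get-Random })) + '!'
$securePassword  = ConvertTo-SecureString $initialPassword -AsPlainText -Force

$user = New-AzADUser -DisplayName $userName `
                     -UserPrincipalName "$userName@$domain" `
                     -MailNickname $userName `
                     -Password $securePassword `
                     -ForceChangePasswordNextLogin
Write-Host "Initial password for $($user.UserPrincipalName): $initialPassword (note it, as in Task 1 step 5)"

$group = New-AzADGroup -DisplayName $groupName -MailNickname 'az1001Contributors'
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id

# --- Task 2: two resource groups ---------------------------------------------------------
$rg1 = New-AzResourceGroup -Name $rgDelegated -Location $location
$rg2 = New-AzResourceGroup -Name $rgControl   -Location $location

# --- Task 3: Contributor on az1000101-RG only, granted to the group, not to the user -------
# Scope is the resource group: nothing at subscription level, so az1000102-RG stays invisible.
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName 'Contributor' `
                     -ResourceGroupName $rgDelegated

# --- Task 4: built-in policy restricting VM SKUs, assigned at the same scope ---------------
# The display name has changed between Az versions; match either spelling. Older Az.Resources
# nests DisplayName under .Properties, newer versions expose it directly, so check both.
$policyDef = Get-AzPolicyDefinition -Builtin | Where-Object {
    ($_.Properties.DisplayName, $_.DisplayName) -like 'Allowed virtual machine*SKUs' } |
    Select-Object -First 1
if (-not $policyDef) { throw 'Built-in "Allowed virtual machine size SKUs" policy not found' }

# Assumption: the definition's parameter is named listOfAllowedSKUs.
New-AzPolicyAssignment -Name 'Allowed virtual machine SKUs' `
                       -DisplayName 'Allowed virtual machine SKUs' `
                       -Description "Allowed selected virtual machine SKUs ($allowedSku)" `
                       -PolicyDefinition $policyDef `
                       -Scope $rg1.ResourceId `
                       -PolicyParameterObject @{ listOfAllowedSKUs = @($allowedSku) }

# --- Verification: what was granted, and where ---------------------------------------------
Get-AzRoleAssignment -ResourceGroupName $rgDelegated |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
Get-AzPolicyAssignment -Scope $rg1.ResourceId | Select-Object Name
```

Two design points worth noticing in the script: the role is assigned to the group rather than the user, so membership changes in Azure AD, not new role assignments, control who can manage the resource group; and the policy is assigned at the same resource-group scope but is evaluated on the resource being created regardless of the caller's role, which is why a Contributor cannot bypass it in Exercise 2.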

Exercise 2: Verify delegation by provisioning Azure resources as a delegated admin and auditing provisioning events

The main tasks for this exercise are as follows:

1. Identify an available DNS name for an Azure VM deployment

2. Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin

3. Perform an automated deployment of a policy compliant Azure VM as a delegated admin

4. Review Azure Activity Log events corresponding to Azure VM deployments

Task 1: Identify an available DNS name for an Azure VM deployment

1. From the Azure Portal, start a PowerShell session in the Cloud Shell.

❕ Note: If this is the first time you are launching the Cloud Shell in the current Azure subscription, you will be asked to
create an Azure file share to persist Cloud Shell files. If so, accept the defaults, which will result in creation of a storage
account in an automatically generated resource group.

2. In the Cloud Shell pane, run the following command, substituting the placeholder <custom-label> with
any string which is likely to be unique and the placeholder <location-of-az1000101-RG> with the name
of the Azure region in which you created the az1000101-RG resource group.

Code  Copy

Test-AzDnsAvailability -DomainNameLabel <custom-label> -Location '<location-of-az1000101-RG>'


3. Verify that the command returned True. If not, rerun the same command with a different value of the
<custom-label> until the command returns True.

4. Note the value of the <custom-label> that resulted in the successful outcome. You will need it in the next
task.

5. Run these commands:

Code  Copy

Register-AzResourceProvider –ProviderNamespace Microsoft.Network

Code  Copy

Register-AzResourceProvider –ProviderNamespace Microsoft.Compute

❕ Note: These cmdlets register the Azure Resource Manager Microsoft.Network and Microsoft.Compute resource
providers. This is a one-time operation (per subscription) required when using Azure Resource Manager templates to
deploy resources managed by these resource providers (if these resource providers have not been yet registered).

❕ Also Note: If you encounter an error after running these commands that mentions a token expiry set to a time that is
before the current time, click the power button icon on your Cloud Shell UI and reboot your Cloud Shell instance. Once
restarted, retry these commands.

Task 2: Attempt an automated deployment of a policy non-compliant Azure VM as a delegated admin

1. Launch another browser window in the InPrivate mode.

2. In the new browser window, navigate to the Azure portal and sign in using the user account
aaduser100011@<DNS-domain-name> where <DNS-domain-name> represents the primary DNS
domain name you identified earlier. When prompted, change the password to a new value.

3. In the Azure portal, navigate to the Resource groups blade and note that you can view only the resource
group az1000101-RG.

4. In the Azure portal, navigate to the New blade.

5. From the New blade, search Azure Marketplace for Template deployment.

6. Use the list of search results to navigate to the Deploy a custom template blade.

7. On the Custom deployment blade, in the Load a GitHub quickstart template drop-down list, select the
101-vm-simple-linux entry and navigate to the Edit template blade.

8. On the Edit template blade, navigate to the Variables section and locate the vmSize entry.

9. Note that the template is using hard-coded Standard_B2s VM size.

10. Discard any changes you might have made to the template and navigate to the Deploy a simple Ubuntu
Linux VM blade.

11. From the Deploy a simple Ubuntu Linux VM blade, initiate a template deployment with the following
settings:

Subscription: the same subscription you selected in the previous exercise

Resource group: az1000101-RG

Location: the name of the Azure region which you selected in the previous exercise

Admin Username: Student

Authentication Type: password


Admin Password Or Key: Pa55w.rd1234

Dns Label Prefix: the <custom-label> you identified in the previous task

Accept the default values of the remaining settings

12. Note that the initiation of the deployment fails. Navigate to the Errors blade and note that the deployment
of the resource is not allowed by the policy Allowed virtual machine SKUs.

Task 3: Perform an automated deployment of a policy compliant Azure VM as a delegated admin

1. From the Deploy a simple Ubuntu Linux VM blade, navigate to the Edit parameters blade.

2. On the Edit parameters blade, locate the vmSize entry.

3. Replace the value Standard_B2s with Standard_DS1_v2 and save the change.

4. Initiate a deployment again. Note that this time validation is successful.

5. Do not wait for the deployment to complete but proceed to the next task.

Task 4: Review Azure Activity Log events corresponding to Azure VM deployments

1. Switch to the browser window that you used in the previous exercise.

2. In the Azure portal, navigate to the az1000101-RG resource group blade.

3. From the az1000101-RG resource group blade, display its Activity log blade.

4. In the list of operations, note the ones corresponding to the failed and successful validation events.

5. Refresh the view of the blade and observe events corresponding to the Azure VM provisioning, including
the final one representing the successful deployment.

❕ Result: After you completed this exercise, you have identified an available DNS name for an Azure VM deployment,
attempted an automated deployment of a policy non-compliant Azure VM as a delegated admin, performed an automated
deployment of a policy compliant Azure VM as the same delegated admin, and reviewed Azure Activity Log entries
corresponding to both Azure VM deployments.
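The following is an added example, not part of the lab's own instructions, that reproduces Exercise 2 from a Cloud Shell PowerShell session: it finds an available DNS label (Task 1), pre-validates the same quickstart template with the non-compliant and the compliant VM size (Tasks 2 and 3), deploys the compliant one, and then pulls the matching Activity Log entries (Task 4). Run it signed in as aaduser100011 to match the lab; run as the Owner it behaves the same for the policy denial, because Azure Policy is evaluated on the resource, not on the caller's role. The template URL and its parameter names (adminUsername, authenticationType, adminPasswordOrKey, dnsLabelPrefix, vmSize) are assumptions about the 101-vm-simple-linux quickstart template; the label prefix and the Activity Log column mapping are constructed for this example.

```powershell
# Added example: scripted equivalent of Exercise 2, Tasks 1-4 (Az PowerShell, Cloud Shell).
# Requires Az.Accounts, Az.Resources, Az.Network and Az.Monitor.
$rgName   = 'az1000101-RG'
$location = (Get-AzResourceGroup -Name $rgName).Location
# Assumption: placeholder for the 101-vm-simple-linux quickstart template used in the lab.
$templateUri = '<url-of-101-vm-simple-linux-azuredeploy.json>'

# Scope check: signed in as the delegated admin, only az1000101-RG is listed (Task 2, step 3).
Get-AzResourceGroup | Select-Object ResourceGroupName, Location

# Task 1: pick a random label and retry until one is free, instead of retrying by hand.
do {
    $suffix = -join (1..6 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    $label  = "az1000-$suffix"   # constructed prefix; any likely-unique string works
} until (Test-AzDnsAvailability -DomainNameLabel $label -Location $location)
Write-Host "Using DNS label: $label"

# Template parameters shared by both attempts. The admin password is read interactively as
# a SecureString rather than hard-coded in the script.
$baseParams = @{
    adminUsername      = 'Student'
    authenticationType = 'password'
    adminPasswordOrKey = Read-Host -Prompt 'VM admin password' -AsSecureString
    dnsLabelPrefix     = $label
}

# Pre-flight validation only: nothing is created, but Azure Policy is still evaluated,
# and the validation itself is recorded in the Activity Log.
function Test-VmDeployment([string]$VmSize) {
    $errors = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
                  -TemplateUri $templateUri `
                  -TemplateParameterObject ($baseParams + @{ vmSize = $VmSize })
    if ($errors) {
        foreach ($e in $errors) { Write-Host "$VmSize -> denied: [$($e.Code)] $($e.Message)" }
    } else {
        Write-Host "$VmSize -> validation passed"
    }
}

Test-VmDeployment 'Standard_B2s'      # Task 2: expect an error with Code RequestDisallowedByPolicy
Test-VmDeployment 'Standard_DS1_v2'   # Task 3: expect "validation passed"

# Task 3: deploy the compliant variant. -AsJob returns immediately, matching step 5
# ("do not wait for the deployment to complete").
New-AzResourceGroupDeployment -Name 'vm-simple-linux' -ResourceGroupName $rgName `
    -TemplateUri $templateUri `
    -TemplateParameterObject ($baseParams + @{ vmSize = 'Standard_DS1_v2' }) -AsJob | Out-Null

# Task 4: audit trail for the resource group. OperationName, Status and SubStatus are
# localizable-string objects; .Value holds the raw code. The failed validation shows the
# policy denial, the Caller column shows which identity attempted it.
Start-Sleep -Seconds 30   # the log is not instantaneous; refresh as the lab's step 5 says
Get-AzActivityLog -ResourceGroupName $rgName -StartTime (Get-Date).AddHours(-1) |
    Select-Object EventTimestamp, Caller,
                  @{ n = 'Operation'; e = { $_.OperationName.Value } },
                  @{ n = 'Status';    e = { $_.Status.Value } },
                  @{ n = 'SubStatus'; e = { $_.SubStatus.Value } } |
    Sort-Object EventTimestamp | Format-Table -AutoSize
```

The useful contrast is in the two Test-VmDeployment calls: the same caller, the same Contributor role and the same template produce a denial or a pass purely on the vmSize value, and both outcomes are attributable to the caller in the Activity Log, which is the audit evidence the lab's Task 4 asks you to find in the portal.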

Exercise 3: Remove lab resources

Task 1: Open Cloud Shell

1. At the top of the portal, click the Cloud Shell icon to open the Cloud Shell pane.

2. At the Cloud Shell interface, select Bash.

3. At the Cloud Shell command prompt, type in the following command and press Enter to list all resource
groups you created in this lab:

Shell  Copy

az group list --query "[?starts_with(name,'az1000')].name" --output tsv

4. Verify that the output contains only the resource groups you created in this lab. These groups will be
deleted in the next task.

Task 2: Delete resource groups

1. At the Cloud Shell command prompt, type in the following command and press Enter to delete the
resource groups you created in this lab:

Shell  Copy


az group list --query "[?starts_with(name,'az1000')].name" --output tsv | xargs -L1 bash -c 'az group delete --name $0 --no-wait --yes'

2. Close the Cloud Shell prompt at the bottom of the portal.

❕ Result: In this exercise, you removed the resources used in this lab.
