Welcome, everyone, back to Module 2, where I talk about managing resource groups. In this module, we're going to be looking at RBAC, which is role-based access control. We'll look at configuring access to Azure resources by assigning roles, configuring management access to Azure, creating a custom role, and also Azure Policy.

So what is RBAC? Well, when you think about it, roles have been around for a while. They originally showed up with SQL Server, and then they were extended to Exchange Server starting with 2007. Roles are synonymous with groups in Active Directory. So a role is a container that has a role definition. The definition is the actual permissions that the identity has inherited from being part of that role. The scope says this is what you can administer. Now, on Azure, this is done by the role, the role definition, and the scope. So when you work with RBAC, or role-based access control, you're determining who, what, and where. When you're working with security, we need to follow the principle of least privilege: only give enough permissions to get the work done, nothing else. There are built-in roles, and these really should be used when possible; it makes it easier to manage the environment. Some of the things that you can do are allow users to manage VMs and virtual networks, allow a DBA to manage Azure SQL databases, and more.

Let's take a look at some of the roles. I'm over in the Azure portal, and the way that we work with roles, we go into our Active Directory, Azure Active Directory. And this is, like I said, pretty much the same as when we're dealing with groups in Active Directory on-premises. So you have Roles and administrators, and you have Users and Groups. The thing is, when you're working with roles, what you should do is actually put a group into a role. That way it makes it easier to do management. So I'm going into Roles and administrators.
Within this, you'll see there are a bunch of different ones; there are built-in ones. The built-in ones are really where we should start off. If we don't have something that is going to work for us, then we'll be able to go and create a custom role. Now, you need to have a P1 or a P2 to be able to use custom roles. So if you're not using E3 or E5 in Microsoft 365, or if you haven't purchased the add-on for Azure P1 or P2, then you won't be able to create the custom role. We have the built-in roles, and there are a bunch of different ones. If we were to look at the Reports Reader, they can read sign-in and audit reports. We have the VM Contributor, and they have the ability to go and create VMs and modify them and so forth. So there are a lot of different roles that we have.

Let's take a look at some of the best practices that we should follow when it comes to RBAC. RBAC is used to provide the ability of delegation, so it provides a way to limit permissions and give granular access to identities within Azure. You can limit the scope in Azure to the subscription, we can do it to the resource group, or we can do it to the resource. Now, we also have management groups. Management groups allow us to take all our subscriptions and have them under something that is going to be synonymous to a GPO, a group policy object. So the management group allows us to put all these different subscriptions together, and then we can have a policy that we can apply. And that's through, not a policy, but yeah, an RBAC policy, and so a role that'll be associated with it. On each level, you can find an IAM blade. Right now I'm in my portal and, as you can see, I'm in the Microsoft Partner Network and this is my subscription. So if I go back in here and look underneath the subscriptions, what you do is you select a subscription.
Once you have the subscription, you'll notice that we have IAM. This is where we can control who has access, make changes to it, and everything like that. We can check access, and we can find Azure AD users and groups. So I can put my email address in here, and it's telling me what type of access I have, and it's actually not finding it. So what I have to do is actually get my whole... I think it's a different one because it's on microsoft.com. I don't have it associated with the other names that I have in here, so that's where we check access. When we go into our resource groups, and the Cloud Shell one is the only one I have right now, we have Access control (IAM) right there also; identity access management, that's what it stands for. And then in the actual resource itself, we have IAM here, too. So this is how we're able to start to work with RBAC within our subscription and within our environment.
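As an added illustration (not code from this course or from Azure itself), the Python toy below models the who/what/where idea from the module: a role definition carries the permissions, an assignment binds a group to a role at a scope, and assignments are inherited down from subscription to resource group to resource, with everything else denied by default. The role actions, group names and resource IDs are constructed for the example and are simplified stand-ins for the real built-in roles.

```python
"""Toy model of Azure RBAC evaluation (added illustration, not Azure's own logic)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]           # allowed operations; "*" wildcards as in Azure
    not_actions: tuple[str, ...] = ()  # operations carved back out of `actions`

@dataclass(frozen=True)
class Assignment:
    principal: str        # who: a group (preferred) or a single user
    role: RoleDefinition  # what: the permissions
    scope: str            # where: a resource ID; inherited by everything beneath it

# Constructed, simplified stand-ins for two built-in roles (the real ones list far more actions).
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor",
                                ("Microsoft.Compute/virtualMachines/*",
                                 "Microsoft.Network/networkInterfaces/join/action"))
READER = RoleDefinition("Reader", ("*/read",))

# Constructed scope hierarchy: subscription -> resource group -> resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM01 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm01"
VM02 = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm02"

# Least privilege: VM operators get VM Contributor on rg-app only; auditors get Reader on the whole subscription.
ASSIGNMENTS = [
    Assignment("grp-vm-ops", VM_CONTRIBUTOR, RG_APP),
    Assignment("grp-auditors", READER, SUB),
]

def scope_covers(assigned_scope: str, target: str) -> bool:
    """An assignment applies at its own scope and is inherited by every child scope."""
    a, t = assigned_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def _matches(action: str, patterns: tuple[str, ...]) -> bool:
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)  # Azure compares case-insensitively

def is_allowed(assignments: list[Assignment], principal: str, action: str, target: str) -> bool:
    """Deny by default: allow only if an inherited assignment's Actions match and its NotActions do not (deny assignments and DataActions are left out of this toy)."""
    for asg in assignments:
        if asg.principal == principal and scope_covers(asg.scope, target):
            if _matches(action, asg.role.actions) and not _matches(action, asg.role.not_actions):
                return True
    return False
```

Try moving the VM operators' assignment from RG_APP up to SUB and the same check against VM02 flips to allowed, which is exactly the over-scoping that least privilege tells you to avoid.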