AAD Rbac Issue Investigation
- Overview
RBAC (Role-Based Access Control) is an authorization mechanism that determines whether a user is authorized to perform an operation on a resource. Let's review each term.
- What is a user?
A user is an entity created under an AAD directory (aka. tenant or tid). It has a set of properties such as name, first name, email, etc. It is uniquely identified by an objectId (guid); sometimes the terms oid and principalId are also used. The tenant where the user is originally created is called the home tenant. The same user can be added to other tenants; in that case, it becomes a foreign entity there. The user is given a different objectId in each tenant.
```
// To see your oid
ARMClient.exe token
// To see your oid in a different tenant
ARMClient.exe token %tid%
// To see all tenants you belong to
ARMClient.exe listcache
// To get user details
ARMClient.exe get "https://graph.windows.net/%tid%/users/%oid%?api-version=1.2-internal"
```
- What is a group?
A group is an entity created under an AAD directory (aka. tenant or tid). It has a set of properties such as group name, etc. It is uniquely identified by an objectId (guid); sometimes the term principalId is also used. The group has members, which are a collection of users.
```
// To see what groups a user belongs to
ARMClient.exe post "https://graph.windows.net/%tid%/users/%oid%/getMemberGroups?api-version=1.2-internal" "{securityEnabledOnly:false}"
// To get group details
ARMClient.exe get "https://graph.windows.net/%tid%/groups/%oid%?api-version=1.2-internal"
// To get group members
ARMClient.exe get "https://graph.windows.net/%tid%/groups/%oid%/$links/members?api-version=1.2-internal"
```
- What is an operation?
The operation is an action; for instance, read, write, etc.
- What is a resource?
In this context, the resource is an ARM resource identified by a URL such as https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%.
- What is an authorization policy?
The authorization policy describes which users can perform which operations on which resources. Without a matching policy, a user is denied access. The policy is represented by role definitions and role assignments.
- What is a role definition?
A role definition describes which operations/actions a role can perform. For instance, the "Website Contributor" role has full permissions on the "WebApps" resource type (Microsoft.Web/sites/*).
```
// To get role definitions for a resource
ARMClient.exe get "https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01"
```

Role definition sample for Website Contributor:

```json
{
  "roleName": "Website Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": []
    }
  ],
  "createdOn": "0001-01-01T08:00:00Z",
  "updatedOn": "2016-05-31T23:14:06.5272742Z",
  "createdBy": null,
  "updatedBy": null
}
```
- What is a role assignment?
A role assignment describes which users/groups belong to which roles for which resources (scope). For instance, the user with objectId "foo" belongs to the "Website Contributor" role for the "bar" resource. In effect, user "foo" has full permissions on the "bar" WebApp resource.
A user can also be given permissions via a group. For instance, the group with objectId "foo" belongs to the "Website Contributor" role for the "bar" resource. In effect, any user in group "foo" has full permissions on the "bar" WebApp resource.
```
// To get role assignments for a resource
ARMClient.exe get "https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01"
```

Role assignment sample. To interpret it: the user or group (11b067db-6955-4cba-884a-012578e5bd5f) is a Website Contributor for the /subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testrg resource group. Looking at the Website Contributor role, this principal will have full permission on all WebApp resources under that resource group.

```jsonc
{
  "properties": {
    "roleDefinitionId": "/subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", // Website Contributor
    "principalId": "11b067db-6955-4cba-884a-012578e5bd5f", // this is a user or group
    "scope": "/subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testrg", // resource
    "createdOn": "2016-11-30T16:09:18.6938852Z",
    "updatedOn": "2016-11-30T16:09:18.6938852Z",
    "createdBy": "25fca160-1e0b-4d52-9a3a-3c7f0decba23",
    "updatedBy": "25fca160-1e0b-4d52-9a3a-3c7f0decba23"
  },
  "id": "/subscriptions/4e1a6126-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testappdebug/providers/Microsoft.Authorization/roleAssignments/1e4b7da1-d6d3-4360-abc3-e16dd7b1077c",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "1e4b7da1-d6d3-4360-abc3-e16dd7b1077c"
}
```
- Investigate issue
First, check whether the user, or a group the user belongs to, appears in a role assignment for the resource. If not, access is denied. If it does, check which role definition is associated with that assignment; that determines which operations the user can perform on which resources.
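The two-step check above, written out as an added example (not part of the original page or of ARMClient): given the user's oid plus its group oids, the role assignments and the role definitions, decide whether an action on a resource is allowed. The sample data is constructed to mirror the Website Contributor definition and assignment shown above; the subscription, user and group ids are placeholders.

```python
import fnmatch

# Constructed sample data, modelled on the role definition and role assignment
# shown above. Subscription, user and group ids are placeholders, not real values.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WEBSITE_CONTRIBUTOR = SUB + "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"

ROLE_DEFINITIONS = {
    WEBSITE_CONTRIBUTOR: {
        "roleName": "Website Contributor",
        "permissions": [{"actions": ["Microsoft.Authorization/*/read",
                                     "Microsoft.Web/serverFarms/read",
                                     "Microsoft.Web/sites/*"],
                         "notActions": []}],
    },
}

# One assignment: a group (not the user directly) is Website Contributor on resource group testrg.
ROLE_ASSIGNMENTS = [
    {"properties": {"roleDefinitionId": WEBSITE_CONTRIBUTOR,
                    "principalId": "group-placeholder-guid",
                    "scope": SUB + "/resourceGroups/testrg"}},
]

def action_matches(pattern, action):
    """ARM action strings compare case-insensitively; '*' spans path segments (Microsoft.Web/sites/*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def in_scope(assignment_scope, resource_id):
    """An assignment at a scope applies to that scope and to every resource beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")

def is_authorized(principal_ids, action, resource_id, assignments=ROLE_ASSIGNMENTS,
                  definitions=ROLE_DEFINITIONS):
    """principal_ids: the user's oid plus the oids of every group it belongs to (getMemberGroups)."""
    for ra in assignments:
        p = ra["properties"]
        if p["principalId"] not in principal_ids or not in_scope(p["scope"], resource_id):
            continue  # step 1: the assignment must name the user/group and cover the resource
        for perm in definitions[p["roleDefinitionId"]]["permissions"]:
            # step 2: the role definition must list the action and notActions must not exclude it
            if any(action_matches(n, action) for n in perm["notActions"]):
                continue
            if any(action_matches(a, action) for a in perm["actions"]):
                return True
    return False  # no matching assignment: access denied
```

Real ARM evaluation additionally applies deny assignments and data actions, which this sketch omits.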