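# Login to Azure Account (interactive sign-in).
# NOTE(review): this script targets the retired AzureRM module; the Az module
# equivalents are Connect-AzAccount / Get-AzSubscription / Set-AzContext.
Login-AzureRmAccount

# Select Azure subscription via an interactive picker.
# Every scope string below is built from $subscriptionId, so a cancelled picker
# (which yields $null) must stop the script here instead of producing a
# "/subscriptions/" scope further down.
$subscriptionId = (Get-AzureRmSubscription |
    Out-GridView -Title "Select an Azure Subscription ..." -PassThru).SubscriptionId
if (-not $subscriptionId) {
    throw "No subscription selected; aborting before any role changes are made."
}
Select-AzureRmSubscription -SubscriptionId $subscriptionId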
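# Assign Reader to subscription
$roleName = "Reader"
$adGroupName = "Demo Test"

# -SearchString matches display names that *start with* the string, so it can
# return more than one group (e.g. "Demo Test" and "Demo Testers"). A role
# assignment must target exactly one principal: narrow to an exact display-name
# match and refuse to continue on zero or multiple hits rather than granting the
# role to whichever object happened to come back first.
$adGroup = @(Get-AzureRMADGroup -SearchString $adGroupName |
    Where-Object DisplayName -eq $adGroupName)
if ($adGroup.Count -ne 1) {
    throw "Expected exactly one AAD group named '$adGroupName', found $($adGroup.Count)."
}
$adGroup = $adGroup[0]

# Subscription-wide scope: Reader here can read every resource (and its
# metadata) in the subscription. Narrow the scope if the task allows it.
$scope = "/subscriptions/$subscriptionId"
$roleAssignment = New-AzureRmRoleAssignment `
    -ObjectId $adGroup.Id `
    -RoleDefinitionName $roleName `
    -Scope $scope

# Show assignments visible at the current context so the new one can be verified
Get-AzureRmRoleAssignment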
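# Select Azure Resource Group in which the existing VNET is provisioned.
# Each picker can be cancelled (returns $null); fail fast so a later role
# assignment is never attempted against an empty or wrong scope.
$rgName = (Get-AzureRmResourceGroup |
    Out-GridView -Title "Select an Azure Resource Group ..." -PassThru).ResourceGroupName
if (-not $rgName) {
    throw "No resource group selected."
}

# Select the Azure VNET containing the subnet that will be used as a role-assignment scope
$vnetName = (Get-AzureRmVirtualNetwork -ResourceGroupName $rgName).Name |
    Out-GridView -Title "Select an Azure VNET ..." -PassThru
if (-not $vnetName) {
    throw "No virtual network selected."
}
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
# Not referenced later in this script; kept for parity with the original
$location = $vnet.Location

# Select the subnet to use as the role-assignment scope
$subnetName = $vnet.Subnets.Name |
    Out-GridView -Title "Select an Azure Subnet ..." -PassThru
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
if (-not $subnet) {
    throw "No subnet selected (or '$subnetName' not found in VNET '$vnetName')."
}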
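# Assign Virtual Machine Contributor Role to a Subnet.
# Scoping the assignment to $subnet.Id limits it to the subnet-level actions in
# that role (presumably the subnet join action) rather than the whole VNET or RG.
$roleName = "Virtual Machine Contributor"
$adGroupName = "Demo Test"

# Resolve the principal by exact display name; -SearchString alone is a
# starts-with match and may return several groups. Never assign on an
# ambiguous lookup.
$adGroup = @(Get-AzureRMADGroup -SearchString $adGroupName |
    Where-Object DisplayName -eq $adGroupName)
if ($adGroup.Count -ne 1) {
    throw "Expected exactly one AAD group named '$adGroupName', found $($adGroup.Count)."
}
$adGroup = $adGroup[0]

$roleAssignment = New-AzureRmRoleAssignment `
    -ObjectId $adGroup.Id `
    -RoleDefinitionName $roleName `
    -Scope $subnet.Id

# Display Role Assignments
Get-AzureRmRoleAssignment

# Remove the assignment just created (demo clean-up); the ObjectId/role/scope
# triple identifies exactly that assignment, nothing broader.
Remove-AzureRmRoleAssignment `
    -ObjectId $roleAssignment.ObjectId `
    -RoleDefinitionName $roleName `
    -Scope $subnet.Id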
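# Select actions to allow in the new custom role (multi-select over every
# operation the providers expose).
$actions = Get-AzureRmProviderOperation -ActionString "*" |
    Out-GridView -Title "Select Actions to Permit ..." -OutputMode Multiple

# Privilege-escalation guard: wildcard actions, or write/delete on
# Microsoft.Authorization (role assignments / definitions), let holders of the
# role widen their own access. Warn loudly before such a role is created;
# creation is not blocked so the demo still runs, but the operator is told.
$risky = @($actions | Where-Object {
    $_.Operation -match '\*' -or
    $_.Operation -match '^Microsoft\.Authorization/.*/(write|delete)$'
})
if ($risky.Count -gt 0) {
    Write-Warning ("Selected actions allow wildcard or RBAC-management rights: " +
        (($risky | ForEach-Object { $_.Operation }) -join ', '))
}

# Prompt for name and description of the new custom role
$roleName = Read-Host -Prompt "Enter name for new role"
$roleDesc = Read-Host -Prompt "Enter description for new role"
if ([string]::IsNullOrWhiteSpace($roleName)) {
    throw "A role name is required."
}

# Define the custom role object by cloning the built-in Reader role.
# Cloning keeps Reader's own Actions (*/read), so the new role always reads
# everything in its assignable scopes plus the selected actions; clear
# $roleDef.Actions first if read-everything is not wanted.
$roleDef = Get-AzureRmRoleDefinition "Reader"
$roleDef.Id = $null   # null Id => create a new definition instead of updating Reader
$roleDef.Name = $roleName
$roleDef.Description = $roleDesc
# Least privilege: the role can only be assigned within this subscription
$roleDef.AssignableScopes = @("/subscriptions/$subscriptionId")
foreach ($action in $actions) {
    $roleDef.Actions.Add("$($action.Operation)")
}

# Create new custom role based on defined role object
New-AzureRmRoleDefinition -Role $roleDef

# Remove custom role (demo clean-up).
# NOTE(review): a definition read immediately after creation may lag; if the
# lookup returns nothing here, re-run the removal rather than leaving the role behind.
$role = Get-AzureRmRoleDefinition -Name $roleName
if ($role) {
    Remove-AzureRmRoleDefinition -Id $role.Id
} else {
    Write-Warning "Custom role '$roleName' was not found for removal; check it manually."
}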
# Review Access Change History Report: who changed which role assignment,
# on which principal and scope, over the last seven days (local time).
$windowStart = (Get-Date).AddDays(-7)
Get-AzureRmAuthorizationChangeLog -StartTime $windowStart |
    Format-Table Caller, Action, RoleName, PrincipalType, PrincipalName, ScopeType, ScopeName