In the last two posts, I explained how Azure RBAC works and what types of roles are available in Azure.
In this short article, I will explain how role assignments and deny assignments are made.
Role vs Deny Assignments
Azure RBAC is a fine-grained authorization system built on Azure Resource Manager. Permissions are grouped into roles.
A role defines a set of permissions. A role can be assigned to a security principal (i.e. a user, group, service principal or managed identity). The process of assigning a role to a security principal is called a role assignment.
A deny assignment specifies which permissions are not allowed for a security principal.
How is access granted?
Whenever a security principal tries to access an Azure resource, Azure Resource Manager first retrieves all the assignments associated with that resource. It then works out which of those assignments apply to the current security principal.
Azure Resource Manager then checks that the requested operation is included in the role assignments and is not included in the deny assignments. Access is granted only if both of these conditions are met.
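As an added illustration of the evaluation order just described (example code written for this explanation, not from the original article or from Azure itself), the following Python models a simplified Azure Resource Manager access check over constructed sample data: a Virtual Machine Contributor role assignment on a resource group plus a deny assignment of the kind Azure Blueprints creates. The principal names, scopes, role definition and deny assignment fields are constructed sample values.

```python
from fnmatch import fnmatchcase
# Constructed sample role definition with Azure-style action strings.
ROLE_DEFINITIONS = {
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []},
}
# Constructed role assignments: (principal, role, scope).
ROLE_ASSIGNMENTS = [("alice@contoso.example", "Virtual Machine Contributor",
                     "/subscriptions/sub1/resourceGroups/rg-demo")]
# Constructed deny assignment of the kind Azure Blueprints creates: blocks VM
# deletion across the resource group for everyone except one excluded principal.
DENY_ASSIGNMENTS = [{
    "scope": "/subscriptions/sub1/resourceGroups/rg-demo",
    "actions": ["Microsoft.Compute/virtualMachines/delete"],
    "principals": ["*"],                   # "*" means all principals
    "excludePrincipals": ["blueprint-svc"],
}]

def in_scope(scope, resource_id):
    """An assignment covers its scope and every resource beneath it."""
    return resource_id == scope or resource_id.startswith(scope + "/")

def matches(patterns, operation):
    # Azure action names are case-insensitive and '*' spans path segments.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_allows(principal, operation, resource_id):
    for who, role, scope in ROLE_ASSIGNMENTS:
        if who != principal or not in_scope(scope, resource_id):
            continue
        role_def = ROLE_DEFINITIONS[role]
        if matches(role_def["actions"], operation) and \
                not matches(role_def["notActions"], operation):
            return True
    return False

def deny_blocks(principal, operation, resource_id):
    for deny in DENY_ASSIGNMENTS:
        targeted = "*" in deny["principals"] or principal in deny["principals"]
        if in_scope(deny["scope"], resource_id) and targeted \
                and principal not in deny["excludePrincipals"] \
                and matches(deny["actions"], operation):
            return True
    return False

def is_allowed(principal, operation, resource_id):
    """Granted only if a role assignment permits the operation AND no deny blocks it."""
    return role_allows(principal, operation, resource_id) and \
        not deny_blocks(principal, operation, resource_id)
```

With this data, alice can create or start a VM in rg-demo but cannot delete one, because the deny assignment wins even though her role would otherwise permit the delete.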
Let’s now see how to perform role assignments and deny assignments.
Role Assignments in Azure Portal
Log in to the Azure Portal and open a resource group you have already created. Then select the Access control (IAM) option from the left navigation.
Click the Role assignments tab to see the current list of role assignments. If you want to remove an existing role assignment, click the Remove button (grayed out in the snapshot below).
Next, click Add -> Add role assignment. On the new panel, select the Virtual Machine Contributor role. Then search for a user, group or service principal by entering some text in the Select text box. Pick one from the search results and click the Save button.
After a few moments, the selected security principal will have the Virtual Machine Contributor role in the selected resource group, meaning it is granted the ability to create and manage virtual machines in this resource group.
Although we have demonstrated role assignment using the Azure Portal, it can also be done using the Azure CLI or PowerShell.
Deny Assignments in Azure Portal
We have just seen how easy it is to assign a role to a security principal. The next obvious question is: how can deny assignments be created?
You cannot directly create your own deny assignments.
Deny assignments are created and managed by Azure to protect resources. Azure Blueprints and Azure managed apps use deny assignments to protect system-managed resources, and they are the only way deny assignments can be created.
You can view deny assignments in the Azure Portal. Select Access control (IAM) and then the Deny assignments tab to see the deny assignments that apply to the selected resource.
I hope you enjoyed this article. Let me know your thoughts.