Delegate Azure role assignment management using conditions

We're excited to share the public preview of delegating Azure role assignment management using conditions. This preview gives you the ability to enable others to assign Azure roles but add restrictions on the roles they can assign and who they can assign roles to. 

As the owner of an Azure subscription, you likely get requests from developers to grant them the ability to assign roles in your subscription. You could assign them the Owner or User Access Administrator role, but those roles grant permission to assign any Azure role (including Owner!), and that's probably a lot more permission than necessary for that developer's scenario. You could instead make role assignments for these developers on demand, but that makes you an unnecessary and impractical bottleneck in their workflow.

Another common case we hear about is a deployment pipeline that needs to make role assignments as part of the deployment process, for example to grant a virtual machine managed identity access to Azure and other resources. You don't want to assign the deployment pipeline the Owner or User Access Administrator role because again, it's a lot more permission than is needed for the scenario.

We created this feature so you can grant permission to create role assignments, but only under specific conditions, such as for specific roles. You can do this in two ways:

  • Make a role assignment that is constrained using conditions.
  • Use a new built-in role that has built-in conditions.

Let's look at each scenario.

How to delegate role assignment management using conditions

Meet Dara, a developer who needs to enable an Azure Kubernetes Service (AKS) managed identity to pull images from an Azure Container Registry (ACR). Now, you can assign Dara the Role Based Access Control Administrator role and add conditions so she can only assign the AcrPull and AcrPush roles, and only to service principals.

Figure 1: Delegate Azure role assignment management using conditions.

Let's look at how to do this:

Step 1: When creating a new role assignment, on the Privileged administrator roles tab, select the new Role Based Access Control Administrator role. You could also select any built-in or custom role that includes the Microsoft.Authorization/roleAssignments/write action.

Figure 2: Select role

Step 2: On the Members tab, select the user you want to delegate the role assignment task to.

Figure 3: Select members

Step 3: On the Condition tab, click Add condition to add the condition to the role assignment.

Figure 4: Add condition to role assignment

Step 4: On the Add role assignment condition page, specify how you want to constrain the role assignments this user can perform by selecting one of the templates. For example, if you only want to restrict the roles that a user can assign (for example, AcrPull and AcrPush) and the type of principals the user can assign roles to (for example, service principals), select the Constrain roles and principal types template.

Figure 5: Select role template

Step 5: On the Constrain roles and principal types pane, add the roles you want the user to be able to assign and select the principal types the user can assign those roles to.


Figure 6: Select role and principal type

Step 6: Save the condition and complete the role assignment.

Figure 7: Review role assignment with conditions
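The same delegation done with Azure CLI instead of the portal, as an added example that is not part of the original post. It emits the condition the Constrain roles and principal types template produces, resolves the AcrPull and AcrPush role definition GUIDs by name rather than hard-coding them, and assigns Role Based Access Control Administrator with that condition attached; ASSIGNEE_OBJECT_ID and SCOPE are placeholders you supply.

```shell
# Added example (not the original post's code): the portal steps above as
# Azure CLI. Requires a logged-in `az` session when the last function is called.
set -eu

# Emit the ABAC condition behind the "Constrain roles and principal types"
# template: the delegate may create (write) or remove (delete) a role assignment
# only if its role is in the allowed GUID list AND its principal is of an allowed
# type. $1 = "guid, guid", $2 = "'Type', 'Type'" (e.g. 'ServicePrincipal').
build_rbac_condition() {
  cat <<EOF
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$1}
  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {$2}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$1}
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {$2}
 )
)
EOF
}

# Look up a built-in role's definition GUID by its display name.
role_guid() { az role definition list --name "$1" --query "[0].name" -o tsv; }

# Give a user Role Based Access Control Administrator, constrained so they can
# only hand out AcrPull/AcrPush, and only to service principals.
delegate_acr_role_management() {
  acr_pull=$(role_guid AcrPull); acr_push=$(role_guid AcrPush)
  cond=$(build_rbac_condition "$acr_pull, $acr_push" "'ServicePrincipal'")
  az role assignment create --role "Role Based Access Control Administrator" \
    --assignee-object-id "$1" --assignee-principal-type User --scope "$2" \
    --condition "$cond" --condition-version "2.0"
}
# Usage: delegate_acr_role_management ASSIGNEE_OBJECT_ID SCOPE
```

The write branch checks the incoming request while the delete branch checks the existing assignment, so a delegate cannot remove assignments outside the allowed set either.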

How to delegate role assignment management using a new built-in role with built-in conditions

Now Dara wants to control who can sign in to a virtual machine using Microsoft Entra credentials. To do this, Dara needs to create role assignments for the Virtual Machine User Login or Virtual Machine Administrator Login roles. In the past, you had to grant Dara the Owner or User Access Administrator role so she could make these assignments. Now, you can grant Dara the new Virtual Machine Data Access Administrator role. Then, Dara will only be able to assign the roles needed to manage access to the virtual machine.

Figure 8: Virtual Machine Data Access Administrator

Similarly, you can assign the Key Vault Data Access Administrator role to trusted users who manage key vaults, enabling them to assign only Azure Key Vault-related roles.

To assign the new built-in roles with built-in conditions, start a new role assignment, select the Job function roles tab, and select a role with built-in conditions, such as Virtual Machine Data Access Administrator. Then complete the flow to add a new role assignment.

Figure 9: Select Key Vault or Virtual Machine Data Access Administrator

Roles with built-in conditions have Data Access Administrator as part of the role name. You can also check whether a role definition contains a condition: in the Details column, click View, select the JSON tab, and then inspect the condition property. Over time we'll add more roles with built-in conditions for the most common scenarios, to make it easy to manage resources and manage access to those resources with simple role assignments.

Figure 10: Key Vault Data Access Admin JSON view definition

Next steps

We have several examples for you to get started and customize as needed. Delegating Azure role assignments with conditions is supported using the Azure portal, Azure Resource Manager REST API, PowerShell, and Azure CLI. Try it out and let us know your feedback in the comments or by using the Feedback button on the Access control (IAM) blade in the Azure portal!

Figure 11: Provide feedback

Stuart Kwan

Partner Manager, Product Management

Microsoft Entra


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.