
Creating and Editing a Custom Role using Azure Cloud Shell

Cloud Access Manager creates a custom role in Azure for the service principal account that is provided to Cloud Access Manager when performing remote workstation management. The custom role is named Cloud Access Manager. This role is restricted from carrying out certain operations, such as reading virtual machine disks. This enhances the overall security of your Cloud Access Software deployment, since it limits Cloud Access Manager to only the resources necessary to fulfill its role.

Use Cases for Administrators

This procedure is for creating and editing custom roles using Azure Cloud Shell, and can be used for a number of administrative activities:

  • Editing and modifying privileges.
  • Creating the role prior to running the deployment script.
  • Understanding the access needs of the Cloud Access Manager service principal.
  • Reviewing if the service principal is set with the correct roles and privileges.
  • Editing the access rights of a current service principal.

In order to create this role using Cloud Shell, you must have Microsoft.Authorization/roleDefinitions/write permissions. The following section outlines the steps involved in creating or editing a custom role using Azure Cloud Shell:

  1. Log into the Azure Portal and click the Cloud Shell icon in the top panel to open an Azure Cloud Shell instance. Ensure you select PowerShell as your environment.
  2. Enter the following command to check whether the role definition already exists:

       $camCustomRoleDefinition = Get-AzureRmRoleDefinition "Cloud Access Manager"

     • If the role does not exist, the easiest way to create a new role definition is to base it on an existing role. You can base it on the Contributor role and remove the permissions you do not want:

       $camCustomRoleDefinition = Get-AzureRmRoleDefinition "Contributor"
       $camCustomRoleDefinition.Id = $null
       $camCustomRoleDefinition.IsCustom = $true
       $camCustomRoleDefinition.Name = "Cloud Access Manager"
       $camCustomRoleDefinition.Description = "Required Permissions for Cloud Access Manager"

     • If the role does exist, retrieve and edit the existing definition with the following command:

       $camCustomRoleDefinition = Get-AzureRmRoleDefinition "Cloud Access Manager"

     • You need to clear the 'AssignableScopes' property and replace its contents with 'subscriptions/{subscriptionID}' for each target subscription, as outlined in the screenshots below:

[Screenshot: editing the AssignableScopes of the role definition in Azure Cloud Shell]

For more information on creating and managing a role with PowerShell, see Role Management with PowerShell.

'Assignable Scope' for every Subscription

You are required to add an assignable scope for each individual subscription in which you are planning on provisioning Cloud Access Manager.

  3. It is possible to edit both the Actions and NotActions collections of the role definition. The Actions collection states the operations the role is allowed to perform, and the NotActions collection states the operations it is not allowed to perform; NotActions override Actions. The .Clear(), .Add(), and/or .RemoveAt() methods can be used to modify the settings as required. Within the Actions, clear the existing allowed actions and add what is needed for Cloud Access Manager:

# Clear out existing Actions
$camCustomRoleDefinition.Actions.Clear()


# Actions to add
$requiredActions = @(
    "Microsoft.Resources/*"
    "Microsoft.KeyVault/*"
    "Microsoft.Storage/*"
    "Microsoft.Network/*"
    "Microsoft.Compute/*"
)

# Add Actions required to be enabled
foreach ( $Action in $requiredActions) {
    if ( -not $camCustomRoleDefinition.Actions.Contains($Action)) {
        $camCustomRoleDefinition.Actions.Add($Action)
    }
}
  4. Within the NotActions, you can narrow what the Cloud Access Manager role can do within the allowed actions. This setting strengthens the security boundary between Cloud Access Manager and the remote workstations. For example, it prevents Cloud Access Manager from accessing data on the remote workstations' managed disks, and from performing more advanced networking actions:

# Clear out existing NotActions
$camCustomRoleDefinition.NotActions.Clear()

# Actions to remove
$requiredNotActions = @(
    # Default NotActions to disable to prevent elevation of privilege
    'Microsoft.Authorization/*/Delete'
    'Microsoft.Authorization/*/Write'
    'Microsoft.Authorization/elevateAccess/Action'

    # Remove ability to access snapshots
    'Microsoft.Compute/snapshots/*'
    # Remove ability to access restore points
    'Microsoft.Compute/restorePointCollections/*'
    # Remove ability to get SAS URI of VM Disk for Blob access
    'Microsoft.Compute/disks/beginGetAccess/action'
    # Remove ability to revoke SAS URI of VM Disk for Blob access
    'Microsoft.Compute/disks/endGetAccess/action'

    # Remove ability to access application gateway WAF rulesets
    'Microsoft.Network/applicationGatewayAvailableWafRuleSets/*'
    # Remove ability to access vpn connection info
    'Microsoft.Network/connections/*'
    # Remove ability to access dns zones and operation statuses
    'Microsoft.Network/dnszones/*'
    'Microsoft.Network/dnsoperationstatuses/*'
    # Remove ability to access express routes
    'Microsoft.Network/expressRouteCrossConnections/*'
    'Microsoft.Network/expressRouteCircuits/*'
    'Microsoft.Network/expressRouteServiceProviders/*'
    # Remove ability to access load balancers
    'Microsoft.Network/loadBalancers/*'
    # Remove ability to access network watchers
    'Microsoft.Network/networkWatchers/*'
    # Remove ability to access route filters and tables
    'Microsoft.Network/routeFilters/*'
    'Microsoft.Network/routeTables/*'
    # Remove ability to access secure gateways
    'Microsoft.Network/securegateways/*'
    # Remove ability to access service endpoint policies
    'Microsoft.Network/serviceEndpointPolicies/*'
    # Remove ability to access traffic management
    'Microsoft.Network/trafficManagerProfiles/*'
    'Microsoft.Network/trafficManagerUserMetricsKeys/*'
    'Microsoft.Network/trafficManagerGeographicHierarchies/*'
    # Remove ability to delete Vnets
    'Microsoft.Network/virtualNetworks/delete'
    # Remove ability to peer Vnet to other Vnets
    'Microsoft.Network/virtualNetworks/peer/action'
    # Remove ability to access Vnet peering info
    'Microsoft.Network/virtualNetworks/virtualNetworkPeerings/*'
    # Remove ability to access virtual network gateways and taps
    'Microsoft.Network/virtualNetworkGateways/*'
    'Microsoft.Network/virtualNetworkTaps/*'
    # Remove ability to access virtual wans and hubs
    'Microsoft.Network/virtualwans/*'
    'Microsoft.Network/virtualHubs/*'
    # Remove ability to access vpn gateways and sites
    'Microsoft.Network/vpnGateways/*'
    'Microsoft.Network/vpnsites/*'

    # Remove ability to access queue service in storage account
    'Microsoft.Storage/StorageAccounts/queueServices/*'
)

# Add Not Actions required to be disabled
foreach ( $notAction in $requiredNotActions) {
    if ( -not $camCustomRoleDefinition.NotActions.Contains($notAction)) {
        $camCustomRoleDefinition.NotActions.Add($notAction)
    }
}
  5. Once you have edited the settings, save the role by running the command that matches your case:
# To save an existing role
Set-AzureRmRoleDefinition -Role $camCustomRoleDefinition
# or to save a new role
New-AzureRmRoleDefinition -Role $camCustomRoleDefinition
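The following script is an added example, not code from the original page or from the Cloud Access Manager project. It runs steps 2 to 5 above end to end in one idempotent pass: it looks up the role, creates it from Contributor only when it is absent, sets one assignable scope per target subscription (using the fully qualified "/subscriptions/<id>" form that the Azure RBAC API expects), replaces Actions and NotActions with exactly the required sets, saves with the correct cmdlet, and then reads the definition back to confirm the deny list is in place before the role is assigned to anything. The subscription IDs are constructed placeholders, the NotActions list is the privilege-escalation and disk-access subset from step 4 (extend it with the rest of that list), and the script assumes Get-AzureRmRoleDefinition returns nothing, rather than an error, when no role of that name exists.

```powershell
# Added example: create or update the "Cloud Access Manager" custom role in one pass.
# Inputs (constructed placeholders; replace with your own values)
$roleName = "Cloud Access Manager"
# Every subscription in which Cloud Access Manager will be provisioned needs an
# assignable scope. These subscription IDs are placeholders, not real IDs.
$subscriptionIds = @(
    "00000000-0000-0000-0000-000000000001"
    "00000000-0000-0000-0000-000000000002"
)

# Actions the role grants (same list as step 3 above)
$requiredActions = @(
    "Microsoft.Resources/*"
    "Microsoft.KeyVault/*"
    "Microsoft.Storage/*"
    "Microsoft.Network/*"
    "Microsoft.Compute/*"
)

# Subset of the NotActions from step 4: privilege escalation and disk data access.
# Extend with the remaining entries from step 4 for a full deployment.
$requiredNotActions = @(
    'Microsoft.Authorization/*/Delete'
    'Microsoft.Authorization/*/Write'
    'Microsoft.Authorization/elevateAccess/Action'
    'Microsoft.Compute/snapshots/*'
    'Microsoft.Compute/restorePointCollections/*'
    'Microsoft.Compute/disks/beginGetAccess/action'
    'Microsoft.Compute/disks/endGetAccess/action'
)

# Step 2: look the role up; base a new one on Contributor only if it does not exist.
# Assumption: Get-AzureRmRoleDefinition returns nothing (not an error) on no match.
$role = Get-AzureRmRoleDefinition $roleName
$isNewRole = ($null -eq $role)
if ($isNewRole) {
    $role = Get-AzureRmRoleDefinition "Contributor"
    $role.Id = $null
    $role.IsCustom = $true
    $role.Name = $roleName
    $role.Description = "Required Permissions for Cloud Access Manager"
}

# Assignable scopes: replace whatever is there (Contributor carries "/") with one
# fully qualified subscription scope per target subscription.
$role.AssignableScopes.Clear()
foreach ($id in $subscriptionIds) {
    $role.AssignableScopes.Add("/subscriptions/$id")
}

# Steps 3 and 4: replace Actions and NotActions with exactly the required sets.
$role.Actions.Clear()
foreach ($action in $requiredActions) {
    if (-not $role.Actions.Contains($action)) { $role.Actions.Add($action) }
}
$role.NotActions.Clear()
foreach ($notAction in $requiredNotActions) {
    if (-not $role.NotActions.Contains($notAction)) { $role.NotActions.Add($notAction) }
}

# Step 5: save with the cmdlet that matches whether the role already existed.
if ($isNewRole) {
    $saved = New-AzureRmRoleDefinition -Role $role
} else {
    $saved = Set-AzureRmRoleDefinition -Role $role
}

# Read the definition back and fail loudly if any required NotActions entry is
# missing, so a half-applied deny list is never assigned to the service principal.
$check = Get-AzureRmRoleDefinition $roleName
$missing = $requiredNotActions | Where-Object { -not $check.NotActions.Contains($_) }
if ($missing) {
    throw "Role '$roleName' is missing NotActions: $($missing -join ', ')"
}
Write-Output ("Role '{0}' saved: {1} Actions, {2} NotActions, {3} assignable scopes." -f `
    $check.Name, $check.Actions.Count, $check.NotActions.Count, $check.AssignableScopes.Count)
```

Run it from a PowerShell Cloud Shell session with an account that holds Microsoft.Authorization/roleDefinitions/write on every subscription listed; the final read-back is what turns the procedure from "I ran the commands" into "the deny list is actually in effect".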
For more information on Microsoft's built-in roles, see Built-in roles for Azure role-based access control. You can monitor activity logs for any modifications to role-based access control; see View activity logs for role-based access control changes. To view a full list of available operations, you can run the following command(s):

# Eg, View All Actions
Get-AzureRmProviderOperation *
# Eg, View all Storage Actions
Get-AzureRmProviderOperation 'Microsoft.Storage/*'
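The following script is an added example, not code from the original page or from the Cloud Access Manager project. It covers the review use case listed above (checking that the service principal holds only the intended role) and the activity-log monitoring the previous paragraph points to: it lists every role assignment held by the service principal, flagging anything other than the custom role, then pulls the last seven days of Microsoft.Authorization activity-log events that touched role definitions or assignments, with the caller and status of each. The service principal application ID is a constructed placeholder, and passing the application ID to -ServicePrincipalName is an assumption about how that parameter resolves the principal.

```powershell
# Added example: review a service principal's role assignments and recent RBAC changes.
$roleName = "Cloud Access Manager"
$spAppId  = "00000000-0000-0000-0000-00000000abcd"   # placeholder application ID, replace

# 1. Role assignments for the service principal in the current subscription context.
#    Any assignment other than the custom role deserves review: an extra Contributor
#    or Owner assignment would silently undo the NotActions restrictions.
#    Assumption: -ServicePrincipalName accepts the application ID.
$assignments = Get-AzureRmRoleAssignment -ServicePrincipalName $spAppId
if (-not $assignments) {
    Write-Warning "No role assignments found for service principal $spAppId"
}
foreach ($assignment in $assignments) {
    $flag = if ($assignment.RoleDefinitionName -eq $roleName) { "ok" } else { "REVIEW" }
    Write-Output ("{0,-8} {1,-30} {2}" -f $flag, $assignment.RoleDefinitionName, $assignment.Scope)
}

# 2. Activity log: who changed role definitions or role assignments in the last 7 days.
#    Get-AzureRmLog returns subscription-level events when no resource scope is given;
#    OperationName and Status are localizable strings, so their .Value is used.
$since  = (Get-Date).AddDays(-7)
$events = Get-AzureRmLog -StartTime $since -ResourceProvider "Microsoft.Authorization"
$events |
    Where-Object { $_.OperationName.Value -like 'Microsoft.Authorization/role*' } |
    Select-Object EventTimestamp, Caller,
        @{ Name = 'Operation'; Expression = { $_.OperationName.Value } },
        @{ Name = 'Status';    Expression = { $_.Status.Value } } |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize
```

A write to Microsoft.Authorization/roleDefinitions by a caller other than the administrator who maintains this role is the event to alert on, since it is the one that can widen what the Cloud Access Manager service principal is permitted to do.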