Introduction
In cloud environments, giving users excessive permissions can introduce major security risks. One of the key principles of cloud security is the principle of least privilege, where users receive only the permissions required to perform their tasks.
In this hands-on project, I implemented a custom Role-Based Access Control (RBAC) role in Microsoft Azure to allow a user to manage virtual machines without granting full administrative access.
The custom role allowed the user to:
- Start virtual machines
- Stop virtual machines
- View virtual machines
While restricting the user from:
- Deleting virtual machines
- Modifying networking resources
- Assigning IAM roles
This project helped me gain practical experience with:
- Azure IAM and RBAC
- Custom role creation
- Least privilege security
- Resource Group scoped permissions
- Permission testing and validation
Scenario
The DevOps team required a user who could operate virtual machines for daily operational tasks without having permission to delete resources or manage access control settings.
Project Objectives
- Create a custom RBAC role
- Assign VM-specific permissions
- Restrict unnecessary privileges
- Assign role at Resource Group level
- Validate access using a test user
Environment Setup
- Resource Group
- Virtual Machine
- Test user (ops-user)
First we need to create our resource group. For a guide on resource groups, see the link below to one of our articles on creating resource groups.
Next we create our user.
We will be brief with this step.
First, search for Microsoft Entra ID in the portal search bar.
Click on the result.
Go to Manage, click on Users, then Create user.
For a step-by-step guide on creating a user, click on the link below for full details.
The next step is to create the custom role:
To create the custom role, follow the steps below.
First go to the resource group we created, click on Access control (IAM), click on Add, then Add custom role.
Give the custom role a name and a description.
Click on Next.
Click on Add permissions.
Since the role we want to assign is read (view), start and stop (deallocate), we enter Microsoft.Compute/virtualMachines in the permission search box; this gives us access to the virtual machine operations. Click on the Microsoft Compute result, then narrow it down by adding /read to the path, select the permission and click on Add.
The read permission will be added.
We do the same thing for start.
Click on Add permissions again, enter Microsoft.Compute/virtualMachines in the permission search box, click on Microsoft Compute, then add /start to the path, click on the start VM permission and add it.
This adds the start permission to the list for our custom role.
Next is the permission to stop a VM. In Azure this is not called stop but deallocate, so we do the same thing as before: click on Add permissions, paste Microsoft.Compute/virtualMachines in the search bar, click on Microsoft Compute, add /deallocate to the path and select the permission. This gives the role the power to stop the VM.
Our permissions should look like this:
This adds the read, start and stop powers to our custom role. Click Next; on Assignable scopes we leave the default, and then we have our JSON:
```json
{
  "properties": {
    "roleName": "VM Operator",
    "description": "The custom role allowed the user to:\n- Start virtual machines\n- Stop virtual machines\n- View virtual machines",
    "assignableScopes": [
      "/subscriptions/732a7227-baa8-4458-8e10-4c85a2615397/resourceGroups/vm-Operator-rg"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/deallocate/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Click Next and then Create.
As a security restriction, I intentionally did not include:
- Microsoft.Authorization/*
- Microsoft.Network/*
- Microsoft.Compute/virtualMachines/delete
This prevents:
- IAM modifications
- Network changes
- VM deletion
We now assign this role to our user ops-user, whom we created, at the resource group level; this gives the user the power to start, stop and view VMs in this resource group only.
To assign the role to our user, we go to the resource group vm-operator-rg that we created and click on Add.
On the Role tab, search for the custom role we created by typing the name we gave it, VM Operator, and select the custom role.
Click on Next.
Click on Select members to add the user we want to give this permission to.
Select the user and click on Select.
Click on Next, then Review + assign.
We have successfully created our custom role and assigned it to a user.
Our user can start, view and stop VMs, but cannot delete VMs or modify IAM.
To test some of these actions in practice, we log in to the ops-user account.
First we try to assign an IAM role on the VM from the ops-user account. We can see that the Add button is greyed out: the user has no permission for this operation.
Let us also try to delete the VM.
We can see that we get an error when trying to delete the VM.
Now let us try to stop our running VM.
It succeeds, because we gave the user the power to stop the VM.
Let us start our VM: we click on Start.
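To check the same restrictions without clicking through the portal as ops-user, here is an added Python example (not from the article) that evaluates the role definition above the way Azure control-plane RBAC does: an operation is permitted when an entry in actions matches it, no entry in notActions matches, and the resource sits under the assignment scope. The VM name ops-vm, the second resource group other-rg and the broad wildcard role are constructed for this example; the broad role is a simplified stand-in for an over-permissive built-in style role, not the exact definition of any Azure built-in role.

```python
import fnmatch
import json

# Action list and assignable scope taken from the article's role JSON.
VM_OPERATOR = json.loads("""{"properties": {"roleName": "VM Operator",
  "assignableScopes": ["/subscriptions/732a7227-baa8-4458-8e10-4c85a2615397/resourceGroups/vm-Operator-rg"],
  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                               "Microsoft.Compute/virtualMachines/start/action",
                               "Microsoft.Compute/virtualMachines/deallocate/action"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]}}""")

# Constructed stand-in for a broad role (wildcard actions narrowed by a few NotActions).
# Simplified for the example; NOT the exact definition of Azure's Contributor role.
BROAD_ROLE = {"properties": {"roleName": "broad-role (constructed)", "permissions": [
    {"actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]}]}}

# Assignment scope from the article; the VM resource ids below are constructed samples.
RG_SCOPE = "/subscriptions/732a7227-baa8-4458-8e10-4c85a2615397/resourceGroups/vm-Operator-rg"
VM_ID = RG_SCOPE + "/providers/Microsoft.Compute/virtualMachines/ops-vm"
OTHER_VM_ID = ("/subscriptions/732a7227-baa8-4458-8e10-4c85a2615397/resourceGroups/other-rg"
               "/providers/Microsoft.Compute/virtualMachines/other-vm")

def _match(pattern: str, action: str) -> bool:
    # Operation strings are case-insensitive and '*' matches any run of characters,
    # including '/', so 'Microsoft.Authorization/*' covers every Authorization operation.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_permits(role: dict, action: str) -> bool:
    """Granted when some 'actions' entry matches and no 'notActions' entry matches.
    NotActions only narrow this role; explicit denies (deny assignments) are not modelled."""
    for perm in role["properties"]["permissions"]:
        granted = any(_match(p, action) for p in perm["actions"])
        excluded = any(_match(p, action) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False

def is_allowed(role: dict, assignment_scope: str, resource_id: str, action: str) -> bool:
    """Assignments inherit downwards: the resource must sit at or under the assignment scope."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower()
    in_scope = target == scope or target.startswith(scope + "/")
    return in_scope and role_permits(role, action)

if __name__ == "__main__":  # the delete and start checks the article performs as ops-user
    for act in ("Microsoft.Compute/virtualMachines/start/action", "Microsoft.Compute/virtualMachines/delete"):
        print(act, is_allowed(VM_OPERATOR, RG_SCOPE, VM_ID, act), is_allowed(BROAD_ROLE, RG_SCOPE, VM_ID, act))
```

Data-plane actions (dataActions) and deny assignments are outside this check, so treat it as a review of the role definition, not a replacement for testing with the real account.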
Key Security Lessons
Least privilege reduces security risk
Custom roles provide granular control
Resource Group scope limits exposure
Built-in roles may provide excessive permissions
Conclusion
This project demonstrated how custom RBAC roles can be used to enforce least privilege access in Azure environments. Instead of assigning broad built-in roles, custom permissions allowed secure delegation of operational tasks while protecting critical infrastructure and access control configurations.
Thanks for reading