Azure offers various levels of roles that can be assigned to users. These range from the Reader role to Virtual Machine Contributor and even the ability to create custom roles specifically for users. The purpose of granting these permissions and restrictions is to enhance the security of your cloud environment.
In this blog post, I will demonstrate the process of creating a user and assigning them the Contributor role. Before we proceed, let's briefly explore the different levels of roles available in Azure.
Azure Active Directory roles
These are used to manage Azure AD resources in a directory such as creating or editing users, assigning administrative roles to others, resetting user passwords, managing user licenses, and managing domains
Job Function role
These are roles specifically designed to provide users with permission to perform particular job functions or tasks within the Azure environment. Examples of Job Function Roles include Reader, Network Contributor, Storage Account Contributor, and Virtual Machine Contributor.
Privileged Administrator Roles
These are high-level roles that provide users with high permissions to manage resources across the Azure environment. Examples are Owner, Contributor & User Access Administrator.
a) Owner
The owner role grants the user full access to manage all Azure resources. It also allows this user to assign roles to other users in Azure (Resource-based Access Control) RBAC.
b) Contributor
A user with a contributor role assigned to him can only manage resources. He cannot assign roles to other users.
c) User Access Administrator
From the word "access". This role allows the user to manage access to Azure resources only. They have no access to the actual resources themselves.
It should be noted that upon creation of an Azure account, you are automatically assigned an owner role and a user Access Administrator role.
How To Add a New User to Your Directory
Go to the Azure Portal, and search for "Azure active directory" or "Users"
Once you get to the Users page, Click on "New user"
You can either create a new internal user or invite an external user
This will lead you to the invite external user page. Input the external user email address and display name. You can also choose to send a message and copy a mail.
Click on "Next: Properties>"
On the properties page, you can input the user's identity, job information and so on.
Click on "Next: Assignments>"
On the Assignments page, you can choose to "Add group" or add "Add role".
Once you click on "Add role", you will be directed to this page below.
However, for this demo, I'm not adding any Directory roles to this user. So, I will skip this stage and move to review and create the page.
10.) Once you've reviewed it, click on "Invite". Your new user will get an email invitation to accept the invitation
11.) The user's name will appear on this page reflecting its display name, user principal name, user type, identity and so on
How to Assign Contributor Role to a User
Now that we've been able to add Yinka as a user, let's go to the Azure console and search for "Subscription".
Select your subscription.
On your subscription, click on "Access control (IAM)"
On the access control page, Click on "Add role assignment"
On the add role assignment page, click "privileged administrator roles"
Type "contributor" on the search bar and select it. Click on "Next".
Select the type of access you want to assign.
To add the user, click on "+Select members"
This will direct you to search for the name of the member you want to assign the contributor role.
Once you've selected your member it will appear as shown in the red box. Then click on "Select"
The member automatically appears on the Add role assignment page. Click "Review+assign"
On the review page, Azure warns of the type of permission we are granting this user (Yinka).
This proves to tell you that the 'contributor" role which is a privileged administrator role gains access to all resources in the subscription. Whereas, a job function role is given less access specified for the job
12.) Click the Review+assign button to assign the role.
To view the role assigned, you can go back to the Acess control (IAM) under your subscription.
13.) Click on "Role assignments" or click "View" on the "View access to this resources" box.
14.) You can see that "Yinka (Guest)" is assigned a contributor role. This way, he can create any resources under the owner's subscription with the exception of assigning roles.
I hope this blog helped you understand assignment of contributor role to a user. Thank you