AAD Rbac Issue Investigation

Suwat Ch edited this page Jan 9, 2017 · 12 revisions
  • Overview

RBAC (role-based access control) is used to determine whether a user or service principal can perform an operation on a resource. Let's review each term.

  • List current user permissions

Before jumping into a detailed investigation, you may want to list the user's permissions for the resource. The authorization engine iterates over and unions (OR) all matching role definitions. If any one of them allows the operation, the end result is allowed (independent of role definition order). Within a role definition, notActions is checked first; if it matches, the result is NOT allowed. Then actions is checked; if it matches, the result is allowed. Otherwise, the result is NOT allowed.

ARMClient.exe get "/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
  • What is a user?

A user is an entity created under an AAD directory (aka tenant or tid). It has a set of properties such as name, first name, email, etc. It is uniquely identified by an objectId (guid); the terms oid and principalId are sometimes used as well. The tenant where the user was originally created is called the home tenant. The same user can be added to other tenants; in that case, it becomes a foreign entity there. The user is given a different objectId in each tenant.

// To see your oid
ARMClient.exe token

// To see your oid in a different tenant
ARMClient.exe token %tid%

// To see all tenants you belong to
ARMClient.exe get "https://management.azure.com/tenants?api-version=2014-04-01"

// To get user details
ARMClient.exe get "https://graph.windows.net/%tid%/users/%oid%?api-version=1.2-internal"
  • What is a service principal?

A service principal is an entity created under an AAD directory's application. It is uniquely identified by an objectId (guid).

  • What is a group?

A group is an entity created under an AAD directory. It has a set of properties such as group name, etc. It is uniquely identified by an objectId. The group has members, which are a collection of users or service principals.

// To see what groups a user belongs to
ARMClient.exe post "https://graph.windows.net/%tid%/users/%oid%/getMemberGroups?api-version=1.2-internal" "{securityEnabledOnly:false}"

// To get group details
ARMClient.exe get "https://graph.windows.net/%tid%/groups/%oid%?api-version=1.2-internal"

// To get group members
ARMClient.exe get "https://graph.windows.net/%tid%/groups/%oid%/$links/members?api-version=1.2-internal"
  • What is an operation?

An operation is an action; for instance, read, write, etc.

  • What is a resource?

In this context, the resource is an ARM resource identified by a URL. For instance, https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site% represents an Azure WebApp resource.

  • What is an authorization policy?

The authorization policy describes which users can perform which operations on which resources. In the absence of a policy, a user will be denied access. The policy is represented by role definitions and role assignments.

  • What is a role definition?

A role definition describes which operations/actions a role can perform. For instance, the "Website Contributor" role has full permissions on the "WebApps resource type" (Microsoft.Web/sites/*).

// To get role definitions for a resource
ARMClient.exe get "https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01"

// role definition sample for Website Contributor
{
  "roleName": "Website Contributor",
  "type": "BuiltInRole",
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "assignableScopes": [
    "/"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": []
    }
  ],
  "createdOn": "0001-01-01T08:00:00Z",
  "updatedOn": "2016-05-31T23:14:06.5272742Z",
  "createdBy": null,
  "updatedBy": null
}
  • What is a role assignment?

A role assignment describes which users/service principals/groups belong to which role definitions for which resources (scope). For instance, the user with objectId "foo" belongs to the "Website Contributor" role for the "bar" resource. In effect, the user "foo" has full permissions on the "bar" WebApp resource.

A user or service principal can also be given permissions via a group. For instance, a group with objectId "foo" belongs to the "Web Site Contributors" role for the "bar" resource. In effect, any user in the "foo" group has full permissions on the "bar" WebApp resource.

// To get role assignments for a resource
ARMClient.exe get "https://management.azure.com/subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01"

// role assignment sample
// To interpret: the user or group (11b067db-6955-4cba-884a-012578e5bd5f) is a Website Contributor for the /subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testrg resource group.
// Per the Website Contributor role, this user has full permissions on all WebApp resources under that resource group.
{
  "properties": {
    "roleDefinitionId": "/subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", // Website Contributor
    "principalId": "11b067db-6955-4cba-884a-012578e5bd5f", // this is user or group
    "scope": "/subscriptions/abcdef26-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testrg", // resource
    "createdOn": "2016-11-30T16:09:18.6938852Z",
    "updatedOn": "2016-11-30T16:09:18.6938852Z",
    "createdBy": "25fca160-1e0b-4d52-9a3a-3c7f0decba23",
    "updatedBy": "25fca160-1e0b-4d52-9a3a-3c7f0decba23"
  },
  "id": "/subscriptions/4e1a6126-e78f-41b7-9e94-df4e34ddcecd/resourceGroups/testappdebug/providers/Microsoft.Authorization/roleAssignments/1e4b7da1-d6d3-4360-abc3-e16dd7b1077c",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "1e4b7da1-d6d3-4360-abc3-e16dd7b1077c"
}
  • Investigate issue

First, check whether the user, or any group the user belongs to, appears in a role assignment. If not, permission will be denied. If so, check which role definition is associated with that assignment. That determines which operations the user can perform on which resource.
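
The evaluation order from "List current user permissions" and the two investigation steps above, as an added Python example (not part of ARMClient or the original wiki). It assumes the role assignments and role definitions were already fetched with the ARMClient calls shown earlier and that the principal list holds the user's oid plus the group oids from getMemberGroups; the ids, the "Constructed No-Delete Role" and the helper names are made up for illustration, and matching is assumed to be case-insensitive with `*` as a wildcard.

```python
import re

def action_matches(pattern, operation):
    """Case-insensitive match; '*' in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def definition_allows(role_def, operation):
    """notActions is checked first (match: not allowed), then actions (match: allowed)."""
    for perm in role_def["permissions"]:
        denied = any(action_matches(p, operation) for p in perm["notActions"])
        if not denied and any(action_matches(p, operation) for p in perm["actions"]):
            return True
    return False

def scope_covers(scope, resource_id):
    """An assignment applies to its scope and to every resource beneath it."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def investigate(principal_ids, resource_id, operation, assignments, definitions):
    """Step 1: find assignments for the user or its groups. Step 2: evaluate each role."""
    ids = {p.lower() for p in principal_ids}
    findings = []
    for a in assignments:
        props = a["properties"]
        if props["principalId"].lower() in ids and scope_covers(props["scope"], resource_id):
            role = definitions[props["roleDefinitionId"].rsplit("/", 1)[-1]]
            findings.append((props["principalId"], role["roleName"],
                             definition_allows(role, operation)))
    return any(ok for _, _, ok in findings), findings  # union (OR) across roles

# Constructed sample data (placeholder ids, trimmed role definitions).
RG = "/subscriptions/SUB/resourceGroups/testrg"
SITE = RG + "/providers/Microsoft.Web/sites/mysite"
DEFINITIONS = {
    "role-wc": {"roleName": "Website Contributor",
                "permissions": [{"actions": ["Microsoft.Web/sites/*"], "notActions": []}]},
    "role-nd": {"roleName": "Constructed No-Delete Role",
                "permissions": [{"actions": ["Microsoft.Web/sites/*"],
                                 "notActions": ["Microsoft.Web/sites/delete"]}]}}
def _assign(oid, role, scope):
    rid = "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/" + role
    return {"properties": {"principalId": oid, "roleDefinitionId": rid, "scope": scope}}
ASSIGNMENTS = [_assign("user-oid", "role-nd", SITE), _assign("group-oid", "role-wc", RG)]

if __name__ == "__main__":
    for ids in (["user-oid"], ["user-oid", "group-oid"]):
        print(ids, investigate(ids, SITE, "Microsoft.Web/sites/delete", ASSIGNMENTS, DEFINITIONS))
```

With only the user's oid the delete is not allowed because notActions matches; once the group oid is included, the group's Website Contributor assignment at resource group scope allows it, so a notActions entry in one role does not override an allow from another.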
