Simplified Role Management: Azure REST API for User and App Registration Roles

Introduction

In modern cloud computing, managing access and permissions to resources is crucial to maintaining security and governance in Azure. To programmatically manage RBAC roles and permissions, developers can leverage the power of Azure’s REST API. Before using APIs to create and assign the custom roles to users or principals present in Azure subscription, do the below 2 steps for granting the permissions to the App Registration.

Whether App Registration has been assigned with a role having necessary authorization permissions to that same subscription or not, as this will be using the Secret Value (part of the four required IDs) in the REST API that generates from the App Registration itself. (Steps detailed below)
Check whetherAuthorization service resource provider is registered or not. If not registered, we need to register it on the Subscription Page, as shown below.

Assign the Custom RBAC Role to the Principal ID of App Registration

Follow the below steps to assign the custom RBAC role to App Registration in the portal.

Go To Subscription Resource -> Click on IAM in the left panel -> Click on Add custom role as below.

rbac

2. After clicking Add custom role, it will be redirected to a new page for creating a custom role. Give a sample role name in Basics Tab -> go to the Permissions Tab -> click on Add Permissions -> search for Authorization permission -> Select all below permissions as shown in the below image.

Microsoft.Authorization/roleDefinitions/read 
Microsoft.Authorization/roleDefinitions/write 
Microsoft.Authorization/roleAssignments/read 
Microsoft.Authorization/roleAssignments/write

Microsoft.Authorization/roleDefinitions/read

Microsoft.Authorization/roleDefinitions/write

Microsoft.Authorization/roleAssignments/read

Microsoft.Authorization/roleAssignments/write

rbac2

3. Click on Review+Create. So custom role will get created in the category of custom role.

4. Now, Assign the newly created custom RBAC role to the principal id of App Registration.

Click on Add role assignment.

rbac4

5. Search for the custom role created in step 3 -> click Next.

rbac5

6. Go to the Members Tab -> Click on Select members -> Now search for the App Registration name in the search bar for which we wanted to assign the custom role. -> click on Select -> Click on Review + assign.

rbac6

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Steps to Check the Service Based Resource Providers Registered

Go to Subscriptions -> Click on Resource Providers in the Left Panel -> Check Microsoft.Authorization is Registered or not.

resource

Generate Bearer Token Using Tenant ID, Client ID & Secret Value

https://login.microsoftonline.com/<tenant id>/oauth2/token
Paste the above URL with the Tenant ID in Postman Application
Go to Body -> select x-www-form-urlencoded and provide the below body as Key and Value pair

Ex: Provide grant_type as Key and client_credentials as Value

grant_type :  client_credentials
client_id :  "<Client ID>”
client_secret :  ”<Secret Value>”
resource: https : //management.azure.com/

grant_type : client_credentials

client_id : "<Client ID>”

client_secret : ”<Secret Value>”

resource: https : //management.azure.com/

bearer

4. The above API request will respond in JSON format, passing the value of the access_token key as a bearer token in all the REST API operations.

Create the Custom Role Using Azure REST API

Use the REST API below to create the custom role, replace the value of the subscription ID and use the PUT

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{UUID}?api-version=2022-04-01

Use the link below to generate a new UUID, use the same API, and request body value.

Online UUID Generator Tool

Go to Headers and provide the data below as key and value pair.

Content-Type: application/json
Authorization: Bearer <paste the generated bearer token in the previous step>

1 2	Content-Type: application/json Authorization: Bearer <paste the generated bearer token in the previous step>

Provide the sample API Request body below in the Body -> select raw.

{
    "name": "<UUID Value which you generated>",
    "properties": {
        "roleName": "readonly_role_user",
        "description": "This role is created using REST API",
        "type": "CustomRole",
        "permissions": [
        {
            "actions": [
                "*/read"
                
            ],
            "notActions": []
        }
        ],
        "assignableScopes": [
        "/subscriptions/<subscriptionId>"
        ]
    }
    }

{

"name": "<UUID Value which you generated>",

"properties": {

"roleName": "readonly_role_user",

"description": "This role is created using REST API",

"type": "CustomRole",

"permissions": [

{

"actions": [

"*/read"

"notActions": []

}

"assignableScopes": [

"/subscriptions/<subscriptionId>"

]

}

Now, click on Send in the same request and get an appropriate response with the same rolename as the sample response below.

{
    "properties": {
        "roleName": "readonly_role_user123",
        "type": "CustomRole",
        "description": "This role is created using REST API",
        "assignableScopes": [
            "/subscriptions/<your subscription id>"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ],
        "createdOn": "2023-07-18T06:00:15.2547378Z",
        "updatedOn": "2023-07-18T06:00:15.2547378Z",
        "createdBy": null,
        "updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50"
    },
    "id": "/subscriptions/<your subscription id>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "40182542-2530-11ee-be56-0242ac120002"
}

{

"properties": {

"roleName": "readonly_role_user123",

"type": "CustomRole",

"description": "This role is created using REST API",

"assignableScopes": [

"/subscriptions/<your subscription id>"

"permissions": [

{

"actions": [

"*/read"

"notActions": [],

"dataActions": [],

"notDataActions": []

}

"createdOn": "2023-07-18T06:00:15.2547378Z",

"updatedOn": "2023-07-18T06:00:15.2547378Z",

"createdBy": null,

"updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50"

"id": "/subscriptions/<your subscription id>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",

"type": "Microsoft.Authorization/roleDefinitions",

"name": "40182542-2530-11ee-be56-0242ac120002"

}

Assign the Custom Role to Principal ID Using Azure REST API

Use the REST API below to assign the user’s custom role, replace the value of the subscription ID and use the PUT

https://management.azure.com/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleAssignments/{UUID}?api-version=2022-04-01

Use the link below to generate one newer UUID, use the same value in the above API, and use the UUID of created custom role for which we have used to create the role and pass the same in the request body.

Online UUID Generator Tool

Go to Headers and provide the data below as key and value pair.

Content-Type: application/json
Authorization: Bearer <paste the generated bearer token in the previous step>

1 2	Content-Type: application/json Authorization: Bearer <paste the generated bearer token in the previous step>

Provide the sample API Request body below in the Body -> select raw.

{
      "properties": {
        "roleDefinitionId": "/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleDefinitions/{use UUID of created role } ",
        "principalId": "{ObjectID of User}"
      }
    }

{

"properties": {

"roleDefinitionId": "/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleDefinitions/{use UUID of created role } ",

"principalId": "{ObjectID of User}"

}

Use the object ID of any user in an organization or tenant level and replace it with the UserID for whom you will assign this created custom role in the previous step.
Now, click Send in the same request and get an appropriate response with the same rolename as shown below.

{
    "properties": {
        "roleDefinitionId": "/subscriptions/<your subscriptionID>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",
        "principalId": "<principalID of an User>",
        "principalType": "User",
        "scope": "/subscriptions/<subscriptionID>",
        "condition": null,
        "conditionVersion": null,
        "createdOn": "2023-07-18T06:05:15.0772903Z",
        "updatedOn": "2023-07-18T06:05:15.8182412Z",
        "createdBy": null,
        "updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50",
        "delegatedManagedIdentityResourceId": null,
        "description": null
    },
    "id": "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/roleAssignments/40182a42-2530-11ee-be56-0242ac120002",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "40182a42-2530-11ee-be56-0242ac120002"
}

{

"properties": {

"roleDefinitionId": "/subscriptions/<your subscriptionID>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",

"principalId": "<principalID of an User>",

"principalType": "User",

"scope": "/subscriptions/<subscriptionID>",

"condition": null,

"conditionVersion": null,

"createdOn": "2023-07-18T06:05:15.0772903Z",

"updatedOn": "2023-07-18T06:05:15.8182412Z",

"createdBy": null,

"updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50",

"delegatedManagedIdentityResourceId": null,

"description": null

"id": "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/roleAssignments/40182a42-2530-11ee-be56-0242ac120002",

"type": "Microsoft.Authorization/roleAssignments",

"name": "40182a42-2530-11ee-be56-0242ac120002"

}

Conclusion

Developers can leverage the Azure REST API for creating and assigning roles to users or principal ID of an App Registration. This would also be the best way to implement this in the prospect of application. This REST API plays a crucial role in managing the access and permissions to resources from the user at the subscription level.

Drop a query if you have any questions regarding Azure REST API and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.

FAQs

1. Can we assign the same role to multiple users with the same steps above?

ANS: – Yes, we need to use the assigned role REST API to assign one more user, get the new principal ID of any user and replace it in the request body.

2. Can we create the roles based on the permissions to what resources we want to give?

ANS: – Yes, we must give those conditions in the actions key to creating a role sample request body.

WRITTEN BY Sridhar Andavarapu

Sridhar works as a Research Associate at CloudThat. He is highly skilled in both frontend and backend with good practical knowledge of various skills like Python, Azure Services, AWS Services, and ReactJS. Sridhar is interested in sharing his knowledge with others for improving their skills too.