AZ-500 Entra ID – Role Based Access Control Lab (portal, powershell, bash)

source: AZ500-AzureSecurityTechnologies

  • Create a Senior Admins group containing user account Joseph Price as its member (Azure portal)
  • Create a Junior Admins group containing the user account Isabel Garcia as its member (PowerShell)
  • Create a Service Desk group containing the user account of Dylan Williams as its member. (Bash)
  • Assign the Virtual Machine Contributor role to the Service Desk group.

Exercise 1: Create the Senior Admins group with the user account Joseph Price as its member using the Azure Portal

Task 1: Create new user Joseph Price

On the Azure Portal go to Entra ID > click Users > click New user > select Create new user


enter the following: (make sure Auto-generate password is enabled)

Click review and create the new user.

Task2: Create a Senior Admins group and add the user account of Joseph Price to the group.

On the Azure Portal go to Entra ID > click Groups > click New Group

Enter the following:

Group type: Security

Group name: Senior Admins

Membership type: Assigned

Owner: Joseph Price

Members: Joseph Price

Exercise 2: Create a Junior Admins group containing the user account of Isabel Garcia as its member using PowerShell on Cloud Shell

Task 1: Use PowerShell to create a user account for Isabel Garcia.

Open Cloud Shell by selecting it from the right top corner and select PowerShell

we will create a password profile object with the following command

$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

we will define the following values of the password profile object

$PasswordProfile = @{
  Password = 'Helo123!'
  ForceChangePasswordNextSignIn = $true
  ForceChangePasswordNextSignInWithMfa = $true
}

connect it to Entra ID with the following command

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "AuditLog.Read.All", "RoleManagement.Read.Directory"

**If Microsoft Graph command line tool is not yet connected to Entra ID you will be prompted to authenticate and grant permissions for the app to modify RBAC settings, make sure the user you authenticate has the correct assigned role (application administrator)

We will run the following command to create a variable named domainName which will contain our actual domain name and this variable will be used in the next command

$domainName = ((Get-MgOrganization).VerifiedDomains)[0].Name

You can use echo $domainName to verify the domain name


Run the following to install Microsoft Graph Users module

Install-Module Microsoft.Graph.Users


We will need to grants the Microsoft Graph application permission to access directory information on behalf of the signed-in user by running the following:

Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

**for the next step make sure the user you authenticated with has the correct assigned role (user administrator)

We will create a user account for Isabel Garcia with the following command

New-MgUser -DisplayName 'Isabel Garcia' -PasswordProfile $passwordProfile -UserPrincipalName "Isabel@$domainName" -MailNickName 'Isabel' -AccountEnabled

Lastly, run the following to list Microsoft Entra ID users (the accounts of Joseph and Isabel should appear on the listed):

Get-MgUser

Task2: Use PowerShell to create the Junior Admins group and add the user account of Isabel Garcia to the group.


Lets create Junior Admins group and add the user account of Isabel Garcia to the group by using PowerShell, run the following to create a new security group named Junior Admins:

New-MgGroup -DisplayName "Junior Admins" -MailEnabled:$false -SecurityEnabled:$true -MailNickName JuniorAdmins

we will set the variable $user to obtain a reference to the user account of Isabel Garcia:

$user =Get-MgUser -Filter "MailNickName eq 'Isabel'"

we will set the variable $targetGroup to obtain a reference to the Junior Admins group:

$targetGroup = Get-MgGroup -ConsistencyLevel eventual -Search '"DisplayName:Junior Admins"'

Now we can run the following to add the user account of Isabel to the Junior Admins group:

 New-MgGroupMember -DirectoryObjectId $user.id -GroupId $targetGroup.id

Exercise 3: Create a Service Desk group containing the user account of Dylan Williams as its member using Azure CLI

Task 1: Use Azure CLI to create a user account for Dylan Williams.

Open Cloud Shell by selecting it from the right top corner and select Bash

We will set the variable DOMAINNAME to identify the name of your Microsoft Entra tenant:

DOMAINNAME=$(az ad signed-in-user show --query 'userPrincipalName' | cut -d '@' -f 2 | sed 's/\"//')

run the following to create a user, Dylan Williams:

az ad user create --display-name "Dylan Williams" --password "Pa55w.rd1234" --user-principal-name Dylan@$DOMAINNAME

run the following to list Microsoft Entra ID user accounts (the list should include user accounts of Joseph, Isabel, and Dylan)

az ad user list --output table

Task 2: Use Azure CLI to create the Service Desk group and add the user account of Dylan to the group.

run the following to create a new security group named Service Desk:

az ad group create --display-name "Service Desk" --mail-nickname "ServiceDesk"

we will run the following to list the Microsoft Entra ID groups (the list should show Service Desk, Senior Admins, and Junior Admins groups):

az ad group list -o table

We will set the variable USER as a  reference to the user account of Dylan Williams:

USER=$(az ad user list --filter "displayname eq 'Dylan Williams'")

Run the following to obtain the objectId property of the user account of Dylan Williams:

OBJECTID=$(echo $USER | jq '.[].id' | tr -d '"')

Run the following to add the user account of Dylan to the Service Desk group:

az ad group member add --group "Service Desk" --member-id $OBJECTID

Exercise 4: Assign the Virtual Machine Contributor role to the Service Desk group.

Task 1: Create a resource group

click on the azure portal menu and select Resource groups > Create

use the following values, select review and create

Subscription namethe name of your Azure subscription
Resource group nameAZ500Lab01
LocationEast US

Go to the newly created resource group > AZ500Lab01 > Access Control (IAM) > select Role Assignments > click + Add > Add role assignment

use the following values and click review and assign:

Role in the search tabVirtual Machine Contributor
Assign access to (Under Members Pane)User, group, or service principal
Select (+Select Members)Service Desk

We can now check access to the resources on resource group AZ500Lab01 by using the check access tool

We can enter Dylan Williams and we can see this user has the Virtual Machine Contributor role under the Service Desk group.

We can enter Joseph Price and we can see this user has no access to this resource

We can now use Azure CLI to cleanup resource group created for this lab by running the following Powershell line:

Remove-AzResourceGroup -Name "AZ500LAB01" -Force -AsJob
Author: user

Leave a Reply

Your email address will not be published. Required fields are marked *