Hunting for Azure RBAC Permissions
A quick alternative way to check for needed RBAC permissions using PowerShell
The following method can be used to discover the RBAC permissions needed to develop a custom role in Azure. Before walking through it, consider the guidance from the Azure Security Compass (Slide 104) on custom roles: avoid custom roles as the default for user and group permission sets, and prefer built-in roles that align closely with the need, combined with Azure Active Directory PIM where possible.
At times a custom role will still be necessary because no built-in role aligns with your organizational needs. When that happens, avoid unnecessary permissions, in particular wildcards in permission sets and resource types.
In addition to the Azure Portal UI for custom role design, you can use PowerShell to find the granular permissions.
Log into PowerShell with the account in question that cannot access or perform the operations, or with a dummy account that has only Reader access at the subscription level.
# Sign in as the low-privilege account under test (Login-AzAccount is an alias of Connect-AzAccount)
Login-AzAccount
# Record everything the session prints, including the authorization error, to a log file
Start-Transcript -Path c:\temp\auditcmdlets.log
# The operation to test; -Verbose and -Debug make the failure details show up in the transcript
Set-AzStorageAccount -ResourceGroupName rgNSGFLOWPolicy -Name nsgflowpolicystore -EnableHttpsTrafficOnly:$false -Verbose -Debug
Stop-Transcript
Wrap the commands you want to test between Start-Transcript and Stop-Transcript. Each command in the middle should carry the -Verbose and -Debug switches.
Once completed, open the log file and scroll to the error; you can also search for ‘authorization to perform action’.
Here we can see that the user would need the specific RBAC permission
'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/{SUBID}/resourceGroups/rgNSGFLOWPolicy/providers/Microsoft.Storage/storageAccounts/nsgflowpolicystore'
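As an added example that is not part of the original post, the following PowerShell turns the search step into something repeatable: it scans transcript lines for the authorization error, extracts each action/scope pair, and emits a custom-role definition skeleton in the JSON shape New-AzRoleDefinition -InputFile accepts. The function names and the sample transcript line are my own constructs; the subscription id is a placeholder.

```powershell
# Added example (not from the original post): parse a PowerShell transcript for
# Azure authorization failures and build a custom-role definition skeleton from them.
function Get-RbacActionFromTranscript {
    param([Parameter(Mandatory)][string[]]$Lines)
    # ARM reports: "... does not have authorization to perform action '<action>' over scope '<scope>' ..."
    $pattern = "authorization to perform action '(?<action>[^']+)' over scope '(?<scope>[^']+)'"
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            [pscustomobject]@{ Action = $m.Groups['action'].Value; Scope = $m.Groups['scope'].Value }
        }
    }
}

function New-CustomRoleSkeleton {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][object[]]$Findings
    )
    # Assignable scopes are limited to the subscriptions that actually appeared in the errors
    $subs = $Findings.Scope | ForEach-Object { ($_ -split '/resourceGroups/')[0] } | Sort-Object -Unique
    $role = [ordered]@{
        Name             = $RoleName
        IsCustom         = $true
        Description      = 'Generated from transcript findings; review before assigning.'
        Actions          = @($Findings.Action | Sort-Object -Unique)   # only the actions the log proved necessary, no wildcards
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($subs)
    }
    return $role | ConvertTo-Json -Depth 4
}

# Constructed sample transcript lines (not a real log); replace with: Get-Content c:\temp\auditcmdlets.log
$sample = @(
    "Set-AzStorageAccount : The client 'user@contoso.com' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/{SUBID}/resourceGroups/rgNSGFLOWPolicy/providers/Microsoft.Storage/storageAccounts/nsgflowpolicystore' or the scope is invalid.",
    "VERBOSE: Performing the operation 'Set-AzStorageAccount' on target 'nsgflowpolicystore'."
)
$findings = Get-RbacActionFromTranscript -Lines $sample
$findings | Format-Table -AutoSize
New-CustomRoleSkeleton -RoleName 'NSG Flow Log Storage Writer' -Findings $findings
```

Treat the generated JSON as a starting point: check each listed action against the built-in roles first, and only create the custom role if none of them fits.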