Managing User Access to Specific Sites in the Azure Portal

If you’re part of a team of people working on one or more sites hosted in Azure Websites, you may want to provide one or more users with access to a site or a group of sites in the Azure Portal. You can make a user a co-admin on your subscription to achieve this, but in doing so, you are granting that user access to all services on your subscription. You also have no ability to restrict the level of access that the user has to those resources. While this situation might be acceptable to some, it certainly isn’t the best situation for team-based site development.

Azure Websites now integrates with the Role-Based Access Control (RBAC) feature in Azure, enabling you to have much greater control over whom you allow access to your resources and what level of access each person has. This feature (currently in preview) makes it easy to assign a user access to one or more of your resources by using one of three roles. (These are the three built-in roles provided during preview. In a later build, you’ll be able to define your own roles.)

• Owner - Has full admin access to the site and can perform all operations.
• Contributor – Can deploy code, start/stop the site, swap deployments, delete the site, etc. Cannot change pricing plan or perform some other admin functions.
• Reader – Can view the website in the portal, but cannot make any changes to it.

Note: In this blog post, I will show you how you can use RBAC to give other users access to a website. However, RBAC is much more flexible than that. You can give users access to an entire resource group, you can give groups access to resources, and you can give services access to another service using RBAC. See this documentation for more information.

Before we go into how you can use RBAC with Azure Websites, I need to give you a brief overview of how Azure Active Directory works within the Azure portal.

Azure Active Directory and the Azure Portal

Every Azure subscription has a directory in Azure Active Directory associated with it. By default, your account is the only user added to your directory. In many cases, your directory is only associated with your subscription. However, if you are in a team environment at a company, your company may provide Azure subscriptions that are all associated with a common directory. As we go through the scenarios in this post, I’ll explain how things may work differently based on how your Azure directory is set up.

All of the work we’ll do in this post is in the preview version of the Azure Portal. We use the terms lens, parts and blades to refer to elements within the preview portal. Figure 1 should help you to understand what these new terms refer to in the preview portal.

Figure 1 - Azure Portal User Interface Elements

With that out of the way, let’s walk through three scenarios where RBAC can help you control access to websites.

Note: The information given here applies only to the preview portal at https://portal.azure.com. The current release portal at https://manage.windowsazure.com does not support RBAC. Only subscription administrators and co-administrators can access and manage resources in the release portal.

Scenario 1: Give a User Full Control to Only One Website

Jim is the administrator of an Azure subscription that contains several websites used by many people in his company. Judy works with Jim, and Jim would like to allow Judy to manage a website named quake just as though she were an administrator on the subscription. However, he doesn’t want her to have the ability to manage any other resources on the subscription, so making her a co-admin isn’t a viable choice.

By adding Judy to the Owner role on the website, Jim can give her the access needed to the website without giving her access to any other resources on the subscription. Here’s how he can do that.

Giving Access to a Resource

1. Log into the Azure Preview Portal located at https://portal.azure.com.
2. Select the website to which Judy will be given access. If it’s not on your Startboard (your portal home screen), click on Browse and choose Websites to locate it.)
3. Scroll to the bottom of the website’s blade and locate the Access lens.
4. Click the Owner role in the Roles part as shown in Figure 2.

Figure 2 – The Roles Part in the Access Lens (Click on Owner as per Step 4.)

5. In the Owner blade, click on Add as shown in Figure 3.

Figure 3 – The Add button in the Owner Blade

6. In the Add Users blade, enter Judy’s email address.
7. One the email address is checked for validity, it will appear in the list of users. Click on it to select it. A checkmark will appear in the upper-right corner as shown in Figure 4.
8. Click on Select to add Judy as shown in Figure 4.

 

Figure 4 – Adding a User

Notice that in Figure 4, I was told that Judy isn’t in the "Jim Cheshire” directory. That means that my Azure subscription’s directory doesn’t already have Judy’s account added to it. That’s not a problem though. When I add her in RBAC to my website, it will automatically add her to my directory.

Because Judy was added to my directory, she is now part of at least two directories; the initial directory associated with her subscription and my directory to which I just added her. That’s important to know because it will impact how Judy can look at resources in the Azure Portal to which she’s been given access. I’ll explain more about that in the following section.

Managing a Resource in the Portal

Now that Judy has been given Owner access to my website called quake, she can manage that website in the Azure Portal just as though it were a website she created. However, remember that when I added Judy, she wasn’t initially in my directory.

When Judy logs into the Azure Portal, she’s logging into her own directory and she can see all of the resources that were created in that directory. The quake website, however, is in the “Jim Cheshire” directory and not in Judy’s directory. To see the quake website, Judy will have to switch directories. Here’s how she can do that.

1. Click the username button in the upper-right corner of the Azure Portal’s home page.
2. Click the desired directory. (In this case, it’s the “Jim Cheshire” directory.) See Figure 5.

 

Figure 5 – Switching Directories

In Figure 5, you can see that Judy’s directory is called “Default Directory”. We know from Step 7 above (and from Figure 4) that the directory Judy was added to in order to get access to the quake website is called “Jim Cheshire”. In Figure 5, you can see both the “Default Directory” directory and the “Jim Cheshire” directory in the menu. Once Judy selects the “Jim Cheshire” directory, she will see the quake website when she browses websites in the portal.

Note: If Judy and Jim were in the same shared directory, Judy would not have to switch directories. Instead, she would see the quake website right alongside of the websites she normally sees in the portal.

Let’s have a look at another scenario where RBAC might help you to manage access to your resources.

Scenario 2: Allowing a User to Deploy to a Site without Allowing Management Changes

Terry is another teammate of Jim’s. Terry is a developer and Jim wants to allow Terry to deploy new content to the quake website, swap deployment slots, modify application settings, etc. However, he wants to ensure that Terry doesn’t do something like change the pricing tier of the website. In this case, Jim should make Terry a Contributor to the site.

Note: To make someone a Contributor, follow the steps above, but click on Contributor in Step 4 instead of Owner.

Once Terry becomes a Contributor on the website, he can deploy content to the site and make general changes to the application. However, he cannot access usage information, change pricing plans, etc. As shown in Figure 6, these parts in the portal simply display “No Access” when Terry is viewing the website.

Figure 6 – Azure Portal Showing Access Restrictions

There’s one more scenario where RBAC can help you manage your websites.

Scenario 3: Giving a User Access to Monitor a Site without Allowing Any Changes

Sue is a teammate of Jim’s who is responsible for monitoring how much traffic the quake website receives. She’s also responsible for alerting the team if the site starts to throw errors. Jim wants to give Sue access to see the monitoring features for the site in the portal and also to see application settings and so forth, but he doesn’t want her to be able to deploy anything to the site, nor does he want her to be able to stop the site or delete the site.

In this scenario, Jim can give Sue Reader access to the site. By doing so, Sue can review the monitoring features in the portal and she can view application settings. However, she won’t be able to modify anything and she won’t be able to see sensitive things such as connections strings.

Changing a User’s Access

You might find that you want to change a user’s access level. For example, you might want to allow Sue to change some application settings, something she can’t do as a Reader. In order to allow this, you would need to make Sue a Contributor.

To change Sue’s access level from Reader to Contributor, you must remove her Reader access and then add her back as a Contributor.

1. On the website’s blade, click Reader in the Roles part as shown previously in Figure 2.
2. In the Reader blade, click on Sue’s entry as shown in Figure 7.

Figure 7 – Selecting Sue’s Account in the Reader Blade

3. In Sue’s user blade, click on Remove as shown in Figure 8.

Figure 8 – Removing a User

4. Add Sue back in the desired role.

Note: Because Sue is still in your directory, when you add her to the new role, you’ll be able to simply select her user instead of typing in her email address.

Removing a User’s Access

If you would like to remove a user’s access to a site, follow the steps outlined in the Changing a User’s Access section above. When you remove a user’s access, the change takes place immediately. If the user has the website open in the portal when you remove her access, she may see portal errors in the website’s blade.

Changing Your Directory’s Name

Remember when Judy had to switch directories (see Figure 5) in order to see the quake website? The directory name that she had to choose was named “Jim Cheshire”, not a very descriptive directory name. You might want to use a more descriptive name for your directory so that users who have access to your resources will have an easier time knowing which directory to choose in the portal. Here’s how you can change the name of your directory.

1. Browse to the current Azure portal at https://manage.windowsazure.com.
2. Scroll down and select Active Directory in the list of Azure services as shown in Figure 9.

Figure 9 – Azure Active Directory

3. Click on your directory as shown in Figure 10. (You may have more than one directory. Click on the one that you want to change.)

Figure 10 – List of Directories

4. Click Configure as shown in Figure 11 and enter a new name.
5. Click Save at the bottom of the screen to save your change.

Figure 11 – Changing a Directory Name

After making this change, Judy will see the new, more descriptive name in the Azure Portal as shown in Figure 12.

Figure 12 – The New Directory Name

I hope this post gets you started with using RBAC in the management of your websites. Look for more richness to be added to this feature as RBAC matures.

Comments

• Anonymous
  March 09, 2015
  The comment has been removed

• Anonymous
  March 12, 2015
  Hi, Subodh. Each Azure service team is responsible for implementing this into their service. I don't have any information on timelines for other Azure services.

• Anonymous
  May 14, 2015
  Hi Jim, Thanks for the nice article. I have understood the access control that is offered by Azure. If a user is given access as a Contributor or as a reader, that user is unable to connect to the website using Webmatrix. The user has to be made a co-admin for the subscriptions. If we do this, then the above roles are not effective. Am I missing something? Awaiting your response. Regards, Rahul

• Anonymous
  May 17, 2015
  Hi, Rahul. This functionality isn't currently available in WebMatrix. I have asked some folks about it to see if there are plans to add it, but no one has any information on those plans at this point.

• Anonymous
  September 01, 2015
  Hello Jim, In scenario 2, how exactly would Terry, as a contributor, deploy to a site? As far as I know, Visual Studio still relies publish settings files which require co-owner. And the portal, as far as I've seen doesn't have a built-in mechanism, which could conceivably support RBAC. Thanks, Mauricio

• Anonymous
  September 02, 2015
  Being a Contributor or Website Contributor gives you access to the Publish Profile. You can deploy using Web Deploy or FTP in Visual Studio. To use RBAC with VS, your customer should make sure to update to Azure SDK version 2.7.

• Anonymous
  October 27, 2015
  Hi Jim - my colleague used your article to set my azure account as owner on a web app and a sql database.  However I see no trace of those items in my Azure portal site.  Should I?  What is the best way for me to see which resources other team members have granted me access to?

• Anonymous
  October 27, 2015
  Hi, Brian. You might need to drop down the Subscriptions dropdown and add your colleague's subscription from the list. You should then be able to see it. If you click on All Resources in the portal, you'll be able to see all resources you have access to.

  • Anonymous
    May 12, 2016
    Thank you much. I was frustrated that I couldn't find all the subscriptions I have been added to under my account.The top right directory dropdown is what I was looking for. :) Thank you.

• Anonymous
  September 08, 2016
  Nice article Jim. Good to read the article from the other side of the fence :)