Enabling RBAC (Role Based Access Control) to access a Virtual Machine on Microsoft Azure

Suppose you get the following request from one of your external consultants (I got this request from one of my customers :) ):

"I would like to access the Virtual Machine for administrative purposes, and I need to be able to shut it down (or start it) when needed. I only have a Microsoft Account, which is not integrated with your AD."

Your VM is running on Microsoft Azure, and you don't want to give access to all resources in your subscription. With the Azure Management Portal, the only possibility was to create a custom application (see an example here) using the APIs and restrict access through a different interface. That's because the old Azure portal only allows you to add co-administrators, who can access all services inside the subscription.

Then Azure Active Directory was launched, and with it role based access control features, together with the new Azure Portal, in preview today. RBAC is really a cool addition that covers most of the typical scenarios, including complex configurations via Azure PowerShell, Azure CLI or the APIs.

But let's go back to our original request: you need to give access to a specific VM, including the possibility to shut it down when needed. This can be achieved using the GUI, and below you can find the steps required. A few preliminary notes:

NOTE1: to get detailed information on how RBAC works on Azure, please visit this page - https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/

NOTE2: RBAC only applies to the Azure Portal (https://portal.azure.com), and not to the Azure Management Portal (https://www.windowsazure.com). Administrators and co-admins in the Azure Management Portal will have access to all the resources and services in the Azure Portal. A user enabled via RBAC who is not added in the admin and co-admin area of the Azure Management Portal won't have access to all the resources inside the subscription, but only to the resources and services to which he has been granted access.

NOTE3: RBAC can be enabled via the Azure Portal, Azure PowerShell or Azure CLI.

NOTE4: RBAC is based on Azure Active Directory. It is possible to enable access for external Microsoft Account users, who will become Guest Accounts in Azure Active Directory.

1 – Enable access to a Virtual Machine

Select the Virtual Machine that has to be enabled for external access.
Navigate to Settings and then to the Users section.
Select Add from the Users section.
Under the Select a role section, select Virtual Machine Contributor.
Add the Microsoft Account. You have the option to invite the account if it is not already in the list of enabled accounts.

In the image below you can find the result of the user assignment.

2 – External user access experience

This is the user experience that francescodiaz@outlook.com will find after being enabled in the portal. As you can see, only the VM is displayed in the list of resources. The external user also has the possibility to shut down or restart the VM, if needed.

Conclusions

This is the quickest way, and not the best, to give access to a VM to an external user. For additional information, I recommend visiting this page, which contains a lot of useful details and best practices.

Ciao!
Francesco
@francedit
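The same assignment done with Azure PowerShell (the route NOTE3 mentions), followed by a check that the guest holds nothing wider than the VM scope. This is an added example, not code from the original post; it assumes the current Az PowerShell module and an existing Connect-AzAccount session, that the Microsoft Account has already been invited as a guest, and placeholder values for the resource group, VM name and guest sign-in name.

```powershell
# Added example (not from the original post): scope a Microsoft Account guest to one VM only.
# Assumes the Az PowerShell module and an existing session (Connect-AzAccount).
# The three values below are placeholders.
$resourceGroup = 'rg-placeholder'
$vmName        = 'vm-placeholder'
# For a guest, Azure AD may show the sign-in name in the form user_outlook.com#EXT#@tenant.onmicrosoft.com;
# use whichever form Get-AzADUser resolves in your tenant.
$guestUpn      = 'consultant@example.com'

# Assign the role at the scope of the VM's own resource ID, not the subscription or the
# resource group, so nothing else in the subscription becomes visible to the guest.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

New-AzRoleAssignment -SignInName $guestUpn `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -Scope $vm.Id

# Verification: list every assignment the guest holds (inherited ones included) and flag
# any whose scope is wider than the VM, e.g. a leftover subscription-level assignment.
$assignments = Get-AzRoleAssignment -SignInName $guestUpn
$assignments | Select-Object RoleDefinitionName, Scope

$tooWide = $assignments | Where-Object { $_.Scope -ne $vm.Id }
if ($tooWide) {
    Write-Warning 'Guest holds role assignments beyond the VM scope:'
    $tooWide | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    Write-Output "Guest $guestUpn is limited to $($vm.Id)"
}
```

Virtual Machine Contributor lets the guest start, stop, restart and reconfigure the VM, but it grants no sign-in to the guest operating system and no rights on the virtual network or storage account the VM uses.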