Azure Firewall Role-Based Access Control

Role-based access control in Azure lets you grant fine-grained permissions on specific resources. To control who may do what with Azure Firewall, you need a custom role definition that spells out exactly which permissions are given to whom.

In this article, let’s have a look at Azure Firewall actions you can control in your cloud environment.

Before constructing a role definition, you need to know which operations Azure Firewall supports. Run the following PowerShell to get the list of operations:

Get-AzureRMProviderOperation "Microsoft.Network/azurefirewalls/*" | fl Operation

The result shows you three operations:

  • Microsoft.Network/azurefirewalls/read : allows reading Azure Firewall resource information, including rules, properties and the general information shown on the Overview blade.
  • Microsoft.Network/azurefirewalls/write : allows creating and updating an Azure Firewall, both the resource itself and its rules.
  • Microsoft.Network/azurefirewalls/delete : allows deleting Azure Firewall resources.

You may like to learn about Azure Firewall Monitoring here.

Depending on your cloud governance, the role definition may vary. Here is what I'd propose to keep permissions fine-grained for the people who operate your Azure Firewall.

    "Name": "SecOps Firewall Operation Role",
    "ID": "XXX",
    "IsCustom": true,
    "Description" : " This role is used to assign to SecOps Firewall Operation team",
    "Actions" : [
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes" : [

The role definition gives the assigned group or user the ability to handle authorization on Azure resources, to query the Activity Log and to control Azure Firewall. Microsoft.Support/* is an additional permission to include if you'd like to allow your team to open support tickets with Microsoft.

To create the custom role and assign it to an existing group (e.g. SecOps), run the following PowerShell script.

$groupName = "SecOps"
$scope = "/subscriptions/262d0040-89cf-4f3d-12b7-d6bae0017192"
$group = Get-AzureRmADGroup -DisplayName $groupName

# Create the custom role from the JSON definition above and keep the returned
# object, so the assignment uses exactly the name Azure registered (the file
# names the role "SecOps Firewall Operation Role"; a hand-typed name that
# differs would make New-AzureRmRoleAssignment fail to find the role).
# $scope must be listed in the definition's AssignableScopes.
$roleDef = New-AzureRmRoleDefinition -InputFile "C:\azure\firewall-rbac.json"
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleDef.Name -Scope $scope
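As an added example (not the post's own code), the same role can be built as a PSRoleDefinition object in PowerShell instead of a JSON file, which lets you validate each action against the provider's published operations before the role exists, and then verify what the group actually ends up with. The subscription ID is a placeholder, the group "SecOps" is assumed to exist, and the two non-firewall read actions (Microsoft.Authorization/*/read and Microsoft.Insights/eventtypes/*) are my assumptions for "authorization" and "Activity Log" access; swap in whatever your governance model requires.

```powershell
# Added example: build, validate, create, assign and verify a firewall-only
# custom role with the AzureRM cmdlets. Not the blog's own script.

$scope     = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
$groupName = "SecOps"                                                 # assumed to exist
$roleName  = "SecOps Firewall Operation Role"

# Explicit firewall operations rather than Microsoft.Network/* keep the team
# away from every other network resource in the subscription.
$actions = @(
    "Microsoft.Network/azurefirewalls/read",
    "Microsoft.Network/azurefirewalls/write",
    "Microsoft.Network/azurefirewalls/delete",
    "Microsoft.Authorization/*/read",    # assumption: read role assignments
    "Microsoft.Insights/eventtypes/*",   # assumption: query the Activity Log
    "Microsoft.Support/*"                # optional: open support tickets
)

# Every non-wildcard action must resolve to a published operation; a typo
# would otherwise be accepted by Azure and silently grant nothing.
foreach ($a in $actions) {
    if (-not $a.Contains('*')) {
        $ops = Get-AzureRmProviderOperation -OperationSearchString $a
        if (-not $ops) { throw "Unknown operation '$a' - refusing to create the role" }
    }
}

# Clone the built-in Reader definition as a template and replace its contents.
$role = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id = $null
$role.Name = $roleName
$role.IsCustom = $true
$role.Description = "Operate Azure Firewall only; no other network write rights"
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

$created = New-AzureRmRoleDefinition -Role $role

# Assign using the name Azure returned, so file and script cannot drift apart.
$group = Get-AzureRmADGroup -DisplayName $groupName
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $created.Name -Scope $scope

# Verify: walk every role the group holds at this scope and warn on any
# Microsoft.Network action that is broader than the firewall-only intent.
Get-AzureRmRoleAssignment -ObjectId $group.Id -Scope $scope |
    ForEach-Object { Get-AzureRmRoleDefinition -Name $_.RoleDefinitionName } |
    ForEach-Object {
        $_.Actions |
            Where-Object { $_ -like "Microsoft.Network/*" -and $_ -notlike "Microsoft.Network/azurefirewalls/*" } |
            ForEach-Object { Write-Warning "Broader network permission found: $_" }
    }
```

The final verification loop is the part worth keeping in a scheduled job: custom roles are edited over time, and a later "*/write" added for convenience is exactly the drift that turns a firewall operator role into a general network administrator role.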

