Skip to main content
If you’re looking to manage permissions and access within your Azure environment, RBAC will be your friend. So what exactly is Azure RBAC? It is a system that helps you to manage who has access to your Azure resources, what they can do with those resources, and what areas they have access to. It provides a fine-grained access management to better enforce your organization’s security policies. Let’s talk about some key terms that you hear often. So whenever we think about Azure RBAC, the first thing that comes to your mind will be who. So who refers to a security principal, as in who will get the access. So any identity which is requesting for access. It could be a user, group, service principal, or a managed identity. Second is what. What refers to what permissions you want to give to the security principal. So the what is defined using something called role definition, which defines a set of operations that a particular role can perform. This is written in JSON format. Lastly, where. Where exactly do you want to give the role for the user or the security principal. That’s what we call Azure scope. This is a limit of access which defines a boundary, for example, to a Resource Group, to a virtual machine, to a database. All this is considered as a scope. So if we combine this together, we will get something called a role assignment. When we attach a role definition to a service principal at a particular scope, then it becomes a role assignment. Maximum you can have up to 2000 role assignments in each subscription. Always follow the principle of least privilege whenever you’re assigning the permissions. Also, you can make use of privileged identity management when you’re working with Azure RBAC. So we don’t want to give permanent direct access to our resources. Instead, the access will be provided through Privileged Identity Management. In Azure Active Directory, we studied about different security principles, right? How a user works, how groups work, service principal, et cetera. And we already know what the scope is. So that’s why we learned about hierarchy. You have management groups, subscriptions, resource groups, resources. Something that is missing is a role definition. So let’s just double click on that and understand more about this. So in Azure, you have built-in roles. These are the roles that are supplied with Azure out of the box, like Owner, Reader, Contributor, et cetera. And you also have very specific roles limited to certain services like Virtual Machine Contributor, Storage Blob Contributor, et cetera. Also, you can come up with custom roles. It’s not necessary that you have to go with the built-in roles. Let’s say your organization requires a very fine-tuned role for your users, then you can create custom roles. Basically, this is how a role definition will look like. And this is the role definition for the Contributor role. You can see that the name is Contributor. There will be a unique Object ID that is assigned. Is custom is set to false because it’s not a custom role. It’s a built-in role from Azure. And it has a description where it says grants full access to manage all resources, but does not allow assigning roles in Azure RBAC. In actions, you can see that there is an asterisk that means everything is allowed. Not actions, you have certain things like Microsoft.Authorization slash delete, Microsoft.Authorization write, elevate access, et cetera. So basically, this is the contributor role definition where the contributor will be able to do everything, but the user will not be able to assign roles in Azure RBAC. That’s why you see that authorization provider. Also, there are some limitations on the blueprint. And also, share image galleries. That’s why you have Microsoft.Compute slash gallery slash share slash action there. Data actions, no data actions usually come into picture if you’re dealing with the storage role on what permissions the user should have on the data plane. And finally, assignable scopes, which all scopes you can assign. The slash denotes root. That means anything under the root can use this role. So this is how the role definition looks like. Now, let’s just see what are the built-in roles available in Azure. Then we will go to Azure portal and see how we can assign the roles. So built-in roles are roles offered by Azure, which we can assign to users, groups, service principals, and managed identities. Here are the fundamental roles that you need to be aware of. First one is owner. This has full access to all resources and can delegate access to other users. For example, if I am the owner of a resource, say a virtual machine, I will be able to make other people owners, contributors, readers, or any other role that I want. Basically, I will be able to delegate access to other users. Next is Contributor. We have already seen the definition of contributor in the previous slide. Contributor can create and manage all types of resources, but cannot grant access to others. If I’m a contributor, I will not be able to make another person a contributor or an owner. If you need to get access to something, you should get in touch with the owner. Next is the Reader. As the name implies, Reader has read access to all resources, no permission to make changes to the resources. Also, the reader will not be able to see sensitive information like connection strings, account keys, API keys, etc. That will be only visible to owner and contributor. Last but not least, we have User Access Administrator. This user has access to Azure resources. To a certain level only. That means the user can provide access to other users. It’s more like a delegation role. If I’m a User Access Administrator, I’ll be able to give access to other permissions, but I will not be able to manage the resources. If I’m able to manage the resources, that essentially becomes an owner. So User Access Administrator is more like an owner without the permission to manage the resources. We already covered scope in understanding hierarchy, but I want to bring this topic again so that you understand this clearly and you don’t forget this. So at the top, we have the management group, then the subscription, resource group, and finally resources. So if you assign a role at the management group, that will be inherited to the subscription, resource group, and resources. Similarly, if you assign a role at the subscription level, that will be inherited to the Resource Group and resources. Likewise, if you apply at the Resource Group level, that will be inherited to the resources. This is how the scope works. So don’t forget the scope because this has a lot of importance in policies as well as in RBAC. I hope that’s clear. Now we will go to Azure portal and see how we can assign these permissions and how we can set up a custom role if required. So we are in Azure portal. Now what I will do is I’ll simply go to this Resource Group. Unfortunately, the subscription is disabled, so we’ll not be able to make any changes. So what I’ll do is I’ll create a new resource group here. I’ll call it as AC Demo RBAC, and I’ll place it in East Europe. I’m not gonna add any resources, so I’ll just simply use the name of the Resource Group. Create this resource group. So the resource group is created. If I just refresh this, or I can go to the resource group here. On every scope where you can assign RBAC, you will see this access control IAM blade. All you have to do is just click on that and you will be able to check access and view your access. You will be able to check access for other users as well, but you can go to role assignments. This is where you’ll be able to see all the roles. For example, my account is an Owner, but I don’t have the Owner role at this Resource Group level, but I have a role at the Subscription level and it is inherited. So remember the hierarchy. If you give the permission at the very top, like at the management group, that will get inherited to all the underlying resources, including subscriptions, Resource Groups, and your Azure resources. So RBAC goes with inheritance. Similarly, if I apply RBAC at the Resource Group level, all the resources inside that Resource Group will get that permission. So if I want to add a role, I’ll click on Add Role Assignment. I have to choose a role here. You can see there are a lot of built-in roles available specific to every resource. For example, you can see there is an ACR delete, ACR image signer. This is for Azure Container Registry. There are some roles for Attestation Contributor, Attestation Reader. This is for attestation purposes. You have an automation job, automation contributor. This is for automation account. So for every resource, there will be certain roles available because we don’t want to give owner or contributor to everyone. We follow the principle of least privilege. So if someone just needs to create and manage jobs in Azure Runbooks in the automation account, this is the role I’ll be giving instead of giving a privileged role. So this view gives you job function role, which basically targets certain jobs, but you have privileged roles as well, like Owner, Contributor, et cetera. So if I want to give a Reader role, for example, I’ll click on Reader, click on Next. This is where I’ll select members, the users that I want to give the role to. So in the first place, this is the role definition, what exactly we need to give. And in the next page, this is where we set rules. And we already decided where, because where is a scope and we know it is going to be the Resource Group. So I’ll just select users that I want to give read access to and I’ll select Next, Review and Assign. And you can see that these users have been added as a reader here. And the scope is this resource. Whenever you see this resource, you have to look at here to understand what this resource is. Now let’s say inside this Resource Group, what I’ll do is I’ll create a Virtual Network. For example, so I’ll choose that subscription and the Resource Group. I’ll say demo VNet, review and create. I will not look in the address space and all which is not required at this point. So I’ll just skip that and I’ll create this virtual network. So I’ll click on create and the virtual network will be created right now. The deployment is in progress. Okay, the resource has been created. If I click on go to resource that will take me to the Virtual Network. In the virtual network also, you will see this access control IAM because this resource or this level supports Azure RBAC. So I’ll click on that, I’ll take a look at the role assignments. Obviously, my name will be there because it is inherited from the subscription. You can see other users, which we added as readers and you can see the scope. This is coming from the Resource Group. So this is not assigned directly to the resource. It is assigned to the Resource Group and got inherited. Similarly, I can go to Management Groups as well. For example, IT here, I can go to access control IAM. I’ll be able to add a role assignment here. So it says I’m the owner for this one. and I have given this permission at this resource level, I have the permission. I can add more users, owners, readers, whatever role I want here and all subscriptions under IT will get that permission inherited. This is how RBAC works. Let’s say you want to come up with a custom role. You’re not happy with the built-in roles. So you can click on add and you’ll see add custom role. Earlier, a couple of years back, we used to write JSON for this and create this from PowerShell or CLI. Now the portal supports creation of custom roles. Now I can give a name. I’ll add CR just for me to understand that it’s a custom role. I’ll say this is VM App Operator, something like that. I can give a description. If I need, it will be very helpful for someone who wants to assign this role. I can clone an existing role, a built-in role. I can start from scratch or I can start from JSON. I’ll use start from scratch because we get the option to choose the permissions from here. I can click on add permissions. You’ll see all services here. For example, if I want to see Virtual Machine related permissions, you can see it right here. Or in case you’re not able to find it, you can search for Microsoft Docs Compute. Yeah, this is a virtual machine. So you’ll be able to see all the permissions that are available with virtual machines. For example, let me randomly pick some permissions. For example, right here, read latest patch assessment operation details, get virtual machine log definitions, get virtual machine run command, delete virtual machine run command. You can add these permissions. So the custom role will only have these permissions and the user will be able to only accomplish these actions. I’ll click on next. I’ll click on create. And this custom role will be created. As you can see, it may take a few minutes to display this role everywhere, but we can give it a shot. This time I’ll go for add role assignment. In job function, what you can do is you can filter type to a custom role and you can see your CRVM operator custom role available here. I can click on that, click on next, select members. I can add people here or groups here. For example, we have an HR group. That group also can be added here. I’ll click on select, review and assign, review and assign. And you can see that CRM app operator has been added here. And all these users have permission at the management group level. That means they have access to everything under the management group. Now that you know what Azure RBAC is, we also have Microsoft Entra ID roles. And for beginners, this is quite confusing. So let’s understand the differences between Azure RBAC and Microsoft Entra ID roles.

Watch Video