Azure RBAC Overview

Role-Based Access Control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management for Azure resources. It lets you manage:

- Who can access resources
- What actions they can perform
- Where they have access (scope)
Key RBAC Concepts

- Security Principal – The entity requesting access. Examples:
  - User
  - Group
  - Service principal
  - Managed identity
- Role Definition – A collection of permissions defining which operations can be performed. Examples:
  - Owner
  - Contributor
  - Reader
  - User Access Administrator
- Scope – The boundary for access (where the role applies). Examples:
  - Management group
  - Subscription
  - Resource group
  - Individual resource
- Assignment – Attaching a role definition to a security principal at a specific scope. Access is granted only through assignments.
Common RBAC Use Cases

- Allow an application to access all resources in a resource group
- Allow specific users to manage certain resources (e.g., VMs or virtual networks)
- Grant a DBA group permission to manage SQL databases
- Control access to individual resources without granting subscription-wide permissions

Best Practices

- Segregate duties and assign least-privilege access.
- Assign roles at the smallest scope required (resource, resource group, subscription).
- Avoid using classic administrator roles; prefer RBAC roles.
Role Definitions

Roles are defined in JSON with the following properties:

- Name, ID, Description
- Actions – Allowed operations (`*` matches all operations)
- NotActions – Operations excluded from the allowed set
- AssignableScopes – Where the role can be assigned

Built-in role examples:

| Role | Actions | NotActions |
|---|---|---|
| Owner | `*` | `{}` |
| Contributor | `*` | `Microsoft.Authorization/*/Write`, `Microsoft.Authorization/*/Delete` |
| Reader | `*/read` | `{}` |

Scope examples:

- `/subscriptions/[subscription id]`
- `/subscriptions/[subscription id]/resourceGroups/[resource group name]`
- `/subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]`
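The following is an added example (not part of the original notes) showing how the JSON properties above combine into a least-privilege custom role and how it is registered with the Az PowerShell module. The role name, its operation list and the subscription id are constructed placeholders; the cmdlets (`New-AzRoleDefinition`, `Get-AzRoleDefinition`) are the real Az.Resources cmdlets and require an authenticated session (`Connect-AzAccount`).

```powershell
# Added example, not from the original notes. Assumes the Az.Resources module
# and an authenticated Azure session. All ids and names below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id

# A narrow operator role: can view VMs and start/restart them, but cannot
# create, delete or reconfigure them, and has no Microsoft.Authorization rights,
# so it cannot grant access to anyone else.
$roleJson = @"
{
  "Name": "Example VM Operator",
  "Description": "View VMs and start/restart them. No create, delete or access management.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId"
  ]
}
"@

# Write the definition to a file and create the role from it.
# New-AzRoleDefinition fails if a role with this Name already exists in the tenant.
$roleFile = Join-Path $env:TEMP "example-vm-operator.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
New-AzRoleDefinition -InputFile $roleFile

# Review what was registered. Actions is the allow list; NotActions entries are
# subtracted from it rather than acting as an explicit deny.
Get-AzRoleDefinition -Name "Example VM Operator" |
    Format-List Name, Actions, NotActions, AssignableScopes
```

Keeping `AssignableScopes` to a single subscription limits where the role can be handed out; widening it later is a deliberate change rather than the default.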
Role Assignment

- Grants a role to a security principal at a specific scope.
- Assignments are inherited by child resources within that scope.
- Different roles can be assigned at different scopes (e.g., Reader on a resource group, Contributor on a single database).
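An added example (not from the original notes) of the Reader-on-resource-group plus Contributor-on-one-database pattern described above, followed by a verification step. The subscription id, resource group, SQL server/database names and group object id are constructed placeholders; `New-AzRoleAssignment`, `Get-AzRoleAssignment` and `Remove-AzRoleAssignment` are the real Az.Resources cmdlets.

```powershell
# Added example, not from the original notes. Assumes the Az.Resources module and
# an authenticated session. Every id and name here is a placeholder.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-example"
$groupObjectId  = "11111111-1111-1111-1111-111111111111"   # Azure AD group, not an individual user

$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$dbScope = "$rgScope/providers/Microsoft.Sql/servers/sql-example/databases/db-example"

# Reader on the whole resource group: inherited by every resource inside it.
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName "Reader" -Scope $rgScope

# Contributor on one database only. The narrow scope keeps write access to that
# single resource; the group remains read-only everywhere else in the group.
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName "Contributor" -Scope $dbScope

# Verify the result for this principal at the database scope. Assignments made at
# parent scopes (the Reader assignment above) apply here through inheritance.
Get-AzRoleAssignment -ObjectId $groupObjectId -Scope $dbScope |
    Format-Table RoleDefinitionName, Scope

# Remove the database-level assignment once it is no longer needed.
Remove-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName "Contributor" -Scope $dbScope
```

Assigning to a group rather than a named user keeps the assignment stable as team membership changes and leaves a single place to review who effectively holds the role.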
Azure RBAC vs Azure AD Roles

| Feature | Azure RBAC | Azure AD Roles |
|---|---|---|
| Manage | Azure resources | Azure Active Directory resources |
| Scope | Management group, subscription, resource group, resource | Tenant level |
| Access info | Portal, CLI, PowerShell, ARM templates | Admin portal, Microsoft Graph, PowerShell |

- RBAC controls resource access; Azure AD roles control directory access.
Fundamental Built-in RBAC Roles

- Owner: Full access, including assigning roles
- Contributor: Can manage resources, but cannot grant access
- Reader: View-only access
- User Access Administrator: Manage access to resources
Managing RBAC in Azure

Portal steps:

1. Go to Access Control (IAM) for a resource or resource group.
2. Review roles and their permissions.
3. Add a role assignment:
   - Role: Owner/Contributor/Reader
   - Assign to a user or group
   - Save changes
4. Use Check access to verify assignments.

PowerShell commands:

- List role definitions:

  ```powershell
  Get-AzRoleDefinition | Format-Table Name, Description
  ```

- Get the actions for a role:

  ```powershell
  Get-AzRoleDefinition -Name Owner | Format-List Actions, NotActions
  ```

- List role assignments for a resource group:

  ```powershell
  Get-AzRoleAssignment -ResourceGroupName <resource group name>
  ```
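Building on the listing commands above, the following added example (not from the original notes) reviews the current subscription's assignments against the Best Practices section: classic administrators, privileged roles granted at subscription scope, and roles assigned directly to users instead of groups. It is read-only. The function name and the finding text are constructed; `Get-AzRoleAssignment -IncludeClassicAdministrators` and the `ObjectType` property are real, while the assumption that classic administrator entries carry role names beginning with `CoAdministrator`/`ServiceAdministrator`/`AccountAdministrator` should be checked against your own output.

```powershell
# Added example, not from the original notes. Read-only review of role assignments
# in the current subscription. Assumes the Az.Resources module and an authenticated
# session. Get-RbacReviewFindings is a constructed helper name.
function Get-RbacReviewFindings {
    param(
        # Defaults to the subscription of the current Az context.
        [string]$SubscriptionId = (Get-AzContext).Subscription.Id
    )

    $subScope   = "/subscriptions/$SubscriptionId"
    $privileged = @('Owner', 'User Access Administrator')

    # Include classic administrators so legacy access shows up alongside RBAC.
    $assignments = Get-AzRoleAssignment -IncludeClassicAdministrators

    foreach ($a in $assignments) {
        $finding = $null

        if ($a.RoleDefinitionName -match '^(Co|Service|Account)Administrator') {
            # Assumption: classic admin entries are reported with these role names.
            $finding = 'Classic administrator: migrate to an RBAC role'
        }
        elseif ($privileged -contains $a.RoleDefinitionName -and $a.Scope -eq $subScope) {
            $finding = 'Owner/UAA at subscription scope: check whether a narrower scope suffices'
        }
        elseif ($a.ObjectType -eq 'User') {
            $finding = 'Assigned directly to a user: prefer a group assignment'
        }

        if ($finding) {
            [pscustomobject]@{
                Principal = $a.DisplayName
                Type      = $a.ObjectType
                Role      = $a.RoleDefinitionName
                Scope     = $a.Scope
                Finding   = $finding
            }
        }
    }
}

# Run the review and show the findings grouped by type, then by role.
Get-RbacReviewFindings | Sort-Object Finding, Role | Format-Table -AutoSize
```

Running this periodically, or after each change, gives a quick picture of where the subscription drifts from least privilege and smallest-scope assignment; each finding points at an assignment to justify or narrow rather than an automatic removal.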
Summary
Azure RBAC allows precise access control over resources, ensuring least privilege, proper segregation of duties, and flexible management through built-in and custom roles. It works alongside Azure AD roles to authenticate and authorize users efficiently.