Roles in Azure

A Brief History of Roles in Azure

When Azure was first released, access control was very simple and relied on only three classic administrator roles:

  • Account Administrator

  • Service Administrator

  • Co-Administrator

These roles provided broad, unrestricted access to subscriptions but lacked flexibility and security controls.

As Azure evolved, Microsoft introduced Azure Resource Manager (ARM) and with it Azure Role-Based Access Control (RBAC)—a modern authorization system that enables fine-grained access control.

At the same time, Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) introduced administrator roles specifically for managing identity-related resources such as users, groups, and domains.

Important: Classic administrator roles should be avoided when using Azure Resource Manager. Microsoft retired the Co-Administrator and Service Administrator roles on 31 August 2024; Account Administrator survives only as the billing owner of a subscription.


The Three Types of Roles in Azure

1. Classic Subscription Administrator Roles (Legacy)

These roles exist mainly for backward compatibility.

  • Account Administrator

  • Service Administrator

  • Co-Administrator

Not recommended for modern Azure environments
❌ No fine-grained permissions
❌ No role scoping


2. Azure Role-Based Access Control (RBAC) Roles

Azure RBAC is used to manage Azure resources, such as:

  • Virtual Machines

  • Storage Accounts

  • Networks

  • Databases

RBAC allows you to:

  • Assign permissions at different scopes

  • Use built-in roles

  • Create custom roles

  • Follow the principle of least privilege

RBAC Scopes

RBAC roles can be assigned at:

  • Management Group

  • Subscription

  • Resource Group

  • Individual Resource


Core Built-in Azure RBAC Roles

These four roles are the foundation of RBAC:

Owner

  • Full access to all resources

  • Can assign roles to others

  • Service Administrators and Co-Administrators held the equivalent of Owner at subscription scope, which is why those legacy roles had to be reviewed alongside RBAC assignments

Contributor

  • Can create and manage resources

  • ❌ Cannot assign access to others

Reader

  • View-only access to resources

User Access Administrator

  • Can manage user access to resources

  • Focused on permissions, not resource management


Resource-Specific RBAC Roles

Azure also provides roles for specific services, such as:

  • Virtual Machine Contributor

  • Storage Account Contributor

  • Network Contributor

If built-in roles don’t meet your needs, Azure allows you to create custom RBAC roles. They are built from the same Actions/NotActions/DataActions/NotDataActions lists as the built-in roles and can only be assigned within the scopes listed in the role’s AssignableScopes.


Data Operations in Azure RBAC

Azure RBAC separates control-plane permissions from data-plane permissions. A role definition lists control-plane operations under Actions/NotActions and data-plane operations under DataActions/NotDataActions, and only a role that carries data actions grants access to the contents of a resource.

Example:

  • A user holding a data-plane role on a Storage Account can read the corresponding data:

    • Blobs (Storage Blob Data Reader)

    • Files (Storage File Data SMB Share Reader)

    • Queue messages (Storage Queue Data Reader)

  • A user holding only Reader on the same account can see the account’s properties but is granted none of its contents through RBAC.

This is different from managing the resource itself: control-plane roles govern the resource, data roles govern the data inside it.

Caveat: control-plane access can still reach the data indirectly. Contributor includes Microsoft.Storage/storageAccounts/listKeys/action, so a Contributor can retrieve the account keys and read everything with them. If data-plane roles are meant to be the boundary, disable shared-key authorization on the account (the allowSharedKeyAccess property) so that only Azure AD-authorized requests are accepted.
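As an added example (not code from the page or from Microsoft), the following Python models how an RBAC decision is made. It covers both the scope inheritance described under "RBAC Scopes" and the control-plane/data-plane split described in this section, including the listKeys caveat. The role definitions use the JSON shape Azure uses for custom roles (Actions, NotActions, DataActions, NotDataActions); the built-in roles are abbreviated to the entries the example needs, and the management group, subscription, resource group, storage account and principal names are all constructed.

```python
"""Toy evaluator for Azure RBAC decisions: scope inheritance plus the
control-plane (Actions) / data-plane (DataActions) split.

Role definitions use the JSON shape that `az role definition create` accepts.
Assumption: the built-in roles are trimmed to what the example needs, and the
assignments, principals and scopes are constructed."""
import re

ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "DataActions": [], "NotDataActions": []},
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": []},
}

MG = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB = "/subscriptions/0000-sub-prod"
RG = SUB + "/resourceGroups/rg-app"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stapp"
OTHER_ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stother"

# A subscription does not share a path prefix with its management group,
# so that part of the hierarchy needs an explicit parent map.
MG_PARENT = {SUB: MG, MG: "/"}

# Constructed assignments; principalId is the user or group object id.
ASSIGNMENTS = [
    {"principalId": "grp-platform-readers", "roleDefinitionName": "Reader", "scope": MG},
    {"principalId": "user-alice", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": "user-bob", "roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT},
]


def scope_chain(scope):
    """Return the scope and every ancestor, narrowest first, ending at the root '/'."""
    chain, cur = [scope], scope
    if cur.startswith("/subscriptions/"):
        if "/providers/" in cur:                 # resource -> resource group
            cur = cur[: cur.index("/providers/")]
            chain.append(cur)
        if "/resourceGroups/" in cur:            # resource group -> subscription
            cur = cur[: cur.index("/resourceGroups/")]
            chain.append(cur)
    while cur != "/":                            # subscription -> management groups -> root
        cur = MG_PARENT.get(cur, "/")
        chain.append(cur)
    return chain


def _matches(pattern, operation):
    # Azure wildcard: '*' matches any run of characters; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_permits(role, operation, data_plane):
    """NotActions/NotDataActions subtract from the same role's grant; they are not denies."""
    allow = role["DataActions"] if data_plane else role["Actions"]
    deny = role["NotDataActions"] if data_plane else role["NotActions"]
    return (any(_matches(p, operation) for p in allow)
            and not any(_matches(p, operation) for p in deny))


def is_authorized(principal_ids, assignments, operation, scope, data_plane=False):
    """principal_ids: the caller's own object id plus every group it belongs to.
    Any one matching assignment at the scope or an ancestor grants the operation.
    Real Azure additionally evaluates deny assignments and ABAC conditions (omitted here)."""
    ancestors = {s.lower() for s in scope_chain(scope)}
    for a in assignments:
        if (a["principalId"] in principal_ids
                and a["scope"].lower() in ancestors
                and role_permits(ROLE_DEFINITIONS[a["roleDefinitionName"]], operation, data_plane)):
            return True
    return False


def demo():
    alice = {"user-alice", "grp-platform-readers"}
    bob = {"user-bob", "grp-platform-readers"}
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    return {
        # Reader inherited from the management group, four levels above the account
        "bob_reads_account_properties": is_authorized(bob, ASSIGNMENTS, "Microsoft.Storage/storageAccounts/read", ACCOUNT),
        # Contributor at the resource group covers control-plane writes on the account...
        "alice_writes_account": is_authorized(alice, ASSIGNMENTS, "Microsoft.Storage/storageAccounts/write", ACCOUNT),
        # ...but carries no DataActions, so RBAC does not let her read blob contents...
        "alice_reads_blob": is_authorized(alice, ASSIGNMENTS, blob_read, ACCOUNT, data_plane=True),
        # ...while listKeys is a control-plane action that hands her the account keys anyway
        "alice_lists_keys": is_authorized(alice, ASSIGNMENTS, "Microsoft.Storage/storageAccounts/listKeys/action", ACCOUNT),
        # Contributor's NotActions remove role-assignment writes
        "alice_assigns_roles": is_authorized(alice, ASSIGNMENTS, "Microsoft.Authorization/roleAssignments/write", ACCOUNT),
        # The data-plane role is scoped to one account only
        "bob_reads_blob": is_authorized(bob, ASSIGNMENTS, blob_read, ACCOUNT, data_plane=True),
        "bob_reads_other_blob": is_authorized(bob, ASSIGNMENTS, blob_read, OTHER_ACCOUNT, data_plane=True),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:30} {'ALLOW' if allowed else 'deny'}")
```

The interesting rows are the two Alice checks in the middle: the same Contributor assignment is denied the blob read on the data plane yet allowed listKeys on the control plane, which is exactly the gap that disabling shared-key access closes.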


3. Azure Active Directory (Azure AD) Administrator Roles

Azure AD roles are used to manage identity and directory services, including:

  • Users

  • Groups

  • Devices

  • Domains

  • Authentication policies

These roles apply at the tenant level, not per subscription; the one way to narrow them is an administrative unit, which limits a role to a subset of users, groups, or devices.


Key Differences: Azure RBAC vs Azure AD Roles

What they manage

  • Azure RBAC roles: Azure resources (virtual machines, storage, networks, databases)

  • Azure AD roles: directory objects (users, groups, applications, domains, authentication policies)

Scope

  • Azure RBAC roles: management group, subscription, resource group, or individual resource

  • Azure AD roles: the whole tenant (administrative units can narrow some roles to a subset of users, groups, or devices)

Used for

  • Azure RBAC roles: infrastructure and services

  • Azure AD roles: identity and access management

Managed via

  • Azure RBAC roles: Azure Portal, Azure CLI, Azure PowerShell, ARM templates, REST API

  • Azure AD roles: Azure AD portal (now the Microsoft Entra admin center), Microsoft 365 admin center, Microsoft Graph

How Azure AD Roles and Azure RBAC Work Together

Azure uses both role systems together:

  1. Azure AD authenticates the caller

    • Verifies the identity and issues the token that Azure Resource Manager accepts

    • Azure AD admin roles (if any) authorize directory operations such as creating users or changing policies; on their own they grant nothing on Azure resources

  2. Azure RBAC authorizes the request against Azure resources

    • Determines which Azure resources the caller can act on

    • Enforces permissions at the assigned scope and every scope beneath it

Authentication happens in Azure AD
Authorization of resource operations happens through Azure RBAC

There is one deliberate bridge between the two systems: a Global Administrator can elevate their access (the "Access management for Azure resources" switch) to obtain User Access Administrator at the root scope (/), and from there assign any role in any subscription of the tenant. Treat Global Administrator as an Azure-wide privileged role, keep the elevation switched off when it is not in use, and alert on the Microsoft.Authorization/elevateAccess/action entry it leaves in the activity log.

This separation improves security, scalability, and governance.


Best Practices

✔ Use Azure RBAC for resource access
✔ Use Azure AD roles for identity management
✔ Avoid classic administrator roles
✔ Assign roles using least privilege
✔ Assign at the narrowest scope that does the job, and assign to Azure AD groups rather than to individual users
✔ Regularly review role assignments
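An added audit script (not from the page) that checks existing assignments against the practices above. The records are constructed to mimic the fields that `az role assignment list --all -o json` returns (principalName, principalType, roleDefinitionName, scope); the three rules, the set of roles treated as privileged, and the scope levels treated as broad are this example's own choices.

```python
"""Review Azure role assignments for least-privilege problems.

The input mirrors the records returned by `az role assignment list --all -o json`.
Assumption: the sample records are constructed, and the rules/thresholds are
this example's own choices rather than anything Microsoft prescribes."""
import json
from collections import Counter

PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
BROAD_SCOPES = {"root", "management group", "subscription"}

SAMPLE_JSON = json.dumps([
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/0000-sub-prod"},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"principalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub-prod/resourceGroups/rg-app"},
    {"principalName": "sp-deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub-prod/resourceGroups/rg-app"},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/0000-sub-prod"},
])


def scope_kind(scope):
    """Classify an assignment scope by the level of the RBAC hierarchy it sits at."""
    if scope == "/":
        return "root"
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "management group"
    if "/providers/" in scope:
        return "resource"
    if "/resourceGroups/" in scope:
        return "resource group"
    return "subscription"


def review(assignments):
    """Return one finding per rule violated; an assignment can trip several rules."""
    findings = []
    for a in assignments:
        role, kind = a["roleDefinitionName"], scope_kind(a["scope"])
        who = f'{a["principalName"]} ({a["principalType"]})'
        privileged = role in PRIVILEGED_ROLES
        # Rule 1: privileged roles go to groups, not to individual users
        if privileged and a["principalType"] == "User":
            findings.append({"rule": "direct-user", "who": who, "role": role, "scope": a["scope"]})
        # Rule 2: privileged roles at subscription scope or above deserve a second look
        if privileged and kind in BROAD_SCOPES:
            findings.append({"rule": "broad-scope", "who": who, "role": role, "scope": a["scope"]})
        # Rule 3: B2B guests (UPN contains #EXT#) should hold nothing beyond Reader
        if "#EXT#" in a["principalName"].upper() and role != "Reader":
            findings.append({"rule": "guest-privileged", "who": who, "role": role, "scope": a["scope"]})
    return findings


def summarize(findings):
    """Count findings per rule, handy for trending between reviews."""
    return Counter(f["rule"] for f in findings)


def review_sample():
    return review(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    results = review_sample()
    for f in results:
        print(f'[{f["rule"]:16}] {f["who"]:58} {f["role"]:12} {f["scope"]}')
    print(dict(summarize(results)))
```

Against real output, pipe the CLI JSON into review() in place of the sample; assignments inherited from a management group appear in the listing with the management-group scope, so rule 2 catches them even when you are only reviewing one subscription.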


Final Thoughts

Understanding the difference between Azure RBAC roles and Azure AD administrator roles is critical for building a secure and well-governed Azure environment.

  • RBAC = Resource permissions

  • Azure AD roles = Identity permissions

Once you understand this separation, Azure security becomes much easier to manage.