Unit 2: Assign Azure Roles

Understanding Azure RBAC

Azure RBAC is the authorization system used to control access to Azure resources. Authentication answers who you are, but authorization answers what you are allowed to do. Azure RBAC operates by assigning a role to a security principal at a specific scope.

A role assignment always has three components:

• A security principal.
• A role definition.
• A scope.

Only when all three come together does access exist.

Who Can Be Assigned a Role

When granting access, the first question is who needs access.

• A user is assigned a role when access is needed by a single individual.
• A group is used when multiple users require the same permissions, which simplifies management.
• A service principal is used when an application needs access to Azure resources.
• A managed identity is preferred when an Azure-hosted application needs access without managing credentials.

Using groups and managed identities is considered a best practice because it reduces administrative overhead and improves security.

Built-in Azure Roles

Azure provides many built-in roles that cover common scenarios.

• Owner provides full access to resources and the ability to assign roles.
• Contributor allows creation and management of resources but not access management.
• Reader allows viewing resources without making changes.
• User Access Administrator allows assigning roles but not managing resources.

There are also many resource-specific roles, such as Virtual Machine Contributor or Storage Blob Data Reader, which are preferable to broad roles.

Understanding Scope

Scope defines where the role applies. Azure scopes follow a hierarchy.

• Management group.
• Subscription.
• Resource group.
• Individual resource.

Permissions assigned at a higher scope are inherited by lower scopes. This means a role assigned at the management group level can impact many subscriptions, which can be dangerous if misused.

Examples:

• Assigning Reader at the management group allows read access to everything underneath.
• Assigning Contributor at a resource group allows full control of only that group’s resources.
• Assigning a role at a single resource limits access precisely to that resource.

Best practice is always to assign the narrowest scope possible.

Assigning Roles

Before assigning a role, confirm that your own account has permission to assign roles. Roles can be assigned using:

• The Azure portal.
• Azure PowerShell.
• Azure CLI.
• Azure SDKs or REST APIs.

There are limits to role assignments:

• Up to 2,000 role assignments per subscription.
• Up to 500 role assignments per management group.

Most administrators use the Access control (IAM) blade in the Azure portal, which provides a consistent experience across resources.