Assign roles at different scopes

Manage access to Azure resources

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

1. What is a Scope in Azure?

A scope defines the level at which permissions are applied. In Azure, permissions are not only about what role someone has but also where that role applies. Scopes in Azure are hierarchical:

  1. Management Group – The highest level. It can contain multiple subscriptions. Assigning roles here affects all subscriptions within the management group.
  2. Subscription – Contains all resources for billing and management purposes. Assigning a role here applies to all resources in that subscription.
  3. Resource Group – A container for resources like virtual machines (VMs), storage accounts, and databases. Assigning roles here affects only resources in that resource group.
  4. Resource – Individual resources, such as a specific VM, storage account, or SQL database. Assigning a role here affects only that specific resource.

Hierarchy Example:

  • Assigning a role at the subscription level affects all resource groups and resources under it.
  • Assigning at the resource group level affects all resources inside that group only, not the whole subscription.

2. Types of Roles

Azure has three main types of roles:

  1. Owner
    • Can manage everything, including access permissions.
    • Use this carefully because it’s full control.
  2. Contributor
    • Can create and manage resources but cannot manage access (cannot assign roles).
    • Example: A person creating VMs, databases, or storage accounts but not changing who else can access them.
  3. Reader
    • Can view resources only, no changes allowed.
    • Example: Someone auditing resource usage or checking configurations.

Azure also has many built-in roles like Virtual Machine Contributor, Storage Account Contributor, etc., which provide specific permissions for certain resource types.

3. How Role Assignment Works

To assign a role:

  1. Choose who gets the role:
    • User
    • Group
    • Service principal (used by apps or automation scripts)
  2. Choose the role: Owner, Contributor, Reader, or a custom role.
  3. Choose the scope: management group, subscription, resource group, or resource.

Only users with Owner or User Access Administrator at a given scope can assign roles at that scope.

4. Practical IT Examples

  • Subscription-level access:
    • An Azure admin gives the IT operations team Contributor access to a subscription so they can deploy and manage resources for all projects in that subscription.
  • Resource group-level access:
    • A developer needs to deploy VMs and databases for a specific project. They get Contributor role only on that project’s resource group. They cannot touch other projects’ resources.
  • Resource-level access:
    • A security auditor needs Reader access only to a storage account to review audit logs. They cannot see or change anything else.

5. Key Points for the Exam

  1. RBAC is hierarchical. Permissions at a higher level automatically apply to lower levels.
  2. Principle of Least Privilege: Always assign the minimum permissions necessary.
  3. Who can assign roles: Only Owner or User Access Administrator at that scope.
  4. Scope options:
    • Management Group → all subscriptions
    • Subscription → all resource groups and resources
    • Resource Group → all resources inside
    • Resource → that resource only
  5. Role inheritance:
    • Assigning at a higher scope automatically applies to all lower scopes.
    • Assigning at a lower scope overrides the higher scope only for that resource.

6. Steps to Assign a Role in Azure Portal

  1. Go to the Azure portal.
  2. Navigate to the scope (subscription, resource group, or resource).
  3. Click Access control (IAM)Add role assignment.
  4. Choose the role (Owner, Contributor, Reader, or custom).
  5. Select user, group, or service principal.
  6. Click Save.

Same steps can also be done using Azure PowerShell or Azure CLI, which is commonly used in IT environments for automation.

7. Tips to Remember for the Exam

  • Scope hierarchy matters: Management group > Subscription > Resource Group > Resource.
  • Roles vs. scope: The role defines what actions are allowed, scope defines where they apply.
  • Custom roles: Can be created if built-in roles do not meet requirements.
  • Never give Owner role unless necessary.

Summary

  • RBAC = Role + Scope
  • Scope levels = Management Group → Subscription → Resource Group → Resource
  • Built-in roles = Owner, Contributor, Reader (+ others)
  • Assign roles based on principle of least privilege
  • Higher scope permissions automatically propagate down

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by