Interpret access assignments

Manage access to Azure resources

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

1. What is an Access Assignment?

An access assignment is the combination of:

  1. Security Principal – This is who is getting access. It can be:
    • A User (e.g., Alice)
    • A Group (e.g., Developers)
    • A Service Principal (used by apps to access Azure)
    • A Managed Identity (used by Azure services)
  2. Role – This defines what actions they can perform. For example:
    • Reader – Can view resources but not change them.
    • Contributor – Can create and manage resources but cannot grant access.
    • Owner – Full control, including managing access.
  3. Scope – This defines where the access applies. Scopes can be:
    • Management Group – Top-level, applies to all subscriptions under it.
    • Subscription – Applies to all resources in the subscription.
    • Resource Group – Applies to resources in a specific group.
    • Resource – Applies to a single resource (e.g., one Virtual Machine).

Key idea: Access assignments answer the question:
“Who can do what and where?”

2. How Access Assignments Work

When interpreting access assignments, you need to understand how Azure evaluates them:

  1. Role Inheritance – Roles assigned at a higher scope inherit downwards.
    Example:
    • If a user is a Reader at the subscription level, they can view all resource groups and resources in that subscription.
    • But if a user is assigned Contributor at a single resource group, they can only manage resources in that group, not the entire subscription.
  2. Multiple Assignments – A user can have multiple access assignments from:
    • Direct role assignments
    • Membership in a group
    • Inherited roles from higher scopes
      Azure merges these permissions, giving the user the most permissive access.
  3. Deny Assignments – Some roles or policies can explicitly deny access, even if a user has a role that grants it. This is often used in Azure Blueprints or Azure Policy.

3. Where to See Access Assignments

To interpret access assignments, you need to know where to check them:

  • Azure Portal:
    • Go to a resource → Access Control (IAM)Role assignments
    • Here, you see:
      • Who has access (User, Group, Service Principal)
      • Role assigned
      • Scope (Resource, Resource Group, Subscription)
  • Azure CLI: az role assignment list --assignee <user or group>
  • Azure PowerShell: Get-AzRoleAssignment -SignInName <user email>

These commands help you see all roles and scopes for a user or group, which is key for exam questions.

4. Interpreting Assignments for Exam Scenarios

When the exam asks you to interpret access assignments, they usually want you to determine:

  1. Who has access?
    Check if it’s assigned directly to a user, through a group, or inherited.
  2. What permissions they have?
    Look at the role(s) assigned.
  3. Where it applies?
    Check the scope — subscription, resource group, or resource.

Example exam-style scenario:

Alice is assigned the Contributor role on Resource Group RG1. Bob is a Reader at the subscription level. RG1 contains VM1 and Storage1.
Question: Who can modify VM1?

Answer:

  • Alice can modify VM1 (Contributor at RG1).
  • Bob cannot modify VM1 (Reader at subscription).

Tip: Always trace role → scope → permissions.

5. Important Exam Points

  1. RBAC roles are cumulative: Multiple roles add up unless denied.
  2. Higher-scope roles override lower-scope assignments only in permissions, not deny rules.
  3. Inherited roles: Remember that role assignments at subscription or resource group levels automatically apply to child resources.
  4. Service Principals and Managed Identities: Often used in automated scripts or Azure resources — understand their access too.
  5. Check effective permissions: Azure provides a tool in the portal called “Check access”, showing what a user can actually do.

6. Best Practices for Interpreting Assignments

  • Always identify the scope first.
  • List all roles assigned to the user (direct and group).
  • Check for deny assignments if access seems blocked.
  • Understand role permissions (Owner, Contributor, Reader, Custom Roles).

Summary Table

ConceptWhat it isExam Focus
Security PrincipalWho is getting access (User, Group, App)Identify who has the access
RoleWhat actions they can perform (Reader, Contributor, Owner)Determine level of access
ScopeWhere the access applies (Subscription, RG, Resource)Understand which resources are affected
InheritanceRole at higher scope applies to lower scopesTrace effective permissions
Multiple assignmentsAccess can come from several roles or groupsMerge permissions correctly
Deny assignmentsExplicit denial of accessKnow that it overrides roles

Key takeaway for AZ-104:
To pass this exam topic, you must read the access assignment, understand who, what, and where, and identify effective permissions. Questions often test your ability to figure out actual access for users, groups, or apps at different scopes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by