Manage built-in Azure roles

Manage access to Azure resources

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

1. What Are Built-in Azure Roles?

Azure provides predefined roles called built-in roles. These roles define a set of permissions that allow users to perform specific actions on Azure resources.

Instead of manually assigning individual permissions, you can assign these roles to users, groups, or service principals to quickly give the right access.

Key idea:

  • Roles = sets of permissions
  • Permissions = what actions a user can do (read, write, delete, etc.)

2. Types of Built-in Roles

Azure has three main types of built-in roles:

a) Owner

  • Can manage everything including access (assign roles to others)
  • Full control over the resource.
  • Commonly assigned to admins or service owners.

b) Contributor

  • Can create and manage resources, but cannot grant access to others.
  • Example: A developer who deploys virtual machines or databases but should not control who else has access.

c) Reader

  • Can view resources, but cannot make any changes.
  • Example: A network team member who monitors Azure virtual networks but does not change configurations.

3. Other Common Built-in Roles

Beyond the three main ones, Azure provides specialized roles for specific tasks:

RoleDescription
Virtual Machine ContributorCan manage VMs (start, stop, deploy) but cannot manage network or storage
Storage Account ContributorCan manage storage accounts and blobs, but not assign roles
Network ContributorCan manage network resources, e.g., VNets, subnets, NSGs
Security ReaderCan view security-related info in Azure Security Center
Billing ReaderCan view billing and subscription info, but cannot change resources

Tip for exam: You may be asked “which role can perform X?” so focus on what each role can or cannot do.

4. How Permissions Work in Roles

Each role has permissions, which are actions on resources. Permissions follow this pattern:

  • Read (Microsoft.Compute/virtualMachines/read) → View the VM
  • Write (Microsoft.Compute/virtualMachines/write) → Create or update the VM
  • Delete (Microsoft.Compute/virtualMachines/delete) → Delete the VM

Roles group these permissions. For example:

  • Reader → only read actions
  • Contributorread + write + delete, but cannot assign roles
  • Ownerread + write + delete + assign roles

5. Scope of Role Assignments

Roles are assigned at different scopes in Azure. The scope defines where the role applies:

  1. Management Group → applies to all subscriptions under it
  2. Subscription → applies to all resources in the subscription
  3. Resource Group → applies only to resources in that group
  4. Resource → applies only to a single resource

Example:

  • Assigning Reader at a subscription level → can read all resources in that subscription
  • Assigning Reader at a resource group level → can read only resources in that group

6. How to Assign a Built-in Role

You can assign roles using:

  • Azure Portal
    1. Go to the resource
    2. Click Access control (IAM)
    3. Click + Add → Add role assignment
    4. Select role (Owner, Contributor, Reader, etc.)
    5. Select user, group, or service principal
    6. Click Save
  • Azure PowerShell:
New-AzRoleAssignment -ObjectId <UserObjectId> -RoleDefinitionName "Contributor" -Scope "/subscriptions/<subscriptionId>/resourceGroups/<rgName>"
  • Azure CLI:
az role assignment create --assignee <user-email-or-id> --role "Contributor" --scope "/subscriptions/<subscriptionId>/resourceGroups/<rgName>"

7. Exam Tips for Built-in Roles

  1. Know the main 3 roles (Owner, Contributor, Reader) inside out.
  2. Understand the specialized roles for compute, storage, network, and security.
  3. Remember scope matters (subscription, resource group, resource).
  4. Know how permissions differ between roles (read vs write vs assign roles).
  5. Remember Owner can assign roles, Contributor cannot, Reader cannot make changes.

8. Summary Table for Quick Exam Reference

RoleCan ReadCan Write/DeleteCan Assign Roles
Owner
Contributor
Reader
VM Contributor✅ (VMs only)
Network Contributor✅ (Network only)
Storage Contributor✅ (Storage only)

Key Takeaways

  • Built-in Azure roles simplify access management.
  • Owner, Contributor, Reader are the most important for the exam.
  • Roles define permissions for resources at a specific scope.
  • Always assign roles following the principle of least privilege—give users only the permissions they need.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by