Azure identity, access, and security
Microsoft Certified: Azure Fundamentals (AZ-900)
Definition:
RBAC is a system in Azure that controls who can do what on which resources. It ensures that users, groups, or applications have just enough permissions to do their job – no more, no less.
Think of it as "permissions management" for Azure resources.
1. Core Concepts of RBAC
To understand RBAC, you need to know its three main elements:
a) Security Principal (Who)
This is who needs access to Azure resources. It can be:
- User – An individual with an Azure account.
  Example: A network admin who needs access to Azure Virtual Network.
- Group – A collection of users. Assigning roles to a group automatically applies them to all users in the group.
  Example: A "Developers" group with access to Azure App Services.
- Service Principal / Managed Identity – Non-human identities used by applications or services.
  Example: An application running in Azure that needs to read from an Azure Storage account.
b) Role (What)
A role defines what actions the principal can perform. Azure has:
- Built-in Roles – Predefined roles for common tasks:
  - Owner – Full access, including the ability to delegate permissions.
  - Contributor – Can create and manage resources but cannot assign roles.
  - Reader – Can view resources but cannot make changes.
- Custom Roles – You can create a role with specific permissions if built-in roles are too broad.
Example: A role that can only start/stop virtual machines without editing anything else.
c) Scope (Where)
Scope defines where the role applies in Azure:
- Management Group – Applies across multiple subscriptions.
- Subscription – Applies to all resources inside a subscription.
- Resource Group – Applies only to resources in that group.
- Resource – Applies to a single resource, like one virtual machine or storage account.
Example: Assigning a Contributor role at the resource group level allows a user to manage all resources in that group but not resources in other groups.
2. How RBAC Works in Practice
RBAC works by combining the three elements:
Security Principal + Role + Scope = Permissions
Example in IT context:
- User: Database Administrator
- Role: Contributor
- Scope: Resource Group "DB-Servers"
Result: The database admin can manage all resources inside the "DB-Servers" resource group but cannot touch resources outside that group.
3. RBAC Assignment Rules
- A user can have multiple roles. Azure merges all permissions.
- If a user holds two roles (Reader + Contributor) at the same scope, the permissions are additive, so the higher privilege (Contributor) is what effectively applies.
- If roles are assigned at different scopes, permissions stack hierarchically.
Hierarchy example:
Management Group (Top Level)
└── Subscription
    └── Resource Group
        └── Resource
- A role assigned at a higher level automatically applies to all lower levels unless overridden.
- This helps manage large environments efficiently.
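To make the "Security Principal + Role + Scope = Permissions" formula and the stacking rules in sections 2 and 3 concrete, here is an added example that is not part of the original study note and not Microsoft's own implementation: a small Python model of how Azure evaluates a role assignment. The role definitions are deliberately simplified versions of Owner, Contributor, Reader (the real Contributor definition has more NotActions), the "VM Operator" custom role is hypothetical, and the management group, subscription, resource groups, VMs, users and group membership are constructed sample data. Action strings use Azure's real operation format (for example Microsoft.Compute/virtualMachines/read) and wildcard matching.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified role definitions. Azure evaluates Actions minus NotActions
# within one role definition; assumption for this example, not Microsoft's code.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    # Contributor can do everything except manage access.
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # Hypothetical custom role: view and start/stop VMs, nothing else.
    "VM Operator": {"actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action",
                                "Microsoft.Compute/virtualMachines/deallocate/action"],
                    "not_actions": []},
}

# Constructed scope hierarchy (child scope -> parent scope).
MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB_A = "/subscriptions/sub-a"
RG_DEV = SUB_A + "/resourceGroups/RG-Dev"
RG_PROD = SUB_A + "/resourceGroups/RG-Prod"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-01"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
PARENT = {SUB_A: MG, RG_DEV: SUB_A, RG_PROD: SUB_A, VM_DEV: RG_DEV, VM_PROD: RG_PROD}

# Constructed group membership: assignments to a group apply to its members.
GROUP_MEMBERS = {"Dev Group": {"bob"}}


@dataclass(frozen=True)
class Assignment:
    """One role assignment: Security Principal + Role + Scope."""
    principal: str
    role: str
    scope: str


ASSIGNMENTS = [
    Assignment("alice", "Reader", SUB_A),          # whole subscription
    Assignment("Dev Group", "Contributor", RG_DEV),  # one resource group
    Assignment("carol", "VM Operator", RG_PROD),   # custom role, other group
]


def scope_chain(scope):
    """Yield the scope itself and every ancestor up to the management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def principals_for(user):
    """A user acts as themselves plus every group they belong to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def _matches(action, pattern):
    # Azure action matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role, action):
    """True if the role's Actions cover the operation and NotActions do not exclude it."""
    d = ROLE_DEFINITIONS[role]
    allowed = any(_matches(action, p) for p in d["actions"])
    denied = any(_matches(action, p) for p in d["not_actions"])
    return allowed and not denied


def is_allowed(user, action, scope, assignments=ASSIGNMENTS):
    """Union of all assignments that reach this scope: any one permitting the action is enough."""
    ids = principals_for(user)
    reachable = set(scope_chain(scope))
    return any(a.principal in ids and a.scope in reachable and role_allows(a.role, action)
               for a in assignments)


def effective_roles(user, scope, assignments=ASSIGNMENTS):
    """Roles that stack onto this scope from the scope itself and its ancestors."""
    ids = principals_for(user)
    reachable = set(scope_chain(scope))
    return sorted({a.role for a in assignments if a.principal in ids and a.scope in reachable})


if __name__ == "__main__":
    vm_write = "Microsoft.Compute/virtualMachines/write"
    print("bob writes dev VM:", is_allowed("bob", vm_write, VM_DEV))      # True
    print("bob writes prod VM:", is_allowed("bob", vm_write, VM_PROD))    # False
    print("bob assigns roles in RG-Dev:",
          is_allowed("bob", "Microsoft.Authorization/roleAssignments/write", RG_DEV))  # False
```

The scenarios to try match the note: Alice's Reader assignment at the subscription reaches every VM below it but permits only read operations; Bob inherits Contributor through "Dev Group", which reaches vm-dev-01 but not vm-prod-01, and even in RG-Dev he cannot write a role assignment because Contributor excludes Microsoft.Authorization writes. Adding a second assignment for the same user at the same scope enlarges the allowed set rather than replacing it, which is the additive behaviour section 3 describes.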
4. RBAC vs Azure AD Role Assignments
- RBAC: Controls access to Azure resources (VMs, Storage accounts, Databases).
- Azure AD Roles: Control access to Azure AD itself (user management, app registrations).
Important for the exam: Don't confuse RBAC (resource access) with Azure AD roles (identity management).
5. Exam Tips / Key Points
- RBAC is free and built into Azure.
- Principle of Least Privilege: Assign the minimum permissions necessary.
- Built-in roles to remember for the exam: Owner, Contributor, Reader.
- Scope levels to remember: Management Group → Subscription → Resource Group → Resource.
- RBAC assignments stack: multiple roles can apply to the same principal at different scopes.
- RBAC is different from Azure AD roles.
6. Quick Visual Example
| Security Principal | Role | Scope | Result |
|---|---|---|---|
| Alice | Reader | Subscription A | Can view all resources in Subscription A |
| Dev Group | Contributor | RG-Dev | Can manage resources only in RG-Dev |
| App Service | Reader | Storage Acc X | App can only read data from Storage Acc X |
This is exactly what you need for the AZ-900 exam. If you understand who, what, and where in RBAC, and the differences from Azure AD roles, you can answer almost every RBAC question.
