Last updated on December 12, 2024
Azure Role-Based Access Control Cheat Sheet
- A role-based access control service used to manage users' access to Azure resources, including what they can do with those resources and what areas they can access.
- It is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Concepts
- A role assignment is composed of a security principal, a role definition, and a scope.
- Security Principal – an object representing a user, group, service principal, or managed identity that requests access to Azure resources.
- Role Definition – a list of permissions that can be performed, such as read, write, and delete.
- Scope – the set of resources to which access applies.
- Attaching a role definition to a user, group, service principal, or managed identity to grant access at a particular scope is called a role assignment.
- You can attach multiple role assignments since RBAC is an additive model.
- Azure RBAC supports both allow and deny assignments.
Roles
- Classic subscription administrator roles have full access to an Azure subscription.
  - Account Administrator
    - You can only have 1 Account Administrator per Azure account.
    - This role is the billing owner of the Azure subscription.
    - It can manage subscriptions and billing in the account.
    - It can create and cancel subscriptions.
  - Service Administrator
    - You can only have 1 Service Administrator per Azure subscription.
    - For new subscriptions, the Account Administrator is also the Service Administrator. This role has full access to the Azure portal.
    - It can assign the Co-Administrator role to users.
  - Co-Administrator
    - You can have up to 200 Co-Administrators per Azure subscription.
    - This role has the same privileges as the Service Administrator, but it can't change the association of subscriptions to Azure directories.
    - A user with this role can only assign the Co-Administrator role to other users.
- Azure Roles – Azure RBAC has over 70 built-in roles. The following are the four fundamental Azure roles:
  - Owner
    - Full access to all Azure resources.
    - Can delegate access to other users.
  - Contributor
    - Create and manage all types of resources in Azure.
    - The role can create a new tenant in Microsoft Entra ID.
    - It cannot grant access to other users.
  - Reader
    - A user with this role can only view Azure resources.
  - User Access Administrator
    - It has permissions to manage user access to all types of resources.
- Microsoft Entra Roles – Provide access to manage Microsoft Entra resources in a directory, such as creating users, assigning administrative roles to others, managing licenses, resetting passwords, and managing domains.
  - Global Administrator
    - This role can manage access to all the administrative features in Microsoft Entra ID.
    - It can assign administrator roles to the users in your organization.
    - It can reset the passwords of users and administrators in the account.
  - User Administrator
    - Create and manage different types of users and groups in Azure.
    - Manage support tickets and monitor service health.
    - This role can only change the passwords of users and administrators.
  - Billing Administrator
    - Make purchases in Azure.
    - The role can also monitor service health.
    - Manage subscriptions and support tickets.
| Azure Roles | Microsoft Entra Roles |
| --- | --- |
| Manage access to Azure resources. | Manage access to Microsoft Entra resources. |
| Supports custom roles. | Supports custom roles. |
| The scope can be specified at multiple levels (management group, subscription, resource group, resource). | The scope is only at the tenant level. |
| Role information can be accessed through the Azure portal, CLI, PowerShell, Resource Manager templates, and REST APIs. | Role information can be accessed through the Microsoft Entra admin center, Microsoft 365 admin center, Microsoft Graph, and Microsoft Graph PowerShell. |
Best Practices
- Use Azure RBAC to segregate duties within your team and only grant the access your users need.
- Limit the number of subscription owners (max of 3) to reduce the potential for breach by a compromised owner.
- You can use Microsoft Entra PIM to protect privileged accounts from malicious cyber-attacks.
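As an added example (not from this cheat sheet or from Microsoft), a small Python model of the rules summarized in the Concepts, Roles, and Best Practices sections above: a role assignment is a principal plus a role definition plus a scope, assignments are inherited down the scope hierarchy and combine additively, deny assignments take precedence, Contributor's NotActions keep it from granting access while User Access Administrator can, and the subscription-owner limit is checked. Role names are Azure's built-ins; the action subsets, subscription ID, and principal names are constructed.

```python
from fnmatch import fnmatchcase

# Built-in role names are Azure's; the action lists are a constructed subset
# of the real definitions, enough to show Actions minus NotActions.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}

def scope_covers(assignment_scope, resource_scope):
    """An assignment at a scope is inherited by every child scope beneath it."""
    base = assignment_scope.rstrip("/").lower()
    target = resource_scope.lower()
    return target == base or target.startswith(base + "/")

def matches(patterns, action):
    """Action strings are case-insensitive and '*' spans '/' separators."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action):
    rd = ROLE_DEFINITIONS[role]
    return matches(rd["actions"], action) and not matches(rd["not_actions"], action)

def is_allowed(principal, action, resource_scope, assignments, deny_assignments=()):
    # Deny assignments take precedence over any role assignment that covers the resource.
    for who, denied, scope in deny_assignments:
        if who == principal and scope_covers(scope, resource_scope) and matches(denied, action):
            return False
    # Additive model: a single in-scope assignment permitting the action is enough.
    return any(who == principal and scope_covers(scope, resource_scope) and role_permits(role, action)
               for who, role, scope in assignments)

def excess_owners(assignments, subscription_scope, limit=3):
    """Best-practice check: list Owners at subscription scope when they exceed `limit`."""
    owners = sorted({who for who, role, scope in assignments
                     if role == "Owner" and scope.lower() == subscription_scope.lower()})
    return owners if len(owners) > limit else []

# Constructed sample tenant: one subscription (placeholder ID) with two resource groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_WEB, RG_PROD = f"{SUB}/resourceGroups/rg-web", f"{SUB}/resourceGroups/rg-prod"
ASSIGNMENTS = [("alice", "Contributor", SUB), ("bob", "Reader", RG_WEB),
               ("carol", "User Access Administrator", SUB), ("dan", "Owner", SUB),
               ("erin", "Owner", SUB), ("frank", "Owner", SUB), ("gina", "Owner", SUB)]
DENIES = [("alice", ["Microsoft.Compute/virtualMachines/delete"], RG_PROD)]
```

Running `excess_owners(ASSIGNMENTS, SUB)` flags the four subscription Owners, and `is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", SUB, ASSIGNMENTS, DENIES)` is False because Contributor's NotActions remove the right to grant access.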
Validate Your Knowledge
Question 1
Question Type: Single choice
Your company has an Azure subscription named ManilaSubscription that contains multiple virtual machines. The subscription has a user named ManilaUser01 who has the following roles:
- Backup Reader
- Storage Blob Data Contributor
- DevTest Labs User
You need to ensure that ManilaUser01 can assign the Reader role to all the users in the subscription.
What role should you assign?
- Assign the User Access Administrator role.
- Assign the Security Reader role.
- Assign the Virtual Machine Contributor role.
- Assign the Security Admin role.
For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal.
Azure RBAC Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview