Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Azure Role-Based Access Control (RBAC)

Home » Azure Cheat Sheets » Azure Monitoring and Management » Azure Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC)

Last updated on December 12, 2024

Azure Role-Based Access Control Cheat Sheet

  • A role-based access control service to manage user’s access to Azure resources including what they can do with those resources and what areas they can access.
  • It is an authorization system based on Azure Resource Manager, which provides fine-grained access management of Azure resources.

Concepts

  • A role assignment is composed of security principal, role definition, and scope.
    • Security Principal – an object representing a user, group, service principal, and managed identity that requests access to Azure resources.
    • Role Definition – a list of permissions that can be performed, such as read, write and delete.
    • Scope – set of resources to which access applies.
  • Attaching a role definition to a user, group, service principal, and managed identity to grant access to a particular scope is called role assignment.
  • You can attach multiple role assignments since RBAC is an additive model.
  • Tutorials dojo strip
  • Azure RBAC supports both allow and deny assignments.

Roles

  • Classic subscription administrator roles have full access to an Azure subscription.
    • Account Administrator
      • You can only have 1 Account Administrator per Azure account.
      • This role is the billing owner of the Azure subscription.
      • It can manage subscriptions and billings in the account.
      • Create and cancel subscriptions.
    • Service Administrator
      • For this role, you can only have 1 Service Administrator per Azure subscription.
      • For new subscriptions, the Account Administrator is also the Service Administrator. This role has full access to the Azure portal.
      • It can assign users with a Co-Administrator role.
    • Co-Administrator
      • You can only create 200 Co-Administrator per Azure subscription.
      • This role has the same privileges as the Service Administrator, but it can’t change the association of subscriptions to Azure directories.
      • A user with this role can only assign a Co-Administrator role to other users.
  • Azure Roles – Azure RBAC has over 70 built-in roles. The following are the four fundamental Azure roles:
    • Owner 
      • Full access to all Azure resources.
      • Delegate access to other users.
    • Contributor
      • Create and manage all types of resources in Azure.
      • The role can create a new tenant in Microsoft Entra ID.
      • It cannot grant access to other users.
    • Reader
      • A user with this role can only view Azure resources.
    • User Access Administrator
      • It has permissions to manage user access to all types of resources.
  • Microsoft Entra Roles – Provide access to manage Microsoft Entra resources in a directory such as create users, assign administrative roles to others, manage licenses, reset passwords, and manage domains.
    • Global Administrator
      • This role can manage access to all the administrative features in Microsoft Entra ID.
      • It can assign administrator roles to the users in your organization.
      • Reset the password of users and administrators in the account.
    • User Administrator
      • Create and manage different types of users and groups in Azure.
      • Manage support tickets and monitor service health.
      • This role can only change the passwords of users and administrators.
    • Billing Administrator
      • Make purchases in Azure.
      • The role can also monitor service health.
      • Manage subscriptions and support tickets.

Azure Roles

Microsoft Entra Roles

Manage access to Azure resources.

Manage access to Microsoft Entra resources.

It supports custom roles.

It supports custom roles.

The scope can be specified at multiple levels (management group, subscription, resource group, resource).

The scope is only at the tenant level.

Role information can be accessed through Azure Portal, CLI, PowerShell, Resource Manager templates, and REST APIs.

Role information can be accessed through Microsoft Entra admin center, Microsoft 365 Admin Center, Microsoft Graph, and Microsoft Graph PowerShell.

 

Best Practices

  • Use Azure RBAC to segregate duties within your team and only grant the access your users need.
  • Limit the number of subscription owners (max of 3) to reduce the potential for breach by a compromised owner.
  • You can use Microsoft Entra PIM to protect privileged accounts from malicious cyber-attacks.

Validate Your Knowledge

Question 1

Question Type: Single choice

Your company has an Azure subscription named ManilaSubscription that contains multiple virtual machines.

The subscription has a user named ManilaUser01 which has the following roles:

  • Backup Reader

  • Storage Blob Data Contributor

  • DevTest Labs User

You need to ensure that ManilaUser01 can assign a Reader role to all the users in the subscription.

What role should you assign?

  1. Assign the User Access Administrator role.
  2. Assign the Security Reader role.
  3. Assign the Virtual Machine Contributor role.
  4. Assign the Security Admin role.

Correct Answer: 1

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

The four fundamental Azure roles are Owner, Contributor, Reader, and User Access Administrator. To assign a Reader role to all the users in the Azure subscription, you must grant the user a User Access Administrator role. This role allows you to manage user access to the Azure resources.

Hence, the correct answer is: Assign the User Access Administrator role.

Free AWS Courses

The option that says: Assign the Security Reader role is incorrect because this role only allows the user to view permissions in the Security Center.

The option that says: Assign the Virtual Machine Contributor role is incorrect because this role just lets you manage virtual machines. Take note that this role doesn’t allow you to access virtual machines directly nor assign a Reader role to all the users in the subscription.

The option that says: Assign the Security Admin role is incorrect. This role has the same permissions as the Security Reader role. The only difference is that it can update the security policy and dismiss alerts and recommendations.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator

Check out this Azure RBAC Cheat Sheet:

https://tutorialsdojo.com/azure-role-based-access-control-rbac/

Microsoft Entra ID vs Role-Based Access Control (RBAC):

https://tutorialsdojo.com/microsoft-entra-id-vs-role-based-access-control-rbac/

Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Microsoft Azure Practice Exams Tutorials Dojo

Azure RBAC Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?