Azure Role-Based Access Control (RBAC) is the system that Azure uses to manage access to Azure resources. To administer permissions, it uses the concept of “roles”. A role defines the operations that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or as specific as Virtual Machine Contributor.
For example, the “Owner” role has full access to all resources, including the right to delegate access to others. “Contributor” can create and manage all types of Azure resources but can’t grant access to others. On the other hand, the “Reader” role can only view existing Azure resources.
Here is a simple comparison of the common roles and their permissions.
| Role | Read | Write | Delete | List Keys |
|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes |
| Contributor | Yes | Yes | Yes | No |
| Reader | Yes | No | No | No |
Azure provides more than just these three roles. There are over 70 built-in roles, and you also have the option to create custom roles if none of the built-in roles meet your specific needs.
Analyzing Azure Role Permissions
Understanding each role and its permissions is key to managing access to your Azure resources. You should be able to determine what actions each role can perform and what they cannot. The Azure portal provides an intuitive interface to explore these roles and their permissions.
Here’s how to view the permissions of a role:
- In the Azure portal, search for “Azure Active Directory”.
- Under “Manage”, click on “Roles and administrators”.
- Select the role you are interested in, for example “Owner”.
- In the Owner pane, click “Permissions” to see the permissions associated with the role.
Further, you can view the effective permissions of a user to determine what actions a user can perform on a resource. This is done through “Check access” in Azure roles.
Managing Azure Role Permissions
Beyond analyzing Azure role permissions, the SC-300 exam also focuses on how to manage these permissions for various identities, including users, groups, and apps. Azure provides several ways to manage role assignments: the Azure portal, Azure CLI, Azure PowerShell, or programmatically via the Azure SDKs.
For example, here’s how to assign a role using Azure CLI:
az role assignment create \
  --assignee "<user@example.com>" \
  --role "Owner" \
  --scope "/subscriptions/<subscription-id>"
In this example, we create a new role assignment for the user identified by their email address (the placeholder `<user@example.com>`), assign them the “Owner” role, and limit this assignment to the subscription given in `--scope` (the placeholder `<subscription-id>`).
Conclusion
Azure role-based access control is crucial in securing your Azure resources. It’s important to understand the various roles available, what permissions they grant, and how to assign those roles to users, groups, and apps. Studying and understanding Azure role permissions is, therefore, a pivotal part of preparing for the SC-300 Microsoft Identity and Access Administrator exam.
Practice Test
True or False: Azure role-based access control (RBAC) is a system that provides fine-grained access management of resources in Azure.
- True
- False
Answer: True
Explanation: Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure.
The following permission levels are available in Azure roles: List, Check, Save, Delete.
- True
- False
Answer: False
Explanation: Azure roles operate with the following action types: Read, Write, Delete, and List. Check and Save are not Azure permission levels.
Which of the following can be assigned Azure roles?
- A. Users
- B. Groups
- C. Service principals
- D. All of the above
Answer: D. All of the above
Explanation: Azure roles can be assigned to users, groups, service principals, and managed identities for Azure resources.
True or False: It is possible to customize Azure roles.
- True
- False
Answer: True
Explanation: Azure allows you to customize roles to meet the specific needs of your organization. This might be necessary when the built-in roles don’t meet your specific needs.
What is the scope of Azure RBAC?
- A. Subscription
- B. Resource group
- C. Individual resources within the resource group
- D. All of the above
Answer: D. All of the above
Explanation: The scope of Azure RBAC can be a subscription, a resource group, or individual resources within the resource group.
True or False: Azure RBAC is all about allowing users to do everything they want.
- True
- False
Answer: False
Explanation: Azure RBAC is all about providing users exactly the permissions that they need to perform their jobs and not more.
Owner, Contributor and Reader are part of Azure’s portfolio of built-in roles.
- A. True
- B. False
Answer: A. True
Explanation: Owner, Contributor and Reader are some of the built-in roles provided in Azure.
Who can assign roles in Azure?
- A. Members in the Owner role
- B. Members in the User Access Administrator role
- C. Both A and B
Answer: C. Both A and B
Explanation: Both Owners and User Access Administrators have permissions to assign roles in Azure.
True or False: Azure RBAC uses deny assignments to explicitly deny access to Azure resources.
- True
- False
Answer: True
Explanation: Azure RBAC uses deny assignments to explicitly block users from performing specific actions even if a role assignment grants them access to the actions.
A role assignment in Azure RBAC comprises:
- A. Security Principal
- B. Resource Group
- C. Role Definition
- D. All of the above
Answer: D. All of the above
Explanation: A role assignment in Azure RBAC has three elements: security principal, role definition, and scope.
Azure custom roles can be created and managed using:
- A. Azure portal
- B. PowerShell
- C. REST APIs
- D. All of the above
Answer: D. All of the above
Explanation: Azure custom roles can be created and managed using Azure portal, PowerShell and REST APIs.
True or False: Azure RBAC has over 70 built-in roles.
- True
- False
Answer: True
Explanation: Azure RBAC has more than 70 built-in roles that you can assign to users, groups, service principals, and managed identities.
A person with the role of ‘Guest inviter’ can add or delete users from the Azure organization.
- A. True
- B. False
Answer: B. False
Explanation: A person with the role of ‘Guest inviter’ can only invite guests and cannot delete users from the organization.
In Azure RBAC, scope is the boundary that the access applies to.
- A. True
- B. False
Answer: A. True
Explanation: In Azure RBAC, scope is the boundary that the access applies to.
Only one role can be assigned to a user or a group in Azure.
- A. True
- B. False
Answer: B. False
Explanation: Multiple roles can be assigned to a user or a group, each potentially with different scopes.
Interview Questions
What is Azure Role-Based Access Control (RBAC)?
Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management to Azure resources.
Can we create custom roles in Azure RBAC?
Yes, we can create and configure custom roles in Azure RBAC to meet the specific needs of an organization.
How does Azure RBAC help in managing access permissions?
Azure RBAC helps in managing permissions by allowing you to grant access to Azure resources at a fine granularity.
What are the fundamental elements of Azure RBAC?
The fundamental elements of Azure RBAC are roles, which define the permissions to be granted, and the scope, which defines the set of resources that the permissions apply to.
How many built-in roles does Azure RBAC present by default?
Azure RBAC offers over 70 built-in roles by default.
Name some of the common built-in roles in Azure RBAC.
Some common built-in roles in Azure RBAC are Owner, Contributor, Reader, and User Access Administrator.
What permissions does the ‘Owner’ role have in Azure RBAC?
The ‘Owner’ role in Azure RBAC has full access to all resources including the right to delegate access permissions to others.
What function does the ‘Reader’ role provide in Azure RBAC?
The ‘Reader’ role in Azure RBAC allows users to view existing Azure resources.
What is the role of the ‘Contributor’ in Azure RBAC?
Contributors in Azure RBAC can create and manage all types of Azure resources, but they do not have permission to grant access to other users.
Can we assign multiple roles to a single user in Azure RBAC?
Yes, a single user can be assigned multiple roles in Azure RBAC.
Where can you assign Azure RBAC roles?
Azure RBAC roles can be assigned at different scopes such as Management Group, Subscription, Resource Group, or Individual Resources.
What does the ‘User Access Administrator’ role allow you to do in Azure RBAC?
The ‘User Access Administrator’ role in Azure RBAC allows you to manage user access to Azure resources.
What does ‘NotActions’ permission mean in Azure RBAC?
The ‘NotActions’ permission in Azure RBAC is a setting that specifies what actions are specifically denied, serving as an exception to actions included in the ‘Actions’ permission.
What is the principle of least privilege (PoLP) in Azure RBAC?
The principle of least privilege (PoLP) in Azure RBAC refers to the practice of providing only the permissions that a user or application needs to perform its tasks — no more, no less.
What does ‘Actions’ permission mean in Azure RBAC?
The ‘Actions’ permission in Azure RBAC is a list of operations that are allowed with the given role.
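To tie together the pieces covered above (a role assignment as security principal plus role definition plus scope, scope inheritance from subscription down to resource, Actions narrowed by NotActions, several assignments combined for one principal, and deny assignments overriding any grant), here is an added Python model of how an access check resolves. It is example code written for this page, not Microsoft’s implementation and not an Azure SDK call; the Owner, Contributor, Reader and User Access Administrator definitions are abridged renderings of the built-in roles (the real definitions list more entries), and the principal names, subscription ID, resource paths, deny assignment and the “VM Operator” custom role are constructed sample values.

```python
"""Added example: a small model of Azure RBAC access evaluation.
Not Microsoft's code; it follows the rules the study notes state above.
Scopes, principals, the deny assignment and 'VM Operator' are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # operations the role allows; '*' is a wildcard
    not_actions: tuple = ()   # exceptions carved out of actions (not a deny)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str            # user, group, service principal or managed identity
    role: str                 # name of a RoleDefinition
    scope: str                # management group, subscription, resource group or resource


@dataclass(frozen=True)
class DenyAssignment:
    principals: tuple
    actions: tuple
    scope: str


# Abridged built-in roles plus a constructed custom role limited to
# reading, starting and restarting virtual machines.
ROLES = {
    "Owner": RoleDefinition("Owner", ("*",)),
    "Contributor": RoleDefinition(
        "Contributor", ("*",),
        not_actions=("Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/*/Delete",
                     "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator", ("*/read", "Microsoft.Authorization/*")),
    "VM Operator": RoleDefinition(            # custom role, constructed here
        "VM Operator", ("Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Compute/virtualMachines/start/action",
                        "Microsoft.Compute/virtualMachines/restart/action")),
}

# Constructed sample scopes: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
OTHER_RG = SUB + "/resourceGroups/rg-other"

ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),
    RoleAssignment("bob", "Reader", SUB),              # broad read access ...
    RoleAssignment("bob", "Contributor", RG),          # ... plus write in one RG
    RoleAssignment("carol", "User Access Administrator", RG),
    RoleAssignment("dave", "VM Operator", VM),
]
DENIES = [
    # Blocks deletion of this one VM even for the subscription Owner.
    DenyAssignment(principals=("alice",),
                   actions=("Microsoft.Compute/virtualMachines/delete",),
                   scope=VM),
]


def action_matches(pattern, action):
    """Action strings are compared case-insensitively; '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope, target):
    """An assignment applies at its own scope and everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role, action):
    """Actions minus NotActions: NotActions narrow the role, they never deny."""
    allowed = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def check_access(principal, action, scope, assignments=ASSIGNMENTS,
                 denies=DENIES, roles=ROLES):
    """Return (allowed, reason) for one principal/action/scope triple."""
    for d in denies:   # deny assignments are evaluated first and always win
        if (principal in d.principals and scope_covers(d.scope, scope)
                and any(action_matches(p, action) for p in d.actions)):
            return False, f"deny assignment at {d.scope}"
    for a in assignments:   # any single granting assignment is enough
        if (a.principal == principal and scope_covers(a.scope, scope)
                and role_permits(roles[a.role], action)):
            return True, f"{a.role} assigned at {a.scope}"
    return False, "no role assignment grants this action"


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM),
        ("bob", "Microsoft.Compute/virtualMachines/write", OTHER_RG),
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG),
        ("carol", "Microsoft.Authorization/roleAssignments/write", RG),
        ("dave", "Microsoft.Compute/virtualMachines/delete", VM),
    ]
    for who, what, where in checks:
        ok, why = check_access(who, what, where)
        print(f"{who:6} {what:48} {'ALLOW' if ok else 'DENY':5} ({why})")
```

Running the script prints one line per check. The points worth noticing are that Bob's Contributor assignment at `rg-app` does not reach `rg-other`, that Contributor cannot write role assignments because NotActions removes `Microsoft.Authorization/*/Write` from its wildcard grant while User Access Administrator can, and that the deny assignment stops Alice deleting the VM even though Owner at the subscription would otherwise allow it.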