Azure Role-Based Access Control (RBAC)

 

• A role-based access control service to manage user’s access to Azure resources including what they can do with those resources and what areas they can access.
• It is an authorization system based on Azure Resource Manager, which provides fine-grained access management of Azure resources.

Concepts

• A role assignment is composed of security principal, role definition, and scope.
  • Security Principal – an object representing a user, group, service principal, and managed identity that requests access to Azure resources.
  • Role Definition – a list of permissions that can be performed, such as read, write and delete.
  • Scope – set of resources to which access applies.
• Attaching a role definition to a user, group, service principal, and managed identity to grant access to a particular scope is called role assignment.
• You can attach multiple role assignments since RBAC is an additive model.
• Azure RBAC supports both allow and deny assignments.

Roles

• Classic subscription administrator roles have full access to an Azure subscription.
  • Account Administrator
    • You can only have 1 Account Administrator per Azure account.
    • This role is the billing owner of the Azure subscription.
    • It can manage subscriptions and billings in the account.
    • Create and cancel subscriptions.
  • Service Administrator
    • For this role, you can only have 1 Service Administrator per Azure subscription.
    • For new subscriptions, the Account Administrator is also the Service Administrator. This role has full access to the Azure portal.
    • It can assign users with a Co-Administrator role.
  • Co-Administrator
    • You can only create 200 Co-Administrator per Azure subscription.
    • This role has the same privileges as the Service Administrator, but it can’t change the association of subscriptions to Azure directories.
    • A user with this role can only assign a Co-Administrator role to other users.

• Azure Roles – Azure RBAC has over 70 built-in roles. The following are the four fundamental Azure roles:
  • Owner 
    • Full access to all Azure resources.
    • Delegate access to other users.
  • Contributor
    • Create and manage all types of resources in Azure.
    • The role can create a new tenant in Azure AD.
    • It cannot grant access to other users.
  • Reader
    • A user with this role can only view Azure resources.
  • User Access Administrator
    • It has permissions to manage user access to all types of resources.
• Azure AD Roles – Provide access to manage Azure AD resources in a directory such as create users, assign administrative roles to others, manage licenses, reset passwords, and manage domains.
  • Global Administrator
    • This role can manage access to all the administrative features in Azure AD.
    • It can assign administrator roles to the users in your organization.
    • Reset the password of users and administrators in the account.
  • User Administrator
    • Create and manage different types of users and groups in Azure.
    • Manage support tickets and monitor service health.
    • This role can only change the passwords of users and administrators.
  • Billing Administrator
    • Make purchases in Azure.
    • The role can also monitor service health.
    • Manage subscriptions and support tickets.

Azure Roles	Azure AD Roles
Manage access to Azure resources.	Manage access to Azure Active Directory (Active AD) resources.
It supports custom roles.	It supports custom roles.
The scope can be specified at multiple levels (management group, subscription, resource group, resource).	The scope is only at the tenant level.
Role information can be accessed through Azure Portal, CLI, PowerShell, Resource Manager templates, and REST APIs.	Role information can be accessed through Azure Admin Portal, Microsoft 365 Admin Center, Microsoft Graph, and Azure AD PowerShell.