Chapter 10 of 21
Identity-Based Access Control: RBAC and Basic Security Concepts
Connect identities to permissions by seeing how role-based access control and related concepts govern who can do what inside Azure.
Big Picture: From Identity to Access in Azure
From Identity to Permissions
You already met Microsoft Entra ID as the identity system behind Azure sign-ins. Now we connect identities to permissions: who can do what to which resources.
Canonical RBAC Definition
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Key Pieces of the Definition
RBAC is an authorization system on Azure Resource Manager, gives fine-grained permissions, and works by assigning roles to users, groups, and service principals.
Microsoft Entra ID Reminder
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
What You Will Learn
You will distinguish authentication vs authorization, see how roles and scopes work, map scopes to resources, resource groups, and subscriptions, and spot exam scenarios where RBAC is the right answer.
Authentication vs Authorization in Azure
Two Core Questions
Authentication asks: Who are you? Authorization asks: What are you allowed to do? Azure uses both for secure access.
Authentication in Azure
Microsoft Entra ID authenticates users, guests, and service principals: checking credentials, MFA, and Conditional Access policies when you sign in to the Azure portal or call Azure APIs.
Authorization in Azure
After sign-in, Azure Resource Manager uses RBAC to decide which actions your identity can perform on which Azure resources.
Division of Responsibilities
Think: Entra ID = identity and sign-in, RBAC = permissions on Azure resources. They work together, not instead of each other.
Exam Tip
Questions about MFA or SSO → Entra ID (authentication). Questions about who can manage or read a resource → RBAC (authorization).
Azure Resource Hierarchy and RBAC Scopes
What Is Scope?
Scope answers: Where does this permission apply? In Azure, RBAC scopes match the resource hierarchy: subscription, resource group, resource. (Azure also has a management group scope above subscriptions; this chapter focuses on the three levels below it.)
Three Key Levels
Subscription → contains resource groups. Resource group → contains related resources. Resource → a specific VM, storage account, web app, etc.
Assigning at Different Scopes
Assign a role at subscription scope → it applies to all resource groups and resources. At resource group scope → to all resources in that group. At resource scope → only that resource.
Inheritance
Permissions inherit downwards. A role at subscription level flows to all child groups and resources. A role at a resource group flows to all resources in that group.
Folder Analogy
Think of a subscription as a top folder, groups as subfolders, and resources as files. Access at the top folder flows down, and a child scope cannot remove an inherited role, so grant roles at broad scopes sparingly.
Inside an RBAC Role Assignment: Identity, Role, Scope
Three Parts of a Role Assignment
Every RBAC role assignment connects: 1) a security principal (identity), 2) a role definition, and 3) a scope (subscription, resource group, or resource).
Security Principals
Security principals can be users, groups, or service principals (identities for apps and automation in Microsoft Entra ID).
Role Definitions
A role definition is a named set of permissions (for example, Reader, Contributor, Owner). It defines which Azure Resource Manager actions are allowed.
Scope Recap
Scope says where the role applies: at the level of a subscription, a resource group, or a single resource. Permissions inherit downwards.
Assignment as a Sentence
Think: "Give this identity this role at this scope." Example: DevOps-Team group gets Contributor on rg-webapps resource group.
Real-World Scenarios: Choosing the Right Scope
Scenario 1: Finance Storage
Alice must read and write blobs in `stfinancedata` but not touch other resources in `rg-finance`. Which scope best fits least privilege?
Scenario 1: Good Answer
Assign a storage data role such as Storage Blob Data Contributor at the `stfinancedata` storage account scope. This limits Alice to blob data in that single account. Reading and writing blobs are data-plane operations, which management roles such as Reader or Contributor do not grant on their own.
Scenario 2: WebOps Team
WebOps must manage all web apps across several resource groups (`rg-web-europe`, `rg-web-us`, `rg-web-test`). They do not manage billing or policies.
Scenario 2: Scope Options
You can assign Contributor at subscription scope (if it is a web-only subscription) or at each web-focused resource group if the subscription hosts mixed workloads. Contributor covers every resource type, so a tighter fit for "manage web apps only" is the Website Contributor built-in role at those resource groups.
Key Takeaway
Always choose the narrowest scope that still meets the requirement. Exam questions often test this least-privilege thinking.
Built-in Roles vs Custom Roles (High Level)
Built-in vs Custom Roles
Azure RBAC provides many built-in roles and also supports custom roles when built-ins do not match your needs.
Key Built-in Roles
Owner (full control, can delegate), Contributor (manage resources, not access), Reader (view only), User Access Administrator (manage access).
Service-Specific Built-ins
There are roles tailored to services (for example, Storage Blob Data Reader), but AZ-900 focuses on understanding the concept, not memorizing them all.
What Are Custom Roles?
Custom roles are JSON-defined permission sets created when built-in roles are too broad or narrow. They list allowed Azure Resource Manager actions.
Exam Clues
If built-in roles meet the needs → use them. If the scenario explicitly says built-ins are not sufficient → consider a custom role.
How Microsoft Entra ID Identities Connect to Azure RBAC
Where Identities Live
Users, groups, and service principals are created in Microsoft Entra ID. These are the security principals RBAC uses.
From Sign-in to Permissions
First, Entra ID authenticates the principal. Then Azure Resource Manager uses RBAC role assignments to authorize actions on resources.
How ARM Decides
When you attempt an action, ARM checks every role assignment that applies to you (directly or through a group) at that scope or any parent scope. A role allows the operation if it matches one of the role's Actions and none of its NotActions; deny assignments, where present, are evaluated first and override any allow.
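The following added example (not code from this course or from Azure) models the decision just described as a small Python evaluator. It covers the three parts of a role assignment (principal, role, scope), scope inheritance down ARM resource IDs, group membership, the custom-role JSON shape from later in this chapter, the control-plane/data-plane split, and deny assignments taking precedence. Role definitions are abridged versions of the real built-ins; the subscription GUID, the users, the resources and the custom role are all made up.

```python
"""Toy model of how Azure Resource Manager evaluates an Azure RBAC request.

Added illustration, not Azure's code. It models the rules the chapter states: a role
permits an operation matched by its Actions and not by its NotActions; assignments
inherit down the scope hierarchy; group assignments apply to members; deny assignments
are checked first and win; data-plane operations need DataActions. Role definitions
are abridged, and every name and the subscription GUID below are made up.
"""
import fnmatch
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # made-up subscription ID
RG_FIN = SUB + "/resourceGroups/rg-finance"
ST_FIN = RG_FIN + "/providers/Microsoft.Storage/storageAccounts/stfinancedata"
RG_WEB = SUB + "/resourceGroups/rg-web-europe"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM2 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-02"

# Abridged built-in roles; the real definitions list more operations.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"]},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*"]},
    "Virtual Machine Contributor": {"Actions": ["Microsoft.Compute/virtualMachines/*"]},
    "Storage Blob Data Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"]},
}

# A hypothetical custom role, in the JSON shape the Azure CLI accepts for role definitions.
CUSTOM_ROLE_JSON = """{
  "Name": "Storage Key Reader (hypothetical)",
  "IsCustom": true,
  "Description": "Read storage accounts and list their access keys; nothing else.",
  "Actions": ["Microsoft.Storage/storageAccounts/read",
              "Microsoft.Storage/storageAccounts/listKeys/action"],
  "NotActions": [],
  "AssignableScopes": ["%s"]
}""" % SUB
custom_role = json.loads(CUSTOM_ROLE_JSON)
ROLE_DEFINITIONS[custom_role["Name"]] = custom_role

def scope_covers(assigned_scope, target_scope):
    """An assignment applies at its own scope and at every child scope (inheritance)."""
    a, t = assigned_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")

def matches_any(patterns, operation):
    """Operation strings are case-insensitive and '*' matches across '/' segments."""
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role, operation, data_plane):
    """Permitted if matched by (Data)Actions and not excluded by Not(Data)Actions."""
    allow = role.get("DataActions" if data_plane else "Actions", [])
    deny = role.get("NotDataActions" if data_plane else "NotActions", [])
    return matches_any(allow, operation) and not matches_any(deny, operation)

def is_authorized(env, principal, operation, target_scope, data_plane=False):
    """env is a toy tenant: {"groups": {group: {members}},
    "assignments": [(principal, role, scope)], "denies": [(principal, [patterns], scope)]}."""
    ids = {principal} | {g for g, m in env.get("groups", {}).items() if principal in m}
    # Deny assignments are evaluated first and override any role that would allow the operation.
    for who, patterns, scope in env.get("denies", []):
        if who in ids and scope_covers(scope, target_scope) and matches_any(patterns, operation):
            return False
    # Otherwise one permitting assignment at the target scope or any parent scope is enough.
    for who, role_name, scope in env["assignments"]:
        if who in ids and scope_covers(scope, target_scope) \
                and role_permits(ROLE_DEFINITIONS[role_name], operation, data_plane):
            return True
    return False

# Constructed tenant state mirroring the chapter's scenarios.
ENV = {
    "groups": {"DevOps-Team": {"dana"}},
    "assignments": [
        ("sam", "Reader", SUB),                              # intern: read-only, whole subscription
        ("alice", "Storage Blob Data Contributor", ST_FIN),  # blobs in one storage account only
        ("dev1", "Virtual Machine Contributor", VM1),        # one VM, resource scope
        ("DevOps-Team", "Contributor", RG_WEB),              # group assignment, inherited by members
        ("secops", "User Access Administrator", SUB),        # manages access, not resources
        ("keyops", custom_role["Name"], RG_FIN),             # the custom role defined above
    ],
    "denies": [("sam", ["Microsoft.KeyVault/*"], SUB)],      # a deny assignment overrides Reader
}

if __name__ == "__main__":
    for who, op, scope in [("sam", "Microsoft.Compute/virtualMachines/delete", VM2),
                           ("dev1", "Microsoft.Compute/virtualMachines/restart/action", VM2),
                           ("dana", "Microsoft.Authorization/roleAssignments/write", RG_WEB)]:
        print(who, op, "->", is_authorized(ENV, who, op, scope))
```

Two results worth noticing when you run it: Sam's Reader role does not let him read blob contents (Reader has no DataActions), and Dana, a Contributor through her group, cannot write role assignments because Contributor's NotActions carve `Microsoft.Authorization/*/Write` out of its `*`. Real Azure also evaluates Entra ID conditions and attribute-based conditions on assignments, which this toy leaves out.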
Entra ID Roles vs Azure RBAC Roles
Entra ID roles manage identity and directory tasks. Azure RBAC roles manage access to Azure resources like VMs and storage.
Exam Trap Reminder
Managing users or licenses → Entra ID roles. Managing VMs or resource groups → Azure RBAC. Same identities, different admin domains.
Thought Exercise: Picking Roles and Scopes
Apply what you have learned by designing role assignments for three mini-scenarios. Think first, then compare with the suggested answers.
Scenario A: Intern with read-only access
- You have a subscription `Sub-Prod` with many resource groups.
- An intern, Sam, needs read-only access to all resources in this subscription for a month.
Questions:
- Which role would you choose?
- At what scope would you assign it?
Suggested answer:
- Reader role.
- Subscription scope for `Sub-Prod`, so Sam can read everything but not change anything.
Scenario B: Storage admin for one department
- Resource group: `rg-marketing`
- Contains a storage account and a web app.
- User Priya should fully manage only the storage account, not the web app.
Questions:
- Which scope is appropriate?
- Would you choose a built-in or custom role first?
Suggested answer:
- Resource scope: assign a storage-related role at the storage account level.
- Start with built-in roles. Contributor at the storage account resource scope lets Priya manage the account itself (control plane). If she must also read and write the data inside it, add a data role such as Storage Blob Data Contributor at the same scope, since Contributor carries no data-plane permissions by itself. Be aware that Contributor can list the account's access keys, which give full data access, so treat Contributor on a storage account as effectively granting data access too. Use a custom role only if built-in roles do not meet requirements.
Scenario C: Central security team
- Security team must be able to grant and revoke access to any resource in the subscription, but not necessarily manage the resources themselves.
Questions:
- Which built-in role fits this requirement best?
- At what scope?
Suggested answer:
- User Access Administrator.
- At subscription scope, so they can manage role assignments across all resource groups and resources, focusing on access rather than resource configuration.
Quick Check 1: RBAC Basics
Test your understanding of RBAC fundamentals and scopes.
You need to allow a developer to manage only one specific virtual machine in a resource group, without affecting other resources. What is the BEST way to grant this access following least privilege?
- Assign the Contributor role to the developer at the subscription scope.
- Assign the Owner role to the developer at the resource group scope.
- Assign a virtual machine-specific built-in role (such as Virtual Machine Contributor) to the developer at that VM's resource scope.
- Add the developer to the Global Administrator role in Microsoft Entra ID.
Show Answer
Answer: C) Assign a virtual machine-specific built-in role (such as Virtual Machine Contributor) to the developer at that VM's resource scope.
Least privilege means granting only the permissions needed at the narrowest scope. Assigning a VM-specific built-in role (like Virtual Machine Contributor) at the **resource scope** of that VM lets the developer manage that VM only. Subscription or resource group scopes are too broad, and Global Administrator is an Entra ID directory role, not an Azure RBAC role for VM management.
Quick Check 2: Authentication vs Authorization
Decide which service or concept is being described.
A user successfully signs in to the Azure portal using MFA, but then sees an error when trying to delete a storage account: 'You do not have permission to perform this action.' Which statement best explains what is happening?
- Authentication failed in Microsoft Entra ID.
- Authorization failed because the user's RBAC role assignments do not allow deleting the storage account.
- The user is not part of any Microsoft Entra ID tenant.
- Azure Policy is blocking sign-in to the portal.
Show Answer
Answer: B) Authorization failed because the user's RBAC role assignments do not allow deleting the storage account.
The user successfully authenticated (sign-in + MFA) with Microsoft Entra ID, so identity is verified. The error occurs when performing an action on a resource. This is an **authorization** issue: their RBAC role assignments at the relevant scope do not include delete permissions for that storage account.
Flashcards: Key RBAC and Identity Terms
Use these flashcards to reinforce the most important definitions and relationships.
- Microsoft Entra ID (canonical definition)
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Role-based access control (RBAC) (canonical definition)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Authentication vs Authorization
- Authentication verifies identity (who you are), typically handled by Microsoft Entra ID. Authorization decides what you are allowed to do with resources, typically enforced by Azure RBAC via role assignments.
- RBAC Scope Levels (AZ-900 focus)
- Subscription (top-level container for resources and billing), Resource group (logical container for related resources), Resource (individual service instance like a VM or storage account). Role assignments can be made at any of these scopes.
- Permission Inheritance in RBAC
- Role assignments at a higher scope (for example, subscription) are inherited by all child scopes (resource groups and resources) beneath it.
- Built-in Role: Owner
- Owner has full access to all resources at the assigned scope, including the ability to delegate access by managing role assignments.
- Built-in Role: Contributor
- Contributor can create and manage all types of Azure resources at the assigned scope but cannot grant access to others.
- Built-in Role: Reader
- Reader can view existing resources at the assigned scope but cannot change or delete them.
- Built-in Role: User Access Administrator
- User Access Administrator can manage user access (RBAC role assignments) to Azure resources at the assigned scope, focusing on access rather than resource configuration.
- Custom Roles in Azure RBAC
- Custom roles are user-defined roles where you specify allowed Azure Resource Manager actions in JSON. They are used when built-in roles are too broad or too narrow.
- Security Principal
- An identity that can be assigned permissions in RBAC: a user, a group, or a service principal in Microsoft Entra ID.
RBAC vs Azure Policy and Next Steps in Your AZ-900 Path
Azure Policy: Canonical Definition
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
RBAC vs Azure Policy
RBAC controls who can do what. Azure Policy controls what configurations are allowed. RBAC is about permissions; Policy is about compliance and standards.
Working Together
RBAC might let you create a VM, but Azure Policy can still block that VM if it violates rules (for example, wrong region or missing tags).
Exam Heuristic
Questions about roles and access → RBAC. Questions about enforcing allowed locations, SKUs, or tags → Azure Policy.
Your Next Steps
Use Skarp’s diagnostic, mock exams, and spaced review to reinforce these RBAC and identity concepts before moving deeper into Azure governance and security.
Key Terms
- Scope
- The level in the Azure hierarchy (subscription, resource group, or resource) where an RBAC role assignment applies. Permissions inherit to child scopes.
- Resource
- An individual Azure service instance, such as a virtual machine, storage account, or web app. RBAC roles can be assigned directly at this scope.
- Custom role
- A user-defined role in Azure RBAC that specifies a custom set of allowed actions over Azure Resource Manager operations, used when built-in roles are insufficient.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Subscription
- A logical container for Azure resources, billing, and access control. RBAC roles can be assigned at this scope and inherited by all child resource groups and resources.
- Authorization
- The process of determining what actions an authenticated identity is allowed to perform on resources, typically enforced by Azure RBAC.
- Built-in role
- A predefined role in Azure RBAC provided and maintained by Microsoft, such as Owner, Contributor, Reader, and User Access Administrator.
- Authentication
- The process of verifying the identity of a user or service, typically handled by Microsoft Entra ID in Azure.
- Resource group
- A logical container that holds related Azure resources for an application or workload. RBAC roles can be assigned at this scope and inherited by resources within the group.
- Least privilege
- A security principle where users and applications are granted only the minimum permissions necessary to perform their required tasks, often implemented through carefully scoped RBAC role assignments.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Security principal
- An identity that can be granted access in Azure RBAC, including users, groups, and service principals from Microsoft Entra ID.
- Role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.