Chapter 12 of 20
Access Control and Security: RBAC, Zero Trust, and Defender for Cloud
Tighten the screws on Azure security by learning how RBAC, Zero Trust principles, and Microsoft Defender for Cloud work together to protect your environment.
Big Picture: Identities, Access, and Azure Security
Connecting Identity and Access
Microsoft Entra ID handles who you are (authentication). Azure RBAC and security tools handle what you can do (authorization and protection) on Azure resources.
Three Big Ideas for AZ-900
This module focuses on: 1) Role-based access control (RBAC), 2) Zero Trust and defense-in-depth, and 3) Microsoft Defender for Cloud for posture and threat protection.
End-to-End Flow
User/app signs in with Entra ID, Azure checks RBAC to allow actions, Zero Trust guides how access is designed, and Defender for Cloud continuously analyzes and hardens your environment.
Shared Responsibility Context
Under the shared responsibility model, Microsoft secures the cloud platform; you use tools like RBAC and Defender for Cloud to secure your identities, data, and configurations.
RBAC: Canonical Definition and Core Concepts
Canonical RBAC Definition
Memorize this: "Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals."
What RBAC Actually Does
RBAC answers: after sign-in, which operations can this identity perform on which Azure resources? It is part of the management plane of Azure Resource Manager.
Fine-Grained Access
Instead of granting full admin rights, RBAC lets you allow only specific actions, such as read-only access, starting and stopping VMs, or managing networking without being able to delete resources.
Who Gets Roles
RBAC roles are assigned to users, groups, and service principals. Groups and service principals are key for scalable, automated access control in real environments.
Roles and Scopes: How RBAC Actually Controls Access
Role + Scope = Effective Access
RBAC always needs both: a role (what actions are allowed) and a scope (where those actions apply). Together they define effective permissions.
Common Scopes for AZ-900
Key scopes: 1) Subscription (broadest), 2) Resource group (container of related resources), 3) Resource (single VM, storage account, etc.).
Inheritance of Permissions
Permissions assigned at higher scopes flow down: subscription → all resource groups → all resources; resource group → its resources only; resource → that resource only.
Exam Pattern: Narrow the Scope
If a user should only manage one app or one set of resources, assign roles at the resource group or resource level, not at the subscription level.
Visualizing RBAC: A Simple Company Scenario
Company Layout in Azure
One subscription (Prod-Sub) with two resource groups: RG-Web for web components and RG-Data for storage and databases. Three users need different access.
Assigning Roles by Scope
Sara gets Owner at the subscription (full control). Devon gets Contributor at RG-Web. Mia gets Reader at RG-Data. Each assignment uses the narrowest scope needed.
Visual Description
Picture a large rectangle (subscription) containing two smaller ones (resource groups). Sara’s access covers everything; Devon’s covers only RG-Web; Mia’s only RG-Data, read-only.
Spot the Over-Permission
If Devon had Contributor at the subscription scope, he could change RG-Data too. That breaks least privilege and is the wrong answer in an exam scenario.
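To make the role-plus-scope rule and inheritance concrete, here is an added worked example (not part of the original chapter or of Azure's own implementation) that models the company scenario above as ARM-style scope IDs and simplified built-in roles. The scope IDs, the `Prod-Sub` identifier and the trimmed Actions/NotActions lists are constructed for illustration; real role definitions are longer and real evaluation also considers deny assignments.

```python
"""Toy model of Azure RBAC evaluation: a role says which actions are allowed,
a scope says where, and assignments at a higher scope inherit downwards."""
from fnmatch import fnmatchcase  # wildcard matching, like "*/read" in role definitions

# Constructed scope IDs following the ARM hierarchy (subscription -> resource group -> resource).
SUB = "/subscriptions/Prod-Sub"
RG_WEB = f"{SUB}/resourceGroups/RG-Web"
RG_DATA = f"{SUB}/resourceGroups/RG-Data"
WEB_VM = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/web-vm1"
DB = f"{RG_DATA}/providers/Microsoft.Sql/servers/sql1/databases/db1"

# Simplified built-in roles. Contributor's NotActions bar it from managing role
# assignments, which is what makes it weaker than Owner.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Role assignments from the scenario: (principal, role, scope), each at the narrowest useful scope.
ASSIGNMENTS = [("sara", "Owner", SUB),
               ("devon", "Contributor", RG_WEB),
               ("mia", "Reader", RG_DATA)]

def in_scope(assignment_scope: str, resource: str) -> bool:
    """Inheritance: an assignment covers a resource if its scope is the resource or an ancestor of it."""
    return resource == assignment_scope or resource.startswith(assignment_scope + "/")

def role_allows(role: str, action: str) -> bool:
    """An action is permitted when some Actions pattern matches and no NotActions pattern matches."""
    r = ROLES[role]
    matches = lambda patterns: any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return matches(r["actions"]) and not matches(r["not_actions"])

def is_allowed(principal: str, action: str, resource: str, assignments=ASSIGNMENTS) -> bool:
    """Effective access = any assignment for this principal whose role allows the action at a covering scope."""
    return any(p == principal and in_scope(s, resource) and role_allows(role, action)
               for p, role, s in assignments)

def writable_groups(principal: str, assignments=ASSIGNMENTS) -> list:
    """Least-privilege check: which resource groups can this principal modify?"""
    write = "Microsoft.Resources/subscriptions/resourceGroups/write"
    return sorted(rg for rg in (RG_WEB, RG_DATA) if is_allowed(principal, write, rg, assignments))

if __name__ == "__main__":
    print("Devon (Contributor at RG-Web) can write:", writable_groups("devon"))
    over_permissioned = [("devon", "Contributor", SUB)]  # the mistake described above
    print("Devon (Contributor at subscription) can write:", writable_groups("devon", over_permissioned))
```

Running the script shows Devon reaching only RG-Web with the correct assignment, but both resource groups when Contributor is granted at the subscription scope.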
Zero Trust and Defense-in-Depth: How They Guide RBAC
Zero Trust Basics
Zero Trust assumes breach and never trusts by default. It emphasizes verifying explicitly, using least privilege, and designing as if attackers are already inside.
Defense-in-Depth Layers
Defense-in-depth uses multiple layers: identity, network, compute, data, and monitoring. If one layer fails, others still protect your environment.
Zero Trust Applied to RBAC
Least privilege in RBAC means avoiding overly broad roles and scopes, and giving only the permissions necessary for each job role and task.
Exam Decision Pattern
When answers differ by how broad the access is, choose the option that gives just enough access at the narrowest scope that still meets the business need.
Microsoft Defender for Cloud: Purpose and Capabilities
What Defender for Cloud Is
Microsoft Defender for Cloud is Azure’s main service for cloud security posture management and workload protection across your resources and clouds.
Key Capabilities
It assesses security posture, provides hardening recommendations, calculates a secure score, and detects threats when Defender plans are enabled.
Relationship to RBAC and Zero Trust
RBAC sets who can do what; Zero Trust guides design; Defender for Cloud checks whether your configurations match those principles and flags issues.
Exam-Level Understanding
Know that Defender for Cloud is the service for secure score, recommendations, and security posture improvement, not for identity or billing.
Thought Exercise: Choosing Roles and Scopes with Least Privilege
Work through these scenarios mentally. There is no answer key here; the goal is to practice reasoning the way exam questions expect you to.
Scenario 1: VM Operator
Your team has a VM operations role. Operators must be able to start, stop, and restart any VM in a specific resource group called `RG-Compute`, but they must not be able to delete VMs or change networking.
- Which scope is appropriate?
  - A. Subscription
  - B. Resource group (`RG-Compute`)
  - C. Individual VMs
- Which type of role is best?
  - A. Owner
  - B. Virtual Machine Contributor (a built-in role focused on VMs)
  - C. Reader
Think: you want to cover all current and future VMs in `RG-Compute` without affecting other groups, and you do not want full subscription access.
Scenario 2: External Auditor
An external auditor needs read-only visibility into all resources in your subscription for 1 month.
- Which scope is appropriate?
  - A. Subscription
  - B. Single resource group
  - C. Individual resources
- Which role is best?
  - A. Contributor
  - B. Reader
  - C. Owner
Think: you want the auditor to see everything but not change anything. Also consider whether granting at many small scopes or one broad scope is simpler for this temporary requirement.
After you decide, compare your reasoning to Zero Trust principles: did you pick the minimum permissions and narrowest scope that still meets the requirement?
Quiz 1: RBAC Basics and Scopes
Check your understanding of RBAC and scopes.
You need to let a developer manage only the resources in a single resource group called RG-App, without affecting any other resource groups in the subscription. What is the BEST way to configure this using RBAC, following least privilege?
- Assign the Contributor role to the developer at the subscription scope.
- Assign the Owner role to the developer at the RG-App resource group scope.
- Assign the Contributor role to the developer at the RG-App resource group scope.
- Assign the Reader role to the developer at the RG-App resource group scope.
Show Answer
Answer: C) Assign the Contributor role to the developer at the RG-App resource group scope.
The goal is to allow management (create, update, delete) of resources in **only** RG-App. The **Contributor** role at the **resource group** scope grants full management rights for that group without touching others, aligning with least privilege. Giving access at the subscription scope is too broad, and Owner is more powerful than needed. Reader would not allow management actions.
Quiz 2: Zero Trust and Defender for Cloud
Test how well you can connect Zero Trust and Defender for Cloud to exam-style wording.
Your organization wants a service that continuously evaluates the configuration of Azure resources, calculates a secure score, and recommends actions such as enabling encryption and restricting public IPs. Which Azure service should you use?
- Microsoft Entra ID
- Azure Policy
- Microsoft Defender for Cloud
- Azure Monitor
Show Answer
Answer: C) Microsoft Defender for Cloud
The described capabilities (secure score, configuration assessment, hardening recommendations) are provided by **Microsoft Defender for Cloud**. Microsoft Entra ID handles identity and access, Azure Policy enforces rules but does not calculate secure score by itself, and Azure Monitor focuses on logs and metrics rather than security posture scoring.
Key Term Flashcards: RBAC, Zero Trust, Defender for Cloud
Use these flashcards to reinforce the most exam-relevant definitions and ideas.
- Role-based access control (RBAC) – canonical definition
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- RBAC: Role
- A role in Azure RBAC is a collection of allowed actions (permissions), such as read, write, or delete operations on specific types of Azure resources.
- RBAC: Scope
- Scope defines where a role assignment applies. Common scopes are subscription, resource group, and individual resource. Permissions assigned at a higher scope inherit down to lower scopes.
- Least privilege
- A security principle where users and applications are granted only the minimum permissions and scope necessary to perform their tasks, and no more.
- Zero Trust (high-level idea)
- Zero Trust is a security approach that assumes breach and never trusts by default. It emphasizes verifying explicitly, using least privilege access, and designing systems so that compromise of one component does not compromise everything.
- Defense-in-depth
- A layered security strategy that uses multiple, overlapping controls (identity, network, compute, data, monitoring) so that if one layer fails, others still protect the environment.
- Microsoft Defender for Cloud (purpose)
- Microsoft Defender for Cloud is Azure’s main service for cloud security posture management and workload protection. It assesses security posture, provides recommendations, calculates secure score, and detects threats for Azure and other cloud resources.
- Shared responsibility model – canonical definition
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Typical RBAC scopes for AZ-900
- Subscription (broadest), resource group (container of related resources), and individual resource (single VM, storage account, etc.), with permissions inheriting from higher to lower scopes.
- RBAC vs. Microsoft Entra ID
- Microsoft Entra ID handles authentication and identity (who you are). RBAC uses those identities to control authorization (what you are allowed to do) on Azure resources.
Putting It Together and Next Steps in Your Study Path
What You Now Know
You connected Entra ID identities, RBAC authorization, Zero Trust principles, and Microsoft Defender for Cloud’s security posture features into one mental model.
Exam Readiness Checklist
Be able to recite the RBAC definition, explain roles and scopes with inheritance, choose least-privilege options, and recognize Defender for Cloud’s purpose.
Using Skarp Effectively
Next, use the diagnostic and mock exams to test yourself. Your gap guide and spaced review queue will reinforce any weak RBAC or security topics.
Looking Ahead: Governance Tools
You will soon combine RBAC and Defender for Cloud with Azure Policy, which enforces rules so resources stay compliant with your standards and SLAs.
Key Terms
- scope
- The boundary within which an RBAC role assignment applies. Common scopes for AZ-900 are subscription, resource group, and individual resource.
- Zero Trust
- A security approach that assumes breach and never trusts by default, emphasizing explicit verification, least privilege access, and limiting the blast radius of attacks.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- secure score
- A numerical summary in Microsoft Defender for Cloud that reflects how well your environment aligns with recommended security practices, based on current configurations and recommendations.
- least privilege
- A security principle where users and applications are granted only the minimum permissions and scope necessary to perform their tasks, and no more.
- defense-in-depth
- A layered security strategy using multiple overlapping controls (identity, network, compute, data, monitoring) so that if one layer fails, others still protect the environment.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Microsoft Defender for Cloud
- Azure’s main cloud security posture management and workload protection service, providing secure score, recommendations, and threat detection for Azure and multi-cloud resources.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.