RBAC
Documentation:
- Implement role-based access control
- Create a role definition
- Create a role assignment
- Compare Azure roles to Microsoft Entra roles
- Apply role-based access control
Info
Role-based access control (RBAC) is a mechanism that can help you manage who can access your Azure resources. RBAC lets you determine what operations specific users can do on specific resources, and control what areas of a resource each user can access.
Azure RBAC is an authorization system built on Azure Resource Manager. Azure RBAC provides fine-grained access management of resources in Azure.
Concept | Description | Examples
---|---|---
Security principal | An object that represents something that requests access to resources. | User, group, service principal, managed identity
Role definition | A set of permissions that lists the allowed operations. Azure RBAC comes with built-in role definitions, but you can also create your own custom role definitions. | Some built-in role definitions: Reader, Contributor, Owner, User Access Administrator
Scope | The boundary for the requested level of access, or "how much" access is granted. | Management group, subscription, resource group, resource
Role assignment | An assignment attaches a role definition to a security principal at a particular scope. Users can grant the access described in a role definition by creating (attaching) an assignment for the role. | Assign the User Access Administrator role to an admin group scoped to a management group; assign the Contributor role to a user scoped to a subscription
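The four concepts in the table (security principal, role definition, scope, role assignment) combine into a single authorization decision. The following is an added, simplified model of that decision written for this page; it is not Microsoft's evaluation code. It assumes the documented rules that an assignment at a scope is inherited by every child scope, that a role's effective permissions are its Actions minus its NotActions, and that `*` in an action string is a wildcard; the subscription ID, principals and custom role are constructed, the built-in roles are abbreviated renderings of the documented Reader and Contributor definitions, and management-group inheritance and deny assignments are not modelled.

```python
"""Simplified model of an Azure RBAC authorization check (added example).

Assumptions (not verified against the Azure service):
  - scopes are '/'-separated resource IDs; an assignment covers its own scope
    and every scope beneath it (management groups are not modelled);
  - a role permits an action if some entry in Actions matches it and no entry
    in NotActions matches it; '*' matches any run of characters;
  - a request is allowed if any assignment for the principal permits it
    (deny assignments and DataActions are not modelled).
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str          # security principal: user, group, SP, managed identity
    role: RoleDefinition
    scope: str              # management group / subscription / resource group / resource


def _action_matches(pattern: str, action: str) -> bool:
    # Action strings are case-insensitive; '*' is the only wildcard used here.
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if target_scope is assigned_scope itself or lies beneath it."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Effective permission = Actions minus NotActions."""
    allowed = any(_action_matches(p, action) for p in role.actions)
    excluded = any(_action_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def explain(principal: str, action: str, scope: str,
            assignments: list[RoleAssignment]) -> list[str]:
    """Names of the assignments that grant this request (useful for access reviews)."""
    return [f"{a.role.name} @ {a.scope}" for a in assignments
            if a.principal == principal
            and scope_covers(a.scope, scope)
            and role_permits(a.role, action)]


def is_authorized(principal: str, action: str, scope: str,
                  assignments: list[RoleAssignment]) -> bool:
    return bool(explain(principal, action, scope, assignments))


# Abbreviated built-in roles (subset of the documented Actions/NotActions).
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=("Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"),
)
# Constructed custom role: may start and inspect VMs, nothing else.
VM_OPERATOR = RoleDefinition(
    "VM Operator (custom, constructed)",
    actions=("Microsoft.Compute/virtualMachines/read",
             "Microsoft.Compute/virtualMachines/start/action"),
)

# Constructed scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_WEB = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev01"

# Constructed assignments: who holds which role at which scope.
ASSIGNMENTS = [
    RoleAssignment("alice", CONTRIBUTOR, SUB),      # inherited by every RG and resource
    RoleAssignment("bob", READER, RG_PROD),         # read-only, rg-prod subtree only
    RoleAssignment("sp-deploy", VM_OPERATOR, VM_WEB),  # least privilege: one VM
]

if __name__ == "__main__":
    for who, act, at in [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_WEB),
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_PROD),
        ("bob", "Microsoft.Compute/virtualMachines/read", VM_DEV),
        ("sp-deploy", "Microsoft.Compute/virtualMachines/delete", VM_WEB),
    ]:
        print(f"{who:10} {act:50} -> {explain(who, act, at, ASSIGNMENTS) or 'DENIED'}")
```

Two outcomes in the run are the ones worth checking in a real tenant: a Contributor assigned at the subscription can modify resources in every resource group beneath it, but its NotActions stop it from writing role assignments, so it cannot widen its own access; and an assignment made at a single resource grants nothing at the parent resource group, which is what makes narrowly scoped assignments the least-privilege choice for service principals.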
Comparison between Azure RBAC roles and Microsoft Entra roles
 | Azure RBAC roles | Microsoft Entra ID admin roles
---|---|---
Access management | Manages access to Azure resources | Manages access to Microsoft Entra resources
Scope assignment | Scope can be specified at multiple levels, including management groups, subscriptions, resource groups, and resources | Scope is specified at the tenant level
Role definitions | Roles can be defined via the Azure portal, the Azure CLI, Azure PowerShell, Azure Resource Manager templates, and the REST API | Roles can be defined via the Azure admin portal, Microsoft 365 admin portal, and Microsoft Graph PowerShell
Apply role-based access control
- Microsoft Entra admin roles are used to manage resources in Microsoft Entra ID, such as users, groups, and domains. These roles are defined for the Microsoft Entra tenant at the root level of the configuration.
- Azure RBAC roles provide more granular access management for Azure resources. These roles are defined for a requestor or resource and can be applied at multiple levels: the root, management groups, subscriptions, resource groups, or resources.