Azure Role-Based Access Control RBAC (2023)

In our previous post, you were introduced to the basic concepts of cloud and given a brief overview of one of the most popular cloud service providers, Microsoft Azure. In this post and the subsequent posts, we are going to take a deep dive into Azure and understand some of its core features and services.

Suppose your organization's IT infrastructure is already hosted in Azure. The next important question is who gets to access what, and how to implement that seamlessly in Azure. This is where Azure Role-Based Access Control (RBAC), a built-in feature of Azure and our topic for today, comes in handy. We are going to explain in detail what Azure RBAC is and how it helps in managing access control for your Azure services.

Table of Contents

  1. What is Azure RBAC
  2. Key concepts of RBAC
  3. Role assignments
  4. Practical implementation of RBAC
  5. Final Thoughts

1. What is Azure RBAC?

Azure RBAC is a built-in authorization system that helps manage access to Azure resources. Generally, RBAC is used for restricting network access based on the roles of individuals within an organization. It lets users access the information they need to complete their job and restricts them from accessing information that does not pertain to them.

Now that we have defined what RBAC is, let us understand a few basic Azure terminologies which we will use throughout our post.

1.1 Azure Subscription

An Azure subscription is a logical bundle of Azure resources, which serves as a single billing unit for the resources that are present in that subscription. An Azure subscription can be mapped to only one account. However, an account can have multiple subscriptions.

1.2 Resource providers

Resource Providers typically provide the resources that can be used within a subscription. They also describe the applicable actions for each resource. Most of the resource providers are automatically registered to the subscription. If not, users can register them when required.

1.3 Resource group

A resource group is a central unit for the collection of resources that can be treated as one entity. It helps in automatically provisioning, monitoring, and controlling all the member resources collectively.

2. Key concepts of RBAC

The following are the three main concepts of RBAC.

2.1 Security Principal (Who needs access)

It refers to the entity that requires access to the Azure resource. The entity could be a:

  • User (A person who has a profile in Azure Active Directory)
  • Group (A set of users grouped together in Azure Active Directory)
  • Service Principal (Represents the identity used by an Azure service or application to access Azure resources)
  • Managed Identity (Allows an Azure resource to identify itself to Azure Active Directory without requiring it to provide any explicit credentials)

2.2 Scope (What to access)

Once we have decided who needs to access the resources, the next step is to figure out what needs to be accessed by them.

Scope defines the resource or group of resources that the security principal has access to. For example, access to the App Services that are in a particular resource group.

In Azure, the scope can be defined as the following:

  1. Management Group,
  2. Subscription,
  3. Resource Group, and
  4. Resource

Let us understand the above with an example.

Suppose an organization deploys its solutions in Development (Dev), Quality Assurance (QA), Staging, and Production regions. If it wants to figure out the cost incurred in maintaining each region, it can create subscriptions at the region level, i.e., 4 subscriptions for 4 regions.

To maintain the access, policy, and compliance across subscriptions, the scope will be defined at the Management group (group of subscriptions) level. Similarly, to maintain the same set of policies within a subscription, the scope will be defined at the Subscription level. The same is the case with resource groups and resources.

2.3 Role Definition (How to access)

A role definition is a collection of permissions (actions) that a security principal will be able to perform on the defined scope. In other words, the role definition determines the type of operations (read, write, and delete) that can be done by the security principal.

Azure has close to 140+ built-in roles. However, the four fundamental built-in roles are as follows:

  1. Owner (Security principal with full access to the scope, with the right to delegate access to others),
  2. Contributor (Has privileges similar to the Owner role, but cannot delegate access to others),
  3. Reader (Can view the existing Azure resources),
  4. User Access Administrator (Allows managing user access to Azure resources).

Azure allows us to create custom roles, which could come in handy when the built-in roles are not suitable or specific to the organization's needs.

3. Role assignments

RBAC is all about roles, and to implement RBAC, role assignments have to be created. A role assignment is the process of assigning a role to a security principal for a particular scope. Access can be granted or revoked by creating or removing a role assignment.

Azure also lets a security principal have multiple role assignments. An important point to note here is that with multiple role assignments, the highest privilege available across the role assignments is taken into consideration and the effect of the lower-privilege role is nullified.

For Example:

  • Role assignment 1 - Contributor role is assigned to a Subscription for a user.
  • Role assignment 2 - Reader role is assigned to a resource present in the subscription for the same user.

In this case, the higher privilege of the Contributor role is applied across the subscription for the user, which nullifies the effect of the Reader role. Similarly, to exclude a set of actions that the security principal could otherwise perform on the defined scope, Azure offers deny assignments. Deny assignments prevent the security principal from performing certain actions even if a role assignment grants access to them. In short, deny assignments take precedence over role assignments.

Let us consider an example. A developer has access across all the regions (management group) to update or modify all resources (role assignment). However, in the Production region (one of the subscriptions), a rule (deny assignment) is set which does not allow the developer to update any resources in that subscription.
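
The evaluation order described in this section, as an added example that is not part of the original post: a small Python model of how role assignments inherited from parent scopes combine and how a deny assignment overrides them. The principals, subscription names, management group and the abbreviated role definitions are constructed for illustration and simplify what Azure actually evaluates.

```python
from fnmatch import fnmatchcase

# Built-in role definitions, abbreviated to the fields the evaluation needs.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed hierarchy. A subscription is not a path-child of its management
# group, so that parent link is stored explicitly (keys are lower case).
MG = "/providers/Microsoft.Management/managementGroups/contoso"
DEV = "/subscriptions/dev-sub"
PROD = "/subscriptions/prod-sub"
SUB_PARENT = {DEV: MG, PROD: MG}
VM = DEV + "/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed sample assignments mirroring the two examples in the text.
ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": DEV},
    {"principal": "alice", "role": "Reader", "scope": VM},
    {"principal": "dev1", "role": "Contributor", "scope": MG},
]
DENY_ASSIGNMENTS = [
    {"principal": "dev1", "scope": PROD, "actions": ["*/write", "*/delete"]},
]

def matches(patterns, action):
    """Case-insensitive wildcard match of an action against a pattern list."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(assigned_at, target):
    """True when target is the assigned scope or inherits from it."""
    a, t = assigned_at.lower(), target.lower()
    if t == a or t.startswith(a + "/"):
        return True
    subscription = "/".join(t.split("/")[:3])  # "/subscriptions/<id>"
    return SUB_PARENT.get(subscription, "").lower() == a

def is_allowed(principal, action, target, grants=ROLE_ASSIGNMENTS, denies=()):
    # Step 1: a matching deny assignment blocks the action outright.
    for d in denies:
        if (d["principal"] == principal and in_scope(d["scope"], target)
                and matches(d["actions"], action)):
            return False
    # Step 2: grants are additive; one matching role at this scope or any
    # ancestor scope is enough, and a narrower Reader role removes nothing.
    for g in grants:
        role = ROLES[g["role"]]
        if (g["principal"] == principal and in_scope(g["scope"], target)
                and matches(role["actions"], action)
                and not matches(role["not_actions"], action)):
            return True
    return False

if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/write", VM))
    print(is_allowed("dev1", "Microsoft.Web/sites/write",
                     PROD + "/resourceGroups/web", denies=DENY_ASSIGNMENTS))
```

In Azure itself, deny assignments are created and managed by the platform (for example on managed application resource groups); the constructed one here only illustrates precedence.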

4. Practical implementation of RBAC

Say we start to build our infrastructure in the cloud and have recruited candidates for the following roles: Cloud Architect, Database Administrator, Developers, Testers, and Product Owners. Let's see how RBAC helps us to work effectively.

Cloud Architect - The person or group of persons in charge of cloud adoption plans, cloud application design, and cloud management and monitoring. It is the responsibility of cloud architects to provide the standards to be followed and the best practices to be adopted in the cloud system. So, we use RBAC to ensure that the Cloud Architect has access across all the subscriptions, with the privilege to create, read, update, and delete (CRUD) resources.

Database Administrator - A specific group of people who work on the databases that are deployed across all the subscriptions. So, we use RBAC to offer Contributor access to database administrators only for the databases that are deployed across the subscriptions.

Developers - In the case of developers, we use RBAC to ensure that the scope is restricted to their regions of work (which could be one subscription or a resource group), with the privilege to do the CRUD operations.

Testers and Product Owners - We use RBAC to offer the Reader privilege to Testers and Product Owners for their required scope.

Thus, Azure helps organizations in defining the roles for the individuals or a group who contribute to the system.
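
One way to check that the role assignments in a tenant still match the plan above, as an added example that is not part of the original post. The group names, the plan table and the sample records are assumptions constructed for illustration; the record fields follow the JSON printed by `az role assignment list --all -o json`.

```python
import json

# Scope levels ordered from narrowest to broadest.
LEVELS = ["resource", "resource group", "subscription", "management group"]

# Assumed plan derived from the job functions above: allowed roles and the
# broadest scope level for each group. Group names are hypothetical.
PLAN = {
    "Cloud Architects": ({"Contributor", "Reader"}, "management group"),
    "Database Administrators": ({"Contributor", "Reader"}, "resource"),
    "Developers": ({"Contributor", "Reader"}, "subscription"),
    "Testers": ({"Reader"}, "subscription"),
    "Product Owners": ({"Reader"}, "subscription"),
}

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = json.loads("""[
  {"principalName": "Developers", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/dev-sub/resourceGroups/app"},
  {"principalName": "Testers", "principalType": "Group",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/qa-sub"},
  {"principalName": "Database Administrators", "principalType": "Group",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/prod-sub"},
  {"principalName": "bob@example.com", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/prod-sub"}
]""")

def scope_level(scope):
    """Classify an Azure scope path into one of LEVELS."""
    s = scope.lower().strip("/")
    if s.startswith("providers/microsoft.management/managementgroups/"):
        return "management group"
    parts = s.split("/")
    if parts[0] != "subscriptions" or len(parts) < 2:
        raise ValueError(f"unrecognized scope: {scope}")
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"

def audit(assignments, plan=PLAN):
    """Return (principal, reason) for every assignment outside the plan."""
    findings = []
    for a in assignments:
        who, role = a["principalName"], a["roleDefinitionName"]
        level = scope_level(a["scope"])
        if who not in plan:
            findings.append(
                (who, f"unplanned {a['principalType']} holds {role} at {level} scope"))
            continue
        allowed_roles, broadest = plan[who]
        if role not in allowed_roles:
            findings.append((who, f"role {role} is not in the plan"))
        if LEVELS.index(level) > LEVELS.index(broadest):
            findings.append(
                (who, f"{level} scope is broader than planned {broadest} scope"))
    return findings

if __name__ == "__main__":
    for principal, reason in audit(SAMPLE):
        print(f"{principal}: {reason}")
```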

5. Final Thoughts

Access management is an important part of cloud governance and should be given the utmost priority. It helps in defining a set of rules to guide the organization in utilizing and controlling cloud resources in line with industry standards of data security. Implementing the right level of RBAC helps in achieving secure Azure environments and independent security principals.


What is role-based access control RBAC Azure? ›

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources.

What are the three types of RBAC controls in Azure? ›

Azure broadly defines three different roles: Reader, Contributor, and Owner. These roles apply to Subscriptions, Resource Groups, and most all Resources on Azure.

What is RBAC and how does it work? ›

Role-based access control (RBAC) restricts network access based on a person's role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.

What is the difference between Azure AD and RBAC? ›

While RBAC roles are used to manage access to Azure resources like VMs and storage accounts, Azure AD Administrator roles are used to manage Azure AD resources in a directory.

What are the three primary rules for RBAC? ›

The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments.

When should I use Azure RBAC? ›

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.

How many RBAC roles are in Azure? ›

Azure role-based access control (Azure RBAC) has over 120 built-in roles or you can create your own custom roles. This article describes how to list the built-in and custom roles that you can use to grant access to Azure resources.

What are the four 4 main access control model? ›

The 4 main access control models are:

  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
  • Role-based access control (RBAC)
  • Rule-based access control (RuBAC)

Is RBAC authentication or authorization? ›

RBAC provides a consistent authentication and authorization mechanism for users access across the entire Confluent Platform, which is not possible if solely using ACLs.

What is an example of RBAC? ›

One role-based access control example is a set of permissions that allow users to read, edit, or delete articles in a writing application. There are two roles, a Writer and a Reader, and their respective permission levels are presented in this truth table.

What is the disadvantage of RBAC? ›

There are also several disadvantages of the RBAC model. You can't set up a rule using parameters that are unknown to the system before a user starts working. Permissions can be assigned only to user roles, not to objects and operations.

How do I assign a RBAC in Azure? ›

In Azure RBAC, to grant access, you assign an Azure role.
  1. In the list of Resource groups, open the new example-group resource group.
  2. In the navigation menu, click Access control (IAM).
  3. Click the Role assignments tab to see the current list of role assignments.
  4. Click Add > Add role assignment.

What is the difference between RBAC and IAM? ›

RBAC defines permissions based on a person's job function, known outside of AWS as a role. Within AWS a role usually refers to an IAM role, which is an identity in IAM that you can assume. IAM does include managed policies for job functions that align permissions to a job function in an RBAC model.

What is better than RBAC? ›

The main difference between RBAC vs. ABAC is the way each method grants access. RBAC techniques allow you to grant access by roles. ABAC techniques let you determine access by user characteristics, object characteristics, action types, and more.

Can a user have multiple roles in RBAC? ›

A User can have multiple Roles. A Group can have multiple Roles. A role can be assigned to multiple Users or Groups.

What are the 3 components necessary for any role-based access control RBAC assignment? ›

You control access to resources using RBAC by creating role assignments, which control how permissions are enforced. To create a role assignment, you need three elements: a security principal, a role definition, and a scope. You can think of these elements as “who”, “what”, and “where”.

How is RBAC used to manage authorization? ›

An RBAC system allows us to create those roles that have associated access permissions to corporate resources. Once configured, system managers can assign users to these roles with this associated set of permissions.

Who can assign roles in Azure RBAC? ›

Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Azure Active Directory (Azure AD) tenant. You can assign a role to any principal.

What are the 5 D's of access control? ›

The 5 Ds of perimeter security (Deter, Detect, Deny, Delay, Defend) work on the 'onion skin' principle, whereby multiple layers of security work together to prevent access to your site's assets, giving you the time and intelligence you need to respond effectively.

What are the 7 main categories of access control? ›

The seven main categories of access control are directive, deterrent, compensating, detective, corrective, and recovery.

What are the 2 types of access control? ›

There are two types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

What are the components of RBAC? ›

The RBAC framework is centered on the following three core concepts: Authorizations. Roles.
Together, these concepts allow an RBAC system to enforce the least-privilege principle.
  • Authorizations. ...
  • Roles. ...
  • Privileges.

How do you check if RBAC is enabled? ›

You can check this by executing the command kubectl api-versions ; if RBAC is enabled you should see the API version . .

What are the six main categories of access control? ›

As noted above, the CISSP exam calls out six flavors of access control.
  • Mandatory Access Control (MAC) ...
  • Discretionary Access Control (DAC) ...
  • Role-Based Access Control (RBAC) ...
  • Rule-Based Access Control. ...
  • Attribute-Based Access Control (ABAC) ...
  • Risk-Based Access Control.

What is the best type of access control? ›

Role-Based Access Control (RBAC)

Role-based access control attributes permissions to a user based on their business responsibilities. As the most common access control system, it determines access based on your role in the company—ensuring lower-level employees aren't gaining access to high-level information.

What are RBAC features? ›

RBAC features and supporting policies

Before a user can be active in a role, that user must first have been authorized as a member of the role by a security administrator. RBAC provides administrators with the capability to place constraints on role authorization, role activation, and operation execution.

Is RBAC least privilege? ›

RBAC uses the security principle of least privilege. Least privilege means that a user has precisely the amount of privilege that is necessary to perform a job. Ordinary users have enough privilege to use their applications, check the status of their jobs, print files, create new files, and so on.

What are the advantages of RBAC over alternatives such as ACL? ›

However, RBAC has an overseeing administrator and provides a superior security control mechanism. Moreover, it serves a broad, company-wide security control. While ACL has the ability to grant write access to a file, it is incapable of determining how the file might be changed by a user.

What are the three types of roles in Cloud IAM? ›

Role types
  • Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
  • Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
  • Custom roles, which provide granular access according to a user-specified list of permissions.

What is azure equivalent of IAM? ›

Azure Active Directory (AD) is Microsoft's cloud-based identity and access management (IAM) service; it can be used to manage secure user sign-in to thousands of external services, such as Microsoft Office 365, the Azure portal, and other SaaS applications.

Which is more secure RBAC or ABAC? ›

The ABAC model's time-based rules prevent access to sensitive data at times it's not needed, thus preventing exfiltration and data breaches. Companies with a simple structure: When your organization's workgroups have a simple structure with few roles, RBAC is a better choice.

Is RBAC scalable? ›

Hence, roles are never constant in an organization. Although RBAC is scalable in theory, the amount of changes is difficult to manage and maintain. Forcing the model on the organization is not viable for a business to operate. It would then be the model adjusting to the business.

What is role-based access control RBAC )? Examples benefits and more? ›

Role-based access control (RBAC) allows permissions to be set as to who is authorised to access the various physical locations, systems, controls and assets of a business. Via individually assigned permissions, it is possible to restrict what a member of staff can access.

What are the disadvantages of RBAC? ›

Let's take a look at the main challenges of RBAC:
  • Problem 1: Role Explosion.
  • Problem 2: Security Risk Tolerance.
  • Problem 3: Scalability & Dynamism.
  • Problem 4: Expensive and Difficult Implementation.

What is advantage and disadvantages of RBAC? ›

Advantages and disadvantages of RBAC

Any modifications to the organizational structure or permissions are quickly applied to all employees when the company modifies the corresponding role. Reduced administration work: RBAC has rendered the time-consuming process of individually assigning permissions obsolete.

What is the difference between role vs rule based access control? ›

Rule-based access controls are preventative – they don't determine access levels for employees. Instead, they work to prevent unauthorized access. Role-based models are proactive – they provide employees with a set of circumstances in which they can gain authorized access.



Author: Kerri Lueilwitz

Last Updated: 09/06/2023
