Azure Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC) is the authorisation system that governs who can do what with Azure resources. It allows you to assign fine-grained permissions to users, groups, and service principals at various scopes within your Azure environment.

---

The Problem RBAC Solves

Without a structured authorisation system, managing access to cloud resources quickly becomes chaotic:

• Giving everyone full admin access is a security nightmare
• Managing individual permissions per user per resource does not scale
• Compliance and auditing become impossible without a clear model

RBAC solves these problems by combining roles (what you can do), security principals (who you are), and scopes (where you can do it).

---

The Three Elements of RBAC

1. Security Principal (Who)

A security principal is the entity requesting access. It can be:

Principal	Description
User	An individual with an account in Entra ID
Group	A set of users; all members inherit the assignment
Service principal	An identity used by an application or service
Managed identity	A special service principal managed automatically by Azure

2. Role Definition (What)

A role definition is a collection of permissions. It specifies which operations are allowed or denied. Each permission follows the format:

{Company}.{ResourceProvider}/{resourceType}/{action}

For example:

• Microsoft.Compute/virtualMachines/read — read VM properties
• Microsoft.Storage/storageAccounts/write — create or update storage accounts
• Microsoft.Authorization/roleAssignments/* — manage role assignments

Actions fall into four categories:

Category	Description
Actions	Control plane operations (manage resources)
NotActions	Excluded control plane operations
DataActions	Data plane operations (access data within a resource)
NotDataActions	Excluded data plane operations

3. Scope (Where)

A scope defines the boundary at which the role assignment applies. Azure scopes form a hierarchy:

Management Group
  └── Subscription
        └── Resource Group
              └── Resource

A role assigned at a higher scope is inherited by all child scopes. For example, a role assigned at the subscription level applies to every resource group and resource within that subscription.

---

Role Assignments

A role assignment binds together a security principal, a role definition, and a scope. This is the fundamental unit of access in Azure RBAC.

Role Assignment = Security Principal + Role Definition + Scope

Creating a Role Assignment in the Portal