Azure Role-Based Access Control (RBAC)

Prakash Agrawal
4 min read
In the contemporary landscape of cloud computing, effective access management is crucial for maintaining security and operational efficiency. Microsoft provides two primary frameworks for role-based access control: Azure Role-Based Access Control (Azure RBAC) and Microsoft Entra ID roles. While both are designed to manage permissions, they operate within distinct scopes and serve different purposes. This article offers an in-depth comparison of these two systems, elucidating their functionalities, inherent roles, procedures for creating custom roles, and methodologies for role assignment.

Azure Role-Based Access Control (Azure RBAC)

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. It enables administrators to control user actions at different scopes, including:

  • Management Group: A collection of multiple subscriptions.

  • Subscription: An individual Azure subscription.

  • Resource Group: A container that holds related resources for an Azure solution.

  • Resource: A specific Azure resource, such as a virtual machine or database.

Built-in Azure Roles

Azure RBAC offers over 120 built-in roles to address common access needs. Some of the primary roles include:

  • Owner: Grants full access to all resources, including the authority to delegate access to others.

  • Contributor: Permits creation and management of all types of Azure resources but does not allow assigning roles to others.

  • Reader: Provides read-only access to existing Azure resources.

  • User Access Administrator: Enables management of user access to Azure resources.

Custom Role Creation

When built-in roles do not align with specific organizational requirements, Azure RBAC allows for the creation of custom roles. A custom role is defined by a collection of permissions that specify allowed and disallowed actions:

  • Actions: Operations that the role permits.

  • NotActions: Operations explicitly excluded from the role.

  • DataActions: Data operations permitted by the role.

  • NotDataActions: Data operations explicitly excluded from the role.

For instance, a custom role might allow users to read and write to a storage account but prohibit them from deleting it.

Role Assignment in Azure RBAC

Assigning a role in Azure RBAC involves three key components:

  1. Security Principal: The entity (user, group, service principal, or managed identity) receiving the access.

  2. Role Definition: The set of permissions (built-in or custom) to be granted.

  3. Scope: The level at which access is applied (management group, subscription, resource group, or resource).

Steps to Assign a Role in Azure

  1. Identify the Appropriate Scope: Determine the level (management group, subscription, resource group, or resource) at which the role should be assigned.

  2. Select the Role Definition: Choose a suitable built-in role or create a custom role that aligns with the required permissions.

  3. Assign the Role: Utilize the Azure portal, Azure CLI, or Azure PowerShell to assign the selected role to the specified security principal at the determined scope.
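The custom role described above (read and write a storage account, never delete it) and the three-part assignment (security principal, role definition, scope) can be modelled to show two rules that matter when reviewing access: NotActions only subtracts from the same role's Actions, it is not a deny, so a second assignment can still grant the excluded operation; and an assignment applies to every child scope beneath the scope it was made at. This is an added Python illustration, not Azure's own evaluation code; the subscription id, resource group, storage account name and principal are constructed placeholders, while the operation strings are real Azure Storage control-plane actions.

```python
"""Constructed model of Azure RBAC effective permissions (added example, not Azure's
code). Operation strings are real Azure Storage control-plane actions; ids are placeholders."""
from fnmatch import fnmatchcase

# The article's example custom role: read and write a storage account, never delete it.
STORAGE_OPERATOR = {
    "Name": "Storage Account Operator (custom)",
    "Actions": ["Microsoft.Storage/storageAccounts/*"],
    "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}
# Second constructed role granting delete outright: NotActions in one role cannot block it.
ACCOUNT_DELETER = {"Name": "Account Deleter (custom)",
                   "Actions": ["Microsoft.Storage/storageAccounts/delete"], "NotActions": []}

def matches(patterns, operation):
    """Action strings allow '*' wildcards and are compared case-insensitively."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role, operation, data_action=False):
    """One role's effective set is Actions minus NotActions (DataActions likewise)."""
    allow, exclude = ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    return matches(role.get(allow, []), operation) and not matches(role.get(exclude, []), operation)

def scope_covers(assignment_scope, resource_scope):
    """An assignment made at a scope applies to that scope and everything beneath it."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_scope.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")

def is_allowed(assignments, principal, operation, resource_scope, data_action=False):
    """Across assignments Azure takes the union: any covering assignment that permits wins."""
    return any(a["principal"] == principal
               and scope_covers(a["scope"], resource_scope)
               and role_permits(a["role"], operation, data_action)
               for a in assignments)

# Constructed assignment: security principal + role definition + scope (a resource group).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
ST_APP = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp001"
ASSIGNMENTS = [{"principal": "alice@example.com", "role": STORAGE_OPERATOR, "scope": RG_APP}]

if __name__ == "__main__":
    for op in ("read", "write", "delete"):
        full = "Microsoft.Storage/storageAccounts/" + op
        print(op, "->", is_allowed(ASSIGNMENTS, "alice@example.com", full, ST_APP))
```

Running it prints read and write as allowed and delete as not; adding an assignment of ACCOUNT_DELETER for the same principal flips delete to allowed, which is why a "NotActions" exclusion should never be relied on as a deny control.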

Microsoft Entra ID Roles

Scope and Focus

Microsoft Entra ID roles are utilized to manage access to directory-level resources within Microsoft Entra ID, formerly known as Azure Active Directory. These roles are essential for administrative tasks related to identity and access management, with a scope that typically encompasses the entire tenant. This means that assigned permissions apply across all services and resources within the tenant.

Built-in Entra ID Roles

Microsoft Entra ID provides a variety of built-in roles tailored for specific administrative functions, including:

  • Global Administrator: Possesses unrestricted access to all administrative features in Microsoft Entra ID.

  • User Administrator: Manages user accounts and groups, including the ability to reset passwords.

  • Compliance Administrator: Oversees compliance-related features and settings.

  • Security Reader: Grants read-only access to security-related features and reports.

Custom Role Creation

Entra ID supports the creation of custom roles to meet specific organizational needs. Creating a custom role involves:

  1. Defining Permissions: Specify the exact permissions required.

  2. Creating the Role: Use the Entra admin center or Microsoft Graph API to create the role.

  3. Assigning the Role: Assign the custom role to users or groups.

Role Assignment in Entra ID

Assigning roles in Entra ID can be done directly to users or to groups that are enabled for role assignment. The process involves:

  1. Selecting the User or Group: Choose the entity to receive the role.

  2. Choosing the Role: Select from built-in or custom roles.

  3. Assigning the Role: Use the Entra admin center or Microsoft Graph API to assign the role.

Key Differences Between Azure RBAC and Entra ID Roles

Feature              | Azure RBAC                                      | Microsoft Entra ID Roles
Scope                | Resource-level (management group to resource)   | Tenant-level
Primary Use          | Managing access to Azure resources              | Managing access to directory-level resources
Built-in Roles       | Owner, Contributor, Reader, etc.                | Global Admin, User Admin, Compliance Admin, etc.
Custom Roles         | Supported with fine-grained permissions         | Supported with directory-level permissions
Assignment to Groups | Supported                                       | Supported with role-assignable groups

About me: I am an independent Cloud Architect and technical writer. If you are an organization that wants to hire me, I can be contacted at techonlinewriter@gmail.com
