Azure Identity

Understanding Authorization in Azure

Introduction to Authorization

Authorization determines what actions an authenticated identity can perform on Azure resources. Authentication (handled by Microsoft Entra ID for Azure Resource Manager) verifies who an identity is; authorization decides what that identity is allowed to do. Azure's authorization model is built so that only the right people and services reach the right resources, at the narrowest scope that does the job.

The primary mechanism for managing authorization in Azure is Azure role-based access control (Azure RBAC). Deny assignments and role-assignment conditions (Azure attribute-based access control) refine it, but nearly every day-to-day access decision comes down to a role assignment.

Azure Role-Based Access Control (RBAC)

Azure RBAC is the authorization system for Azure resources. It grants permissions to users, groups, service principals, and managed identities by assigning roles to those security principals at a given scope. RBAC itself only grants: an explicit deny comes from a deny assignment, which you cannot create directly (deny assignments are created by Azure Blueprints and managed applications).

The three fundamental building blocks of RBAC are:

  • Security Principal: An object that requests access to an Azure resource: a user, a group, a service principal, or a managed identity (a managed identity is a special kind of service principal whose credentials Azure manages).
  • Role Definition: A named collection of permissions (Actions, NotActions, DataActions, NotDataActions). For example, "Virtual Machine Contributor" can create and manage virtual machines, including deleting them, but cannot manage the virtual network or storage account they use and cannot grant access to others.
  • Scope: The set of resources the access applies to. From broadest to narrowest: management group, subscription, resource group, and a single resource. Access granted at a scope is inherited by everything beneath it.

Understanding Permissions

Permissions are the individual operations that can be performed on a resource type, written as {resource provider}/{resource type}/{operation}. A role definition lists them under Actions (control-plane operations that go through Azure Resource Manager) and DataActions (data-plane operations such as reading a blob), each with a matching NotActions or NotDataActions list that carves operations out of a wildcard grant. Examples of control-plane permissions include:

  • Microsoft.Compute/virtualMachines/read (Read virtual machines)
  • Microsoft.Storage/storageAccounts/write (Write to storage accounts)
  • Microsoft.Network/networkSecurityGroups/delete (Delete network security groups)

RBAC uses a deny-by-default, additive model. If no role assignment grants a permission, it is denied; if several assignments apply to a principal, it gets the union of their permissions. NotActions only subtract from the role that lists them and are not a deny: a principal holding Contributor (whose NotActions exclude Microsoft.Authorization/*/Write) plus a second role that grants that operation still has it. Only a deny assignment overrides a grant.
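To make these evaluation rules concrete, here is a small Python model of them. It is an added example written for this page, not Microsoft's implementation and not code from the original text: the Reader and Contributor definitions are trimmed copies of the built-in roles, the subscription id, resource group, principal names and the deny assignment are constructed, and management group scopes are deliberately left out of the scope check.

```python
"""Toy model of how Azure evaluates a control-plane permission request.

Added example for this page, not Microsoft code. It models three documented rules: role
assignments apply at their scope and every child scope; a role grants an action when an
Actions pattern matches and no NotActions pattern does, and a principal's access is the union
of all its assignments; deny assignments are checked last and override any grant.
Reader and Contributor are trimmed copies of the built-in roles; every id below is constructed.
"""
import re
from dataclasses import dataclass

@dataclass
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

@dataclass
class RoleAssignment:
    principal: str   # object id of the user, group, service principal or managed identity
    role: RoleDefinition
    scope: str

@dataclass
class DenyAssignment:
    principals: frozenset
    actions: tuple
    scope: str
    not_actions: tuple = ()

def action_matches(pattern: str, action: str) -> bool:
    """Azure wildcard matching: '*' spans any characters, including '/', case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True when the target is the assignment scope or nested below it. Subscription, resource
    group and resource scopes nest as path prefixes; management groups are not modelled here."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def role_permits(role: RoleDefinition, action: str) -> bool:
    """NotActions only carve operations out of this role; they are not a deny."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded

def is_allowed(principal, action, scope, assignments, deny_assignments=()) -> bool:
    allowed = any(a.principal == principal and scope_covers(a.scope, scope) and role_permits(a.role, action)
                  for a in assignments)
    if not allowed:
        return False   # deny by default: no assignment grants it
    denied = any(principal in d.principals and scope_covers(d.scope, scope)
                 and any(action_matches(p, action) for p in d.actions)
                 and not any(action_matches(p, action) for p in d.not_actions)
                 for d in deny_assignments)
    return not denied

# Trimmed built-in roles (real pattern strings; Contributor's full NotActions list is longer).
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"))

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed
PROD_RG = SUB + "/resourceGroups/prod-rg"
VM1 = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
NSG1 = PROD_RG + "/providers/Microsoft.Network/networkSecurityGroups/nsg1"

ASSIGNMENTS = [RoleAssignment("alice", READER, SUB),            # Reader on the whole subscription
               RoleAssignment("ci-sp", CONTRIBUTOR, PROD_RG)]   # Contributor on one resource group
# A deny assignment of the kind Azure Blueprints creates to protect a resource (constructed).
DENIES = [DenyAssignment(frozenset({"ci-sp"}), ("Microsoft.Network/networkSecurityGroups/delete",), PROD_RG)]

if __name__ == "__main__":
    checks = [("alice", "Microsoft.Compute/virtualMachines/read", VM1),             # inherited Reader
              ("alice", "Microsoft.Compute/virtualMachines/write", VM1),            # Reader has no write
              ("ci-sp", "Microsoft.Compute/virtualMachines/write", VM1),            # Contributor in scope
              ("ci-sp", "Microsoft.Authorization/roleAssignments/write", PROD_RG),  # carved out by NotActions
              ("ci-sp", "Microsoft.Compute/virtualMachines/write", SUB + "/resourceGroups/dev-rg"),  # out of scope
              ("ci-sp", "Microsoft.Network/networkSecurityGroups/delete", NSG1)]    # blocked by deny assignment
    for principal, action, scope in checks:
        print(principal, action, is_allowed(principal, action, scope, ASSIGNMENTS, DENIES))
```

The last check is the one worth remembering: without the deny assignment, Contributor on prod-rg would delete the NSG; with it, the same principal, role and scope are refused, because deny assignments are evaluated after every grant.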

Built-in vs. Custom Roles

Azure provides a set of built-in roles that cover common access needs. These include roles like:

  • Owner: Full access to manage all resources, including the ability to assign roles to others.
  • Contributor: Full access to manage all resources, but cannot assign roles (its NotActions exclude Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete).
  • Reader: Can view all Azure resources but cannot make any changes.
  • User Access Administrator: Can manage user access to Azure resources. Because its holder can assign Owner to anyone, including themselves, treat it as equivalent to Owner.

If the built-in roles do not meet your specific needs, you can create custom roles. A custom role defines a precise set of permissions tailored to your organization's requirements, together with the AssignableScopes (management groups, subscriptions, or resource groups) within which it may be assigned. This is crucial for implementing the principle of least privilege: a role built for one job is far easier to reason about than Contributor with a long list of exceptions.
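A custom role is most useful when it is built for one job and checked for the mistakes that quietly turn it into Owner. The Python below, an added example for this page rather than Microsoft code, builds a VM operator role in the JSON layout that az role definition create --role-definition @role.json accepts and lints it for an empty or root AssignableScopes, a bare * or whole-provider wildcard, and any pattern that grants the Microsoft.Authorization operations through which a holder can escalate. The role name, subscription id and the exact set of operations are assumptions for illustration.

```python
"""Build a custom role for one job and lint it for least-privilege mistakes before creating it.

Added example for this page, not Microsoft code. The dictionary layout (Name, IsCustom,
Description, Actions, NotActions, DataActions, NotDataActions, AssignableScopes) is the JSON
accepted by `az role definition create --role-definition @role.json`. The role name, the
subscription id and the chosen operations are assumptions for illustration.
"""
import json
import re

# Operations that change who can do what; any of them turns a role into a path to Owner.
ESCALATION_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/Action",
)

def action_matches(pattern: str, action: str) -> bool:
    """Azure wildcard matching: '*' spans any characters, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def build_vm_operator_role(subscription_id: str) -> dict:
    """A role that can start, stop and restart VMs but not create, delete or re-network them."""
    return {
        "Name": "VM Operator (example)",
        "IsCustom": True,
        "Description": "Start, stop, restart and view virtual machines in the subscription.",
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/powerOff/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def lint_role(role: dict) -> list:
    """Return human-readable findings; an empty list means the definition passed every check."""
    findings = []
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty: the role could not be assigned anywhere")
    if "/" in scopes:
        findings.append("AssignableScopes contains '/': custom roles cannot be assigned at the root scope")
    if "*" in actions:
        findings.append("Actions contains '*': grants every control-plane operation (Owner minus NotActions)")
    for pattern in actions:
        if pattern != "*" and pattern.endswith("/*") and pattern.count("/") == 1:
            findings.append(f"'{pattern}' grants a whole resource provider; list the operations actually needed")
    for op in ESCALATION_ACTIONS:
        granted = any(action_matches(p, op) for p in actions)
        excluded = any(action_matches(p, op) for p in not_actions)
        if granted and not excluded:
            findings.append(f"grants {op}: the holder can escalate to Owner")
    return findings

def role_json(role: dict) -> str:
    """Serialised form to save as role.json and pass to `az role definition create`."""
    return json.dumps(role, indent=2)

if __name__ == "__main__":
    good = build_vm_operator_role("11111111-1111-1111-1111-111111111111")   # constructed id
    print(role_json(good))
    print("findings:", lint_role(good) or "none")
    # A tempting shortcut ("everything under Microsoft.Authorization so the team can manage locks")
    # is exactly what the linter should refuse.
    risky = dict(good, Actions=["Microsoft.Authorization/*"])
    print("findings:", lint_role(risky))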

Role Assignments

A role assignment binds one security principal to one role definition at one scope. This is how access is granted, and the assignment is inherited by every child scope beneath the one it was made at.

You assign roles at different levels. The most common scopes are subscription, resource group, and resource. For example, you can assign the Reader role to a user at the subscription scope, which means they can view everything in that subscription. Alternatively, you could assign the Contributor role to a service principal for a specific resource group, allowing it to manage resources only within that group.

Role assignments can be managed through the Azure portal, Azure CLI, Azure PowerShell, or programmatically via Azure SDKs and REST APIs.

Example using Azure CLI to assign a role (--assignee accepts a user principal name, an object ID, or an application ID; for service principals, --assignee-object-id together with --assignee-principal-type avoids the Microsoft Entra lookup and the race that can follow creating a principal):

    # Grant Reader on a single resource group; replace the {placeholders} with your own values.
    az role assignment create --role "Reader" --assignee "user@example.com" --scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

Best Practices for Authorization

To ensure secure and efficient management of access in Azure, consider these best practices:

  • Principle of Least Privilege: Grant only the permissions necessary to perform a task. Avoid assigning broad roles like Owner, User Access Administrator, or Contributor at subscription or management group scope unless absolutely required.
  • Use Groups: Assign roles to Microsoft Entra ID (formerly Azure AD) groups rather than individual users. This simplifies management, keeps joiner and leaver changes out of the role assignment list, and makes access reviews tractable.
  • Leverage Managed Identities: For applications and services running in Azure, use managed identities to authenticate to other Azure services. This eliminates the need to store or rotate credentials; the identity still needs a role assignment, so scope it as tightly as you would a user's.
  • Regularly Review Access: Periodically review role assignments, remove those that are no longer needed, and clean up assignments whose principal has been deleted. Microsoft Entra Privileged Identity Management can make Owner and User Access Administrator eligible (activated on demand) rather than permanently active.
  • Use Scopes Effectively: Assign roles at the most restrictive scope possible. A resource group or a single resource is usually enough; a subscription-wide or management-group-wide assignment should be the exception and should be justified.
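Putting the review, group and scope practices together: the Python below, an added example for this page and not Microsoft tooling, audits an export of role assignments and flags Owner or User Access Administrator at management group or subscription scope, Contributor at those scopes, privileged roles assigned directly to users, and assignments whose principal no longer resolves. It assumes the field names of az role assignment list --all -o json (principalName, principalType, roleDefinitionName, scope); the records are constructed, and treating an empty principalName as a deleted principal is an assumption to confirm in Microsoft Entra ID before removing anything.

```python
"""Review exported role assignments and flag the ones worth a second look.

Added example for this page, not Microsoft code. The input mimics the shape of
`az role assignment list --all -o json` (principalName, principalType, roleDefinitionName,
scope); the records are constructed, and reading an empty principalName as a deleted
principal is an assumption to confirm against Microsoft Entra ID before acting on it.
"""
import json
import re

HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator"}   # can grant access to others
BROAD_ROLES = {"Contributor"}                                    # can change everything in scope

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"     # constructed
SAMPLE_EXPORT = json.dumps([                                     # constructed export
    {"name": "a1", "principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"name": "a2", "principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"name": "a3", "principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/prod-rg"},
    {"name": "a4", "principalName": "", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/prod-rg"},
    {"name": "a5", "principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
])

def scope_level(scope: str) -> str:
    """Classify a scope string as root, managementGroup, subscription, resourceGroup or resource."""
    s = scope.rstrip("/").lower()
    if s == "":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", s):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourcegroups/[^/]+", s):
        return "resourceGroup"
    return "resource"

def findings_for(a: dict) -> list:
    """(severity, message) pairs for one assignment record."""
    out = []
    role, level = a["roleDefinitionName"], scope_level(a["scope"])
    broad_scope = level in ("root", "managementGroup", "subscription")
    if role in HIGH_PRIVILEGE_ROLES and broad_scope:
        out.append(("high", f"{role} at {level} scope can grant itself or others any access"))
    elif role in BROAD_ROLES and broad_scope:
        out.append(("medium", f"{role} at {level} scope; consider a narrower scope or a custom role"))
    if a["principalType"] == "User" and (role in HIGH_PRIVILEGE_ROLES or role in BROAD_ROLES):
        out.append(("low", "privileged role assigned directly to a user; assign via a group instead"))
    if not a.get("principalName"):
        out.append(("medium", "principal did not resolve; likely deleted, remove the stale assignment"))
    return out

def audit(export_json: str) -> dict:
    """Map assignment name -> findings, only for assignments that have any."""
    result = {}
    for a in json.loads(export_json):
        f = findings_for(a)
        if f:
            result[a["name"]] = f
    return result

if __name__ == "__main__":
    for name, items in audit(SAMPLE_EXPORT).items():
        for severity, message in items:
            print(f"{name}  {severity:6}  {message}")
```

Run against a real export (az role assignment list --all -o json > assignments.json) the same functions work unchanged; the point of the thresholds is that a Contributor on one resource group (a3) is unremarkable, while the same role on the whole subscription, or any Owner held by a person rather than a group, is what the review should spend its time on.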