Microsoft

Azure Role-Based Access Control (RBAC)

Overview

Azure Role-Based Access Control (RBAC) is a fine‑grained authorization system that provides access management of Azure resources. RBAC enables you to assign permissions to users, groups, service principals, and managed identities at a specific scope: subscription, resource group, or individual resource.

# List every role assignment at subscription scope (including inherited ones)
az role assignment list --scope /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Key Concepts

Roles

A role is a collection of permissions. Azure provides built‑in roles (e.g., Owner, Contributor) and allows you to create custom roles for specific needs.

Scopes

Roles are assigned at a defined scope. Scopes are hierarchical, inheriting permissions from parent to child.

// Example scope hierarchy
/ (tenant)
 └─ /subscriptions/{subId}
     └─ /resourceGroups/{rgName}
         └─ /providers/Microsoft.Storage/storageAccounts/{accountName}

Built‑in Roles

Azure includes more than 70 built‑in roles. Below are the most common:

Role                        Description
Owner                       Full access to all resources, including access management.
Contributor                 Create and manage all types of Azure resources but cannot grant access to others.
Reader                      View existing resources.
User Access Administrator   Manage user access to Azure resources.

Custom Roles

Define a role tailored to your organization by specifying a set of actions. Use Azure CLI, PowerShell, or the portal.

{
  "Name": "Network Reader",
  "IsCustom": true,
  "Description": "Read network resources",
  "Actions": [
    "Microsoft.Network/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
  ]
}

Role Assignments

Assign a role to a security principal at a chosen scope.

Using Azure CLI

az role assignment create \
  --assignee user@example.com \
  --role "Network Reader" \
  --scope /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/MyRG

Using PowerShell

# $sp holds the service principal to assign (for example, the result of Get-AzADServicePrincipal)
New-AzRoleAssignment -ObjectId $sp.ObjectId `
    -RoleDefinitionName "Network Reader" `
    -Scope "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/MyRG"

Best Practices

  • Apply the principle of least privilege.
  • Use built‑in roles when possible.
  • Group users with Azure AD groups and assign roles to groups.
  • Regularly audit role assignments.
  • Leverage resource locks for critical resources.

Troubleshooting

If a principal cannot perform an expected action, verify the following:

  1. Confirm the role assignment exists at the correct scope.
  2. Check that the role includes the required actions.
  3. Ensure there are no deny assignments that override the role.
  4. Check for a stale cached token (it may predate the assignment) and re‑authenticate if needed.
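As an added example (not part of this page or of Microsoft's tooling), the Python below replays checks 1 to 3 offline against constructed role definitions, role assignments and one deny assignment, applying Azure's evaluation rules: scope inheritance down the hierarchy, effective permissions as Actions minus NotActions with the "*" wildcard, and deny assignments overriding any allow. The record shapes and the subscription ID are simplified assumptions, not the exact output of az role assignment list.

```python
from fnmatch import fnmatchcase

# Constructed data (assumption: simplified shapes, not the exact `az` JSON).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLES = {  # role name -> Actions / NotActions, as in a role definition
    "Network Reader": {"Actions": ["Microsoft.Network/*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
}
ASSIGNMENTS = [  # who holds which role at which scope
    {"principal": "alice@example.com", "role": "Network Reader", "scope": SUB},
    {"principal": "bob@example.com", "role": "Contributor",
     "scope": SUB + "/resourceGroups/MyRG"},
]
DENIES = [  # a deny assignment blocking network writes in MyRG for bob
    {"principals": ["bob@example.com"], "scope": SUB + "/resourceGroups/MyRG",
     "actions": ["Microsoft.Network/*/write"], "notActions": []},
]

def in_scope(assignment_scope: str, target_scope: str) -> bool:
    """Scopes inherit downward: an assignment at a subscription covers its
    resource groups and resources. Compare on segment boundaries, case-insensitively."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches(patterns, action: str) -> bool:
    """Azure action strings use '*' as a wildcard and compare case-insensitively."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role: str, action: str) -> bool:
    """Effective permissions of a role are Actions minus NotActions."""
    d = ROLES[role]
    return matches(d["Actions"], action) and not matches(d["NotActions"], action)

def can_perform(principal: str, action: str, scope: str) -> str:
    """Return 'denied' (a deny assignment always wins), 'allowed', or 'no-assignment'."""
    for deny in DENIES:
        if (principal in deny["principals"] and in_scope(deny["scope"], scope)
                and matches(deny["actions"], action)
                and not matches(deny["notActions"], action)):
            return "denied"
    for asg in ASSIGNMENTS:
        if (asg["principal"] == principal and in_scope(asg["scope"], scope)
                and role_permits(asg["role"], action)):
            return "allowed"
    return "no-assignment"
```

Call can_perform(principal, action, scope) with the constructed tables swapped for the real role definition, assignment and deny-assignment listings to see which of the three checks explains an unexpected failure.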

Diagnostic Command

az role assignment list --assignee user@example.com --all