Microsoft Docs

Introduction to Role Assignments

Azure role assignments are the mechanism used to grant access to Azure resources. They are a fundamental part of Azure's security model, allowing you to control who can do what on which resources.

A role assignment consists of three elements:

• Security Principal: The identity to which access is granted (e.g., a user, group, service principal, or managed identity).
• Role Definition: A collection of permissions that defines what actions can be performed on resources. Azure has built-in roles (e.g., Owner, Contributor, Reader) and allows you to create custom roles.
• Scope: The set of resources over which the access applies (e.g., a subscription, resource group, or individual resource).

Understanding Role-Based Access Control (RBAC)

Azure RBAC is the system that manages access to Azure resources. It works by associating roles with users, groups, service principals, or managed identities at a particular scope. This ensures that users have only the permissions they need to perform their jobs.

Key concepts in RBAC:

• Permissions: Specific operations that can be performed, such as reading a virtual machine or creating a storage account.
• Roles: Collections of permissions. Built-in roles are curated by Microsoft, while custom roles can be created for more granular control.
• Scope: The level at which access is granted. This can be set at various levels, from the entire subscription down to a single resource.

Common Built-in Roles:

Creating Role Assignments

Role assignments can be created using the Azure portal, Azure CLI, Azure PowerShell, or REST APIs.

Using the Azure Portal:

1. Navigate to the resource, resource group, or subscription where you want to grant access.
2. In the left-hand menu, select Access control (IAM).
3. Click Add, then select Add role assignment.
4. Choose the role you want to assign from the list.
5. Select the members (users, groups, service principals) who will be assigned the role.
6. Click Save.

Using Azure CLI:

az role assignment create --role "Reader" --assignee "user@example.com" --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"

Using Azure PowerShell:

New-AzRoleAssignment -SignInName "user@example.com" -RoleDefinitionName "Reader" -Scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"

Managing Role Assignments

Once role assignments are created, you can view, modify, or delete them. The Access control (IAM) blade in the Azure portal is the primary interface for managing these assignments.

You can filter role assignments by role, assignee, or scope to quickly find specific permissions.

Best Practices for Role Assignments

• Principle of Least Privilege: Grant only the necessary permissions for users and applications to perform their tasks. Avoid assigning overly broad roles like Owner or Contributor unless absolutely required.
• Use Groups: Assign roles to Azure AD groups rather than individual users. This simplifies management by allowing you to manage membership in the group.
• Scope Appropriately: Assign roles at the narrowest possible scope. For example, if a user only needs access to a specific resource group, assign the role at that resource group level, not at the subscription level.
• Regular Reviews: Periodically audit and review role assignments to ensure they are still relevant and compliant with security policies.
• Use Built-in Roles First: Leverage Azure's built-in roles whenever possible. Create custom roles only when existing roles do not meet your specific requirements.
• Secure Service Principals: Treat service principals with sensitive permissions as credentials and manage them securely.