What is Role-Based Access Control?

Role-based access control (RBAC) facilitates delegated resource administration in Microsoft Azure. It helps you manage who has access to Azure resources. In other words, you can have an IT administrator who has access only to the resources they should have access to, for instance managing a virtual machine, or a service desk employee who should be able to reset user passwords and manage groups in Active Directory.

The way it works

RBAC works by organizing roles around resource permissions: for instance, a Virtual Machine Contributor has access to manage virtual machines, while a Storage Blob Data Reader has only read access to Azure Storage blob containers and their data. Azure has more than 60 built-in role definitions, and these roles vary depending on the specific resource type. For instance, storage accounts have roles that differ from those for virtual machine instances.

Custom Roles

You can also create your own custom role if the 60 built-in roles don't suit your needs. A best practice when creating custom roles is to start from an existing role and modify it with the adjustments you need. Custom roles can be created with PowerShell, the Azure CLI and the REST API. After creation, the custom role appears in the same drop-down list in the Azure Portal as the built-in roles, and in the role list returned from a command line interface.

Where can you apply RBAC?

RBAC permissions can be applied at the following scopes:

  • Management groups
  • Subscriptions
  • Resource groups
  • Individual resources

To whom can you apply RBAC?

RBAC can be assigned to:

  • Users
  • Groups
  • Service principals

RBAC Inheritance

If you give a user access at subscription level, the user will have access to all resource groups and all individual resources within that subscription, so it is important to grant permissions at the right level if you want users to have access only to a specific scope. The best practice rule is to give the user the least privilege needed to get their work done, which can often be achieved at the resource group level.
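As an added example that is not part of the original post, the following Az PowerShell script ties the Custom Roles and RBAC Inheritance sections together: it clones the built-in Virtual Machine Contributor role into a narrower custom role, then assigns that role at resource group scope rather than subscription scope, so the assignee inherits it for that one resource group only. The subscription id, resource group name, group name and custom role name are placeholders, and the script assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): clone a built-in role into a
# least-privilege custom role and assign it at resource group scope.
# Assumptions: Az.Accounts and Az.Resources are installed, Connect-AzAccount has
# been run, and the four values below are placeholders you replace.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-app-prod"                              # placeholder
$groupName      = "sg-vm-operators"                          # placeholder
$customRoleName = "Virtual Machine Operator (custom)"        # placeholder

# 1. Start from an existing built-in role, as the post recommends.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"

# 2. Turn the copy into a new custom role definition.
$role.Id = $null            # a null Id makes New-AzRoleDefinition create rather than update
$role.IsCustom = $true
$role.Name = $customRoleName
$role.Description = "Start, stop and restart VMs; no create/delete, no network or storage changes."

# 3. Narrow the permissions: keep read access plus only the power operations.
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.NotActions.Clear()

# 4. Restrict where this custom role may be assigned at all.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$newRole = New-AzRoleDefinition -Role $role

# 5. Assign the role at resource group scope, not the subscription, so the
#    group inherits it only for resources inside that one resource group.
$group = Get-AzADGroup -DisplayName $groupName
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName $newRole.Name `
                     -ResourceGroupName $resourceGroup

# 6. Verify what the group can do and at which scope.
Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $resourceGroup |
    Format-Table RoleDefinitionName, Scope
```

The Scope column in the final output should show the resource group path, not the bare subscription path, which is the quick check that the assignment did not land one level too high.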

Default roles in Azure

As mentioned above, Azure includes several built-in roles that you can use. The list below contains the four fundamental built-in roles and a few resource-specific roles.

  • Owner – Lets you manage everything, including access to resources.
  • Contributor – Lets you manage resources, but not access to them.
  • Reader – Lets you view everything, but not make any changes.
  • User Access Administrator – Lets you manage user access to Azure resources.
  • Storage Blob Data Reader – Specific to storage accounts.
  • Backup Operator – Lets you manage backup services, except removing backups, creating vaults and giving access to others.
  • Virtual Machine Contributor – Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.

Find the Azure built-in and custom roles

If you want to find all built-in and custom roles, you can run the cmdlets below. They list each role with its description and save the output to a text file. In my case, I saved it to the C:\temp folder; you can also specify your own desired path. This can be useful if you want to look up or search the different roles available.

# Listing the role definitions in the PowerShell window
PS C:\> Get-AzRoleDefinition | Format-Table Name, Description

# Writing the role definitions to a text file
PS C:\> Get-AzRoleDefinition | Format-Table Name, Description > "C:\temp\AzureRoleDefinition.txt"

# Opening the text file in Notepad
PS C:\> Notepad "C:\temp\AzureRoleDefinition.txt"