How to Use Azure Role Based Access Control

When it comes to Azure security there are several options available; in this blog post I’ll cover Role Based Access Control (RBAC for short).

RBAC is about giving access to Azure resources at a granular level: you can grant access at the subscription, all the way down to a single resource within that subscription. This is ideal when you have a lot of Azure resources and only want to give someone access to one virtual machine, or read-only access to, say, a single storage account.

Azure has built-in roles which you can assign; the most common of these roles are as follows: –

  • Owner – Has full access to all resources including the right to delegate access to others.
  • Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
  • Reader – Can view existing Azure resources.
  • User Access Administrator – Lets you manage user access to Azure resources.

You can also create your own custom roles, each built from whichever individual permissions (actions) you choose.

RBAC works by assigning a role to what’s known as a security principal, in other words a user, group, service principal or managed identity.

RBAC is made up of role definitions, and each role definition is a list of actions (the operations it permits). Billing Reader, for example, is a role definition whose actions grant the user read access to billing data. The list of roles is shown below: –

The last thing we need to touch on is the scope at which a role is assigned. Assignments are inherited downwards (a role assigned at a subscription applies to every resource group and resource inside it), so pick the narrowest of the following levels that does the job: –

  • Management Group Level
  • Subscription Level
  • Resource Group Level
  • Resource Level
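As an added example, not from the original post, here is what a custom role looks like in practice: the role definition is nothing more than a list of actions, NotActions carve exceptions out of them, and AssignableScopes limits the scopes at which the role may be assigned. The script lints the definition for least privilege before creating it with the Azure CLI. The subscription id is a placeholder, the role name and action list are my own choice for a VM operator, and DRY_RUN=1 (the default) prints the az command instead of running it.

```shell
#!/bin/sh
# Added example (not the post's own code): define a custom role from
# individual actions, lint it for least privilege, then create it with az.
# SUBSCRIPTION_ID is a placeholder; DRY_RUN=1 prints commands instead of
# running them.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# A role definition is just a list of actions. Actions grant operations,
# NotActions subtract from them, and AssignableScopes limits where the role
# may be assigned (here: only inside this one subscription).
vm_operator_role() {
  cat <<EOF
{
  "Name": "VM Operator (demo)",
  "Description": "Read VMs and start, restart or deallocate them; no create or delete.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Least-privilege lint on the JSON read from stdin. Rejects "*" or any
# "provider/*" wildcard, and any Microsoft.Authorization/ action: a role that
# can write role assignments lets its holder grant themselves Owner.
role_is_least_privilege() {
  if grep -Eq '"(\*|[^"]*/\*)"|"Microsoft\.Authorization/'; then
    return 1
  fi
  return 0
}

create_role() {
  tmp=$(mktemp)
  vm_operator_role > "$tmp"
  if ! role_is_least_privilege < "$tmp"; then
    echo "refusing: role contains a wildcard or an authorization action" >&2
    rm -f "$tmp"
    return 1
  fi
  # az accepts the definition as @file or as an inline JSON string.
  run az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
}
create_role
```

Run with DRY_RUN=0 and a real SUBSCRIPTION_ID to create the role; afterwards it appears under Access Control (IAM) alongside the built-in roles and is assigned exactly the same way. The lint is deliberately strict: if you genuinely need a wildcard, loosen it knowingly rather than by accident.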

At work we normally give people on the project Contributor access to a resource group or groups, and normally one, maybe two at most, are Owners of the subscription. If we wish to give someone read-only access to view resources, then we make them a Reader.

If we are working on a project and want to give a new dev Contributor access to a resource group, then I would log in as an Owner, find the subscription, choose the subscription, select Access Control (IAM), and then Add a Role Assignment.
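The same grant from the Azure CLI, as an added example rather than the post’s own steps. It makes the assignment at the resource group’s own scope, which is what keeps the grant to that one group instead of the whole subscription, and then lists everything the user now holds so an unintended wider grant would be visible in the same output. SUBSCRIPTION_ID, RESOURCE_GROUP and DEV_UPN are placeholders you replace; DRY_RUN=1 (the default) prints the az commands instead of running them.

```shell
#!/bin/sh
# Added example (not the post's portal steps): give one developer Contributor
# on a single resource group, then verify what they hold. The three values
# below are placeholders; DRY_RUN=1 prints commands instead of running them.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-project-dev}"
DEV_UPN="${DEV_UPN:-newdev@example.com}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Scope string for a resource group. Assigning at this scope, not at the
# subscription, is what limits the grant to that one group.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Guard: an empty variable or typo must not silently widen the scope to the
# whole subscription (or to "/", the whole tenant).
scope_is_resource_group() {
  case "$1" in
    /subscriptions/?*/resourceGroups/?*) return 0 ;;
    *) return 1 ;;
  esac
}

assign_contributor() {
  scope=$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")
  if ! scope_is_resource_group "$scope"; then
    echo "refusing: scope is not a resource group: $scope" >&2
    return 1
  fi
  # Resolve the user to an object id first so the assignment targets exactly
  # one principal; --assignee-object-id works the same for service principals.
  if [ "$DRY_RUN" = 1 ]; then
    oid="<object id of $DEV_UPN>"
  else
    oid=$(az ad user show --id "$DEV_UPN" --query id -o tsv)
  fi
  run az role assignment create \
    --assignee-object-id "$oid" \
    --assignee-principal-type User \
    --role Contributor \
    --scope "$scope"
  # Verify: every assignment the user holds in the subscription, including
  # ones inherited from parent scopes, so a stray subscription-wide grant
  # shows up in the same listing.
  run az role assignment list --assignee "$oid" --all --include-inherited -o table
}
assign_contributor
```

The verification step matters because of inheritance: a Contributor assignment made at the subscription by someone else would not be visible on the resource group’s own IAM blade unless you look at inherited assignments, but it appears in this listing.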

You can also set up alerts for when an Owner (or User Access Administrator) gives some other user access to your Azure resources. Each grant is recorded in the Activity Log as the operation Microsoft.Authorization/roleAssignments/write, which is what the alert rule should match.
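As an added example, not from the original post, this creates Activity Log alert rules for role assignments being written and removed anywhere in the subscription, and then queries the same log for grants made before the alert existed. SUBSCRIPTION_ID, MONITOR_RG and ACTION_GROUP are placeholders, and the action group (who gets notified) is assumed to exist already; DRY_RUN=1 (the default) prints the az commands instead of running them.

```shell
#!/bin/sh
# Added example (not the post's own code): alert on role assignment changes
# and list recent grants. SUBSCRIPTION_ID, MONITOR_RG and ACTION_GROUP are
# placeholders; the action group is assumed to exist. DRY_RUN=1 prints
# commands instead of running them.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
MONITOR_RG="${MONITOR_RG:-rg-monitoring}"
ACTION_GROUP="${ACTION_GROUP:-ag-security}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The Activity Log operation names behind "someone granted / removed access".
RBAC_WRITE_OP="Microsoft.Authorization/roleAssignments/write"
RBAC_DELETE_OP="Microsoft.Authorization/roleAssignments/delete"

# One alert rule per operation, scoped to the whole subscription so that
# grants at any resource group or resource are caught as well.
create_rbac_alert() {
  name=$1
  op=$2
  run az monitor activity-log alert create \
    --name "$name" \
    --resource-group "$MONITOR_RG" \
    --scope "/subscriptions/$SUBSCRIPTION_ID" \
    --condition "category=Administrative and operationName=$op" \
    --action-group "$ACTION_GROUP" \
    --description "Role assignment changed: $op"
}

# Backfill: who granted what in the last 30 days, read from the same log.
recent_grants() {
  run az monitor activity-log list \
    --offset 30d \
    --query "[?operationName.value=='$RBAC_WRITE_OP' && status.value=='Succeeded'].{when:eventTimestamp, caller:caller, scope:resourceId}" \
    -o table
}

create_rbac_alert rbac-assignment-created "$RBAC_WRITE_OP"
create_rbac_alert rbac-assignment-removed "$RBAC_DELETE_OP"
recent_grants
```

The delete rule is there because access being removed from a service principal or break-glass account is as worth knowing about as access being added. The Activity Log only retains 90 days, so if you want a longer record of who granted what, send it to a Log Analytics workspace or storage account as well.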
