Azure Fundamentals (AZ-900)

Last Updated: 1/10/2023

Azure Role Based Access Control

  • The principle of least privilege says you should only grant access up to the level needed to complete a task.
  • Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created or new people join the team, Azure enables you to control access through Azure role-based access control (Azure RBAC).
  • Azure provides built-in roles that describe common access rules for cloud resources.
  • You can also define your own roles.
  • Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all the associated access permissions.

Role-based access control to resources

  • Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.
  • Scopes include:
    • A management group (a collection of multiple subscriptions).
    • A single subscription.
    • A resource group.
    • A single resource.
  • Observers, users managing resources, admins, and automated processes illustrate the kinds of users or accounts that would typically be assigned each of the various roles.
  • Azure RBAC is hierarchical, in that when you grant access at a parent scope, those permissions are inherited by all child scopes. For example:
    • When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
    • When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.

Enforce Azure RBAC

  • Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.
  • You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI.
  • Azure RBAC doesn't enforce access permissions at the application or data level.
  • Application security must be handled by your application.
  • Azure RBAC uses an allow model. When you're assigned a role, Azure RBAC allows you to perform actions within the scope of that role. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
Previous
Next