This chapter covers Azure Role-Based Access Control (RBAC) role assignments at scale, a critical topic for the AZ-500 exam under Domain: Identity Access, Objective 1.1. You will learn how to design, implement, and manage RBAC assignments across large Azure environments, including best practices for using built-in and custom roles, scoping strategies, and automation. Approximately 15-20% of AZ-500 questions touch RBAC, making it one of the highest-weighted topics in the exam. Mastery of this chapter will help you answer scenario-based questions on least privilege, role assignment limits, and troubleshooting denied access.
Jump to a section
Imagine a large library with different sections: reference, children's, rare books, and digital archives. Each patron gets a library card (the security principal: user, group, or service principal). The card has no inherent permissions—it's just an ID. The library uses a centralized system where librarians (Azure RBAC) assign roles to cards. A role is like a job description: 'Shelf Organizer' can re-shelve books in any section but cannot check books out; 'Reference Librarian' can add new reference books and help patrons but cannot enter the rare books vault. These roles are assigned at a scope: the entire library (management group), a floor (subscription), or a single shelf (resource group). When a patron tries to enter the rare books section, the guard checks the card's roles at the rare books scope. If the card has 'Rare Books Access' assigned at the library level, entry is granted. If not, the guard checks parent scopes—if the card has 'Rare Books Access' at the floor scope, it applies to all shelves on that floor. This inheritance means a role assigned at a higher scope trickles down to all child scopes unless explicitly blocked (deny assignments). The guard never checks the card's identity alone—only the roles attached to it at the relevant scope. This is exactly how Azure RBAC works: role assignments are the binding between a principal, a role definition (set of actions), and a scope. Assignments are evaluated at the scope of the resource, with inheritance from higher scopes. Deny assignments override allow assignments, similar to a library rule that says 'No one, not even the director, may remove rare books from the building.'
What is Azure RBAC and Why It Exists
Azure RBAC is an authorization system built on Azure Resource Manager (ARM) that provides fine-grained access management for Azure resources. Unlike Azure Active Directory (Azure AD) authentication (who you are), RBAC controls authorization (what you can do). It is the primary mechanism for enforcing the principle of least privilege in Azure. The exam expects you to understand that RBAC is not a firewall or network control; it governs control-plane operations—actions performed via Azure Portal, Azure CLI, PowerShell, or REST API against the Azure Resource Manager endpoint. Data-plane operations (e.g., reading a blob in a storage account) require additional authorization mechanisms like storage account keys or Azure AD authentication with RBAC for data operations.
How RBAC Works Internally
Every RBAC decision involves three components: a security principal, a role definition, and a scope. When a principal makes a request to ARM, the authorization system evaluates all applicable role assignments. The evaluation process:
Collect assignments: ARM gathers all role assignments that include the principal (directly or via group membership) at the target resource's scope and all parent scopes (resource group, subscription, management group).
Calculate effective permissions: For each role definition, ARM extracts the Actions, NotActions, DataActions, and NotDataActions. The effective permissions are Actions - NotActions for each role, then combined across roles (union of allowed actions minus any deny assignments).
Deny assignments: Explicit deny assignments are evaluated last and override any allows. Deny assignments can be created by Azure Blueprints, Azure Policy, or custom deny assignments (via REST API or Azure CLI).
Match request action: ARM checks if the requested action (e.g., Microsoft.Compute/virtualMachines/read) is in the effective allowed set. If yes, access is granted; otherwise, denied.
Role assignments are stored in the ARM metadata store and replicated globally. There is no caching delay—changes are effective within a few minutes (typically 5 minutes, but can be up to 30 minutes in rare cases). The exam may test that role assignment changes are eventually consistent.
Key Components, Values, and Defaults
Security Principals:
User (Azure AD user)
Group (Azure AD security group or Microsoft 365 group)
Service Principal (application or managed identity)
Managed Identity (system-assigned or user-assigned)
Role Definitions:
Built-in roles: Over 70 roles, including Owner, Contributor, Reader, User Access Administrator, etc.
Custom roles: Defined by you with specific Actions, NotActions, DataActions, NotDataActions, and AssignableScopes. Custom roles can be created at subscription or management group scope only (not resource group).
Scopes:
Management Group (root or child)
Subscription
Resource Group
Individual Resource (e.g., a specific VM, storage account, etc.)
Role Assignment Limits:
Maximum 2,000 role assignments per subscription (including assignments at management group, subscription, resource group, and resource scopes). This is a soft limit and can be increased by support request.
Maximum 500 custom roles per tenant.
Maximum 100 role assignments at management group scope.
Maximum 100 role assignments at subscription scope (this is a limit on the number of assignments, not the number of principals).
Default Values:
No default role assignments are created automatically (except the tenant root group has default assignments for the Global Administrator and User Access Administrator roles).
When you create a new subscription, the creator gets the Owner role at the subscription scope.
Configuration and Verification Commands
Azure CLI:
# Create a role assignment
az role assignment create --assignee "user@contoso.com" --role "Contributor" --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG"
# List role assignments for a user
az role assignment list --assignee "user@contoso.com" --all
# List role definitions
az role definition list --name "Contributor"
# Create a custom role
az role definition create --role-definition '{"Name": "Custom VM Operator", "Description": "Can manage VMs but not network", "Actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/read"], "NotActions": ["Microsoft.Compute/virtualMachines/delete"], "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]}'PowerShell:
# Create a role assignment
New-AzRoleAssignment -SignInName "user@contoso.com" -RoleDefinitionName "Contributor" -ResourceGroupName "MyRG"
# Get role assignments
Get-AzRoleAssignment -SignInName "user@contoso.com"Azure Portal:
Navigate to the resource (or scope) -> Access control (IAM) -> Add role assignment.
To view effective permissions, use the "Check access" tab (for users) or "View my permissions" (for yourself).
How RBAC Interacts with Related Technologies
Azure Policy: Policy enforces rules on resource configurations (e.g., tags, locations). RBAC controls who can create or modify resources. They work together: a user with Contributor role can create a VM, but if a policy denies creation without a specific tag, the policy will block it.
Azure AD Privileged Identity Management (PIM): PIM provides just-in-time (JIT) activation of Azure AD roles (e.g., Global Administrator) and Azure RBAC roles (e.g., Contributor). PIM does not replace RBAC; it adds time-bound activation and approval workflows for role assignments.
Azure Blueprints: Blueprints can create role assignments as part of blueprint artifacts. These assignments are treated as regular RBAC assignments but can be locked (deny assignments) to prevent modification.
Azure Resource Manager Locks: Locks (ReadOnly or Delete) are not RBAC—they are a separate system that prevents all users (including Owner) from deleting or modifying a resource. Locks override RBAC permissions.
Trap Patterns for the Exam
Inheritance confusion: Candidates often think a role assigned at a resource group applies to resources in that group but NOT to the resource group itself. Actually, it applies to the resource group and all resources within it (because the resource group is a parent scope). But a role assigned at the resource scope does NOT apply to the resource group.
Data vs Control Plane: Many candidates mistakenly believe RBAC controls access to data within a resource (e.g., reading a blob). For storage, you need separate RBAC roles for data operations (e.g., Storage Blob Data Reader) or use access keys. The exam will test this distinction.
Deny assignments override: A deny assignment created by Azure Policy (e.g., policy with 'Deny' effect) cannot be overridden by any role assignment, even Owner. Candidates may think Owner can bypass policy.
Role assignment limits: The 2,000 assignments per subscription limit catches many off guard. They may think it's per resource group or per user.
Custom role scope restriction: Custom roles can only be created with AssignableScopes at management group or subscription level (not resource group). This is a common wrong answer on the exam.
Advanced: Role Assignment at Scale
In large enterprises, manually assigning roles to individual users is impractical. Best practices include:
Use Azure AD groups for role assignments: assign the role to a group, then manage group membership. This allows centralized management and reduces the number of role assignments.
Use PIM for privileged roles: activate roles only when needed.
Use Azure Policy to audit role assignments: create a policy that audits the existence of certain role assignments (e.g., no Owner assignments at subscription scope except for break-glass accounts).
Use automation (Azure CLI, PowerShell, or ARM templates) to deploy role assignments consistently across environments.
For example, to assign the Reader role to a group at multiple subscriptions, you could loop through subscriptions with a script:
subscriptions=$(az account list --query "[].id" -o tsv)
for sub in $subscriptions; do
az role assignment create --assignee "group-id" --role "Reader" --scope "/subscriptions/$sub"
doneAzure also supports Azure Lighthouse for managing RBAC across tenants (e.g., managed service providers).
Identify Security Principal
Determine the security principal that needs access. This could be a user, a group (Azure AD security group or Microsoft 365 group), a service principal (application), or a managed identity. For large-scale deployments, always prefer groups over individual users to minimize the number of role assignments and simplify management. For example, create an 'Engineering-Contributors' group and assign the Contributor role to that group at the subscription scope. Then add or remove users from the group as needed. The exam will test that using groups reduces the number of role assignments and helps avoid hitting the 2,000 assignment limit.
Select Role Definition
Choose the appropriate built-in or custom role that grants the minimum required permissions. Start with built-in roles (Reader, Contributor, Owner) and only create custom roles if necessary. Custom roles require careful definition of Actions and NotActions. Remember that custom roles can only be defined with AssignableScopes at management group or subscription scope (not resource group). The exam often presents scenarios where a custom role is needed because no built-in role provides exactly the required permissions. For example, a role that allows starting/stopping VMs but not deleting them would require a custom role.
Define Scope
Specify the scope at which the role assignment applies: management group, subscription, resource group, or individual resource. The scope determines inheritance. A role assigned at a management group applies to all child management groups, subscriptions, resource groups, and resources. A role assigned at a subscription applies to all resource groups and resources in that subscription. A role assigned at a resource group applies to that resource group and all resources within it, but not to the subscription. A role assigned at a resource applies only to that resource. The exam will test that you understand inheritance and that you can choose the correct scope to achieve least privilege without creating excessive assignments.
Create Role Assignment
Use Azure Portal, Azure CLI, PowerShell, or ARM template to create the role assignment. The command binds the principal, role, and scope. For example, using CLI: `az role assignment create --assignee <object-id> --role "Contributor" --scope "/subscriptions/<sub-id>/resourceGroups/MyRG"`. After creation, the assignment is stored in ARM and replicated. Changes are eventually consistent within 5 minutes (up to 30 minutes). The exam may ask about the propagation delay. Also, note that you cannot create a role assignment for a principal that does not exist in Azure AD (e.g., a user from another tenant unless guest invited).
Verify and Audit
After creating the assignment, verify it using the 'Check access' blade in the Azure Portal or by running `az role assignment list --assignee <user> --all`. Audit existing assignments regularly using Azure Policy or Azure Monitor. For example, you can create a policy that audits whether there are any Owner assignments at subscription scope (except for emergency accounts). The exam may test that you can use the 'Effective permissions' tab to see what a user can actually do, considering inheritance and deny assignments. Also, remember that role assignments are not automatically removed when a user leaves; you must manually delete them.
Enterprise Scenario 1: Large Enterprise with Hundreds of Subscriptions
A multinational company with 500 subscriptions uses Azure RBAC to manage access. They create a management group hierarchy: Root -> Business Units (e.g., Finance, Engineering) -> Departments -> Subscriptions. They assign the Reader role to a central audit group at the Root management group so auditors can read all resources across the entire tenant. They assign Contributor to development teams at their respective department management groups. This reduces the total number of role assignments from potentially thousands to a few hundred. However, they must be careful: assigning a role at a high scope grants permissions to all child subscriptions, which may violate least privilege. They mitigate by using Azure Policy to deny certain actions even for Contributors (e.g., deny creation of public IPs). They also use PIM for privileged roles like Owner at the subscription scope, requiring approval for activation.
Enterprise Scenario 2: Managed Service Provider (MSP) Using Azure Lighthouse
An MSP manages multiple customer tenants. They use Azure Lighthouse to delegate access to customer subscriptions. For each customer, they create a role assignment at the subscription scope using the built-in 'Managed Services Registration Assignment Delete' role (which allows managing delegated resources). They assign this role to a group in the MSP's tenant that contains their engineers. This allows engineers to manage customer resources without needing separate accounts in each customer tenant. The key challenge is tracking which customers have delegated which subscriptions. They use Azure Policy to audit that only approved groups have the delegated role. Misconfiguration often occurs when the MSP assigns the Owner role instead of a more limited role, giving themselves excessive permissions.
Enterprise Scenario 3: Automation with Managed Identities
A company runs a microservices application on Azure Kubernetes Service (AKS). Each microservice needs to access specific Azure resources (e.g., a storage account or Key Vault). They assign a user-assigned managed identity to each pod (via AKS pod identity) and then create RBAC role assignments for that managed identity at the resource scope (e.g., Storage Blob Data Contributor on a specific storage account). This avoids storing credentials in code. A common mistake is assigning the managed identity a broad role like Contributor at the subscription scope, which violates least privilege. Instead, they create custom roles with only the necessary data actions (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/read). Performance is not an issue because RBAC evaluation is fast, but they must ensure the managed identity's role assignment exists before the pod starts. They automate role assignment creation using Terraform or ARM templates as part of the infrastructure deployment.
What AZ-500 Tests on This Topic
AZ-500 Objective 1.1: 'Manage access control in Azure' includes RBAC role assignments. The exam tests:
Understanding of scope inheritance and effective permissions.
Ability to create custom roles with correct Actions/NotActions.
Knowledge of role assignment limits (2,000 per subscription, 500 custom roles per tenant).
Distinction between RBAC (control plane) and data-plane authorization.
Use of Azure AD groups for role assignments to reduce administrative overhead.
Integration with PIM for just-in-time access.
Deny assignments and how they override role assignments.
Common Wrong Answers and Why Candidates Choose Them
'Assign the Owner role to a user at the resource group scope to allow them to manage resources but not delete the resource group.' Wrong because Owner can delete the resource group. The correct role would be Contributor (or custom). Candidates confuse Owner with Contributor.
'You can create a custom role with AssignableScopes at the resource group scope.' Wrong because custom roles must be assignable at management group or subscription scope. Candidates think they can limit custom role availability to a resource group.
'Role assignments take effect immediately.' Wrong because they are eventually consistent; the exam says 'up to 5 minutes' or 'up to 30 minutes'. Candidates assume instant propagation.
'RBAC controls access to data within a storage account.' Wrong unless using the specific data roles (Storage Blob Data Owner, etc.). Candidates confuse control plane (management) with data plane.
Specific Numbers and Terms That Appear Verbatim
2,000 role assignments per subscription.
500 custom roles per tenant.
100 role assignments at management group scope.
5 minutes typical propagation, up to 30 minutes.
Built-in roles: Owner, Contributor, Reader, User Access Administrator, etc.
Custom role properties: Actions, NotActions, DataActions, NotDataActions, AssignableScopes.
Edge Cases and Exceptions
Classic administrators: Co-Administrator and Service Administrator are legacy roles that grant full access. They are not managed via RBAC and can only be changed in the classic portal or via Azure AD.
Root management group: The root management group has default assignments for Global Administrators and User Access Administrators. These cannot be removed but can be overridden by deny assignments.
Role assignments for service principals: If a service principal is deleted and recreated (same app ID but new object ID), existing role assignments become orphaned. You must reassign.
Cross-tenant assignments: RBAC assignments can only be made for principals within the same tenant (or guest users from another tenant). For cross-tenant management, use Azure Lighthouse.
How to Eliminate Wrong Answers
If a question asks about granting permissions to read a blob, the answer must involve a data role (Storage Blob Data Reader) or a storage account key. Any answer that only mentions Contributor or Reader is wrong.
If a question mentions 'least privilege' and 'manage VMs but not delete', eliminate Owner and Contributor. Look for a custom role that includes start/stop/restart but excludes delete.
If a question asks about reducing the number of role assignments, the answer should involve using Azure AD groups or assigning roles at higher scopes (e.g., management group).
If a question involves deny assignments, remember that deny always wins, even over Owner.
Azure RBAC is an authorization system for control-plane operations via Azure Resource Manager.
A role assignment binds a security principal (user, group, service principal, managed identity) to a role definition at a scope.
Role definitions consist of Actions, NotActions, DataActions, and NotDataActions.
Inheritance flows from management group down to resource. A role assigned at a parent scope applies to all child scopes.
Deny assignments override any allow assignments, even Owner.
Maximum 2,000 role assignments per subscription (soft limit).
Maximum 500 custom roles per tenant.
Custom roles can only be created with AssignableScopes at management group or subscription scope.
Use Azure AD groups for role assignments to reduce administrative overhead and stay within limits.
RBAC changes are eventually consistent, typically within 5 minutes (up to 30).
Data-plane operations require separate RBAC roles with DataActions (e.g., Storage Blob Data Reader) or resource-specific authentication.
Azure Policy can deny actions even if RBAC allows them; deny always wins.
These come up on the exam all the time. Here's how to tell them apart.
Azure RBAC
Controls who can perform actions on resources (authorization).
Role assignments are principal-role-scope bindings.
Inherits downward from higher scopes.
Effective permissions are union of all allowed roles minus denies.
Used for access control and least privilege.
Azure Policy
Controls what resource configurations are allowed (compliance).
Policy definitions contain rules (if-then) applied to resource types.
Inherits downward (assign to scope, applies to all child resources).
Policy effects (Deny, Audit, Append, etc.) are evaluated during resource creation/update.
Used for governance, tagging, location restrictions, etc.
Azure RBAC (Control Plane)
Authorizes management operations via ARM (e.g., create VM).
Uses built-in or custom roles with Actions/NotActions.
Scoped to management group, subscription, resource group, or resource.
Does not require Azure AD token for data access.
Example: Contributor role allows creating a storage account.
Azure AD Authentication for Data Plane
Authorizes data operations (e.g., read blob, write to SQL database).
Uses RBAC roles with DataActions (e.g., Storage Blob Data Reader).
Scoped to individual resource (e.g., storage account).
Requires Azure AD authentication (OAuth2 token).
Example: Storage Blob Data Contributor allows reading/writing blobs.
Mistake
RBAC permissions are inherited from resource to resource group.
Correct
Inheritance flows downward: from management group to subscription to resource group to resource. A role assigned at a resource group applies to all resources in that group, but a role assigned at a resource does NOT apply to the resource group or any other resource.
Mistake
Custom roles can be created at any scope.
Correct
Custom roles can only be created with AssignableScopes at management group or subscription scope. They cannot be created at resource group or resource scope. However, once created, they can be assigned at any scope that is within the AssignableScopes.
Mistake
The Owner role can do everything, including bypassing Azure Policy.
Correct
Azure Policy with 'Deny' effect blocks all users, including Owner. Only Azure Policy itself can override its own deny effect. Owner cannot delete a resource if a policy denies deletion.
Mistake
Role assignments are always effective immediately.
Correct
RBAC changes are eventually consistent. They typically propagate within 5 minutes but can take up to 30 minutes. The exam expects you to know this delay.
Mistake
RBAC controls access to data inside a storage account (e.g., reading a blob).
Correct
By default, RBAC only controls management-plane operations (e.g., creating a storage account). To control data-plane operations, you must use Azure AD authentication with specific data roles (e.g., Storage Blob Data Reader) or use access keys.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure AD roles (e.g., Global Administrator) manage access to Azure AD resources (users, groups, etc.) and are assigned at the tenant level. Azure RBAC roles manage access to Azure resources (VMs, storage, etc.) and are assigned at a specific scope (management group, subscription, resource group, or resource). They are separate systems, though Azure AD roles like Global Administrator have some Azure RBAC permissions by default (e.g., full access to all subscriptions). For the exam, remember that Azure AD roles are for identity management, while Azure RBAC is for resource management.
The maximum is 2,000 role assignments per subscription. This includes assignments at the management group, subscription, resource group, and resource scopes. If you need more, you can request a limit increase via Azure support. To avoid hitting this limit, use Azure AD groups and assign roles to groups rather than individual users. Also, consider assigning roles at higher scopes (e.g., management group) to reduce the number of assignments.
No. Custom roles must have AssignableScopes set to management group or subscription scope. They cannot be scoped to a resource group or resource. However, you can restrict who can assign the role by using Azure AD Privileged Identity Management (PIM) or by limiting the role assignment itself to a specific scope. For example, you can create a custom role at subscription scope and then assign it only to a particular resource group.
Assign the Reader role at the storage account scope. The Reader role includes Microsoft.Storage/storageAccounts/read but does not include any DataActions. To read blobs, the user would need a data role like Storage Blob Data Reader. So with only Reader, they can see the storage account properties but cannot access blob data. This is a common exam scenario: distinguishing between control-plane and data-plane permissions.
The user loses the permissions granted by that role assignment. Azure RBAC evaluates group membership at the time of access. There is no caching of group membership beyond the typical propagation delay (up to 5 minutes). So removing a user from a group effectively revokes their access after propagation. This is why using groups is recommended—it simplifies permission management.
No, Azure Policy cannot create role assignments. Policy can audit existing assignments or deny actions, but it cannot create assignments. To automate role assignments, use Azure Blueprints (which can include role assignment artifacts), ARM templates, Azure CLI, PowerShell, or Terraform. Azure Policy can be used to enforce that certain role assignments exist (via audit or deployIfNotExists effect), but the actual creation is done by other tools.
A deny assignment explicitly denies specific actions, overriding any allow. It is created by Azure Policy (with 'Deny' effect) or Azure Blueprints (with locking). NotActions in a role definition are subtractive: they remove specific actions from the allowed set of that role. But another role assignment could still allow those actions. Deny assignments are absolute and cannot be overridden by any allow. For example, if a role has Microsoft.Compute/virtualMachines/delete in NotActions, that role cannot delete VMs, but if the user also has another role that allows delete, they can. A deny assignment would block delete regardless of other roles.
You've just covered Azure RBAC Role Assignments at Scale — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?