This chapter covers Azure Role-Based Access Control (RBAC), a fundamental authorization system that grants fine-grained access to Azure resources. RBAC is a core component of Azure identity and security, and understanding it is essential for the AZ-900 exam. This objective area (Manage Azure identities and governance) carries approximately 20-25% of the exam weight, and RBAC questions appear frequently. By the end of this chapter, you will understand how RBAC works, its components, best practices, and common exam traps.
Jump to a section
Imagine you manage a large office building with multiple floors, each floor containing different departments. You want to control who can enter which areas. Instead of giving every employee a master key that opens every door, you issue each person a programmable access card. The card itself doesn't contain permissions; it just has a unique ID. When an employee swipes their card at a door, a central security system checks a list: 'Card 1234 is allowed to enter Floor 2, Room 5 between 9 AM and 5 PM.' The list is managed by a security administrator who assigns roles like 'Finance Team' or 'IT Support' to groups of employees, and then grants those roles access to specific doors. If an employee is promoted, the admin simply changes their role in the central system—no need to reprogram the card. This is exactly how Azure RBAC works: Azure AD is the card system, the role assignment is the access list, and the card is the user's identity token. The key mechanism is that permissions are never stored on the user; they are evaluated at runtime against a central policy. This means you can revoke access instantly by removing the role assignment, without touching the user's device. The building analogy breaks down if you think each card has permissions embedded—Azure RBAC always checks the policy in real time.
What is Role-Based Access Control (RBAC)?
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management for Azure resources. It allows you to grant users, groups, service principals, or managed identities exactly the permissions they need to perform their jobs, following the principle of least privilege. RBAC is not about authentication (verifying who you are); it's about authorization (what you are allowed to do). On the AZ-900 exam, you must understand the difference: Azure AD handles authentication, while RBAC handles authorization.
The Business Problem RBAC Solves
Before RBAC, managing permissions in Azure was cumbersome. Administrators had to either grant full contributor access to everyone (too permissive) or manage access individually using resource-specific access control lists (ACLs) that were inconsistent across services. RBAC provides a unified, role-based model that works across all Azure services (except some data plane operations like blob storage, which use separate authorization). For example, a company might have a team of developers who need to create and manage virtual machines but should not be able to delete the resource group. With RBAC, you assign the 'Virtual Machine Contributor' role to the team at the resource group scope, giving them exactly the needed permissions.
How RBAC Works: The Mechanism Step by Step
Security Principal: A user, group, service principal, or managed identity that requests access to an Azure resource. This is the 'who'.
Role Definition: A collection of permissions, usually called 'actions' (allow) and 'not actions' (deny), written in JSON. For example, the 'Contributor' role includes the action 'Microsoft.Compute/virtualMachines/write' which allows creating or updating VMs.
Scope: The set of resources that the role applies to. Scopes are hierarchical: management group, subscription, resource group, or individual resource. Permissions are inherited from parent to child scopes.
Role Assignment: The process of attaching a role definition to a security principal at a particular scope. This is the actual 'granting' of access. When you assign a role, Azure stores the assignment in Azure Resource Manager and evaluates it at runtime whenever the principal makes a request.
When a security principal attempts to perform an action (e.g., create a VM), Azure Resource Manager checks all role assignments that apply to that principal (including group memberships) at the scope of the target resource. If any assignment includes the required action, the request is allowed. If multiple assignments deny the action, deny takes precedence (explicit deny overrides allow).
Key Components of RBAC
- Built-in Roles: Azure provides over 70 built-in roles, such as Owner, Contributor, Reader, User Access Administrator, and service-specific roles like Virtual Machine Contributor. The most common roles for AZ-900 are: - Owner: Full access to all resources, including the right to delegate access to others. - Contributor: Can create and manage resources but cannot grant access to others. - Reader: Can view resources but cannot make changes. - User Access Administrator: Can manage user access to resources (useful for delegating RBAC management). - Custom Roles: If built-in roles don't meet your needs, you can create custom roles with specific actions. Custom roles are defined in JSON and can be scoped to a subscription or management group. - Azure AD vs. RBAC: Azure AD is the identity provider (authentication); RBAC uses Azure AD objects as security principals but is separate. You can have a user in Azure AD but no RBAC permissions, meaning they can log in but cannot see any resources.
RBAC vs. On-Premises Equivalent
On-premises, you might use Active Directory Domain Services (AD DS) with group policies and ACLs. AD DS uses a flat permission model where permissions are often set directly on files or folders using NTFS permissions. In contrast, Azure RBAC is centralized, role-based, and scoped to Azure resources. RBAC is also more granular: you can grant 'read' access to all VMs in a resource group without affecting other resource types. On-premises, you would need to set ACLs on each VM or use group policies, which is more complex and less flexible. RBAC also supports 'deny assignments' (explicit deny), which are rare in on-premises environments.
Azure Portal and CLI Touchpoints
You can manage RBAC through the Azure portal, Azure CLI, PowerShell, or REST API. In the portal, navigate to any resource, subscription, or resource group, then select 'Access control (IAM)'. Here you can view role assignments, add new ones, or check effective permissions. Using Azure CLI, common commands include:
# Assign the 'Reader' role to a user at the subscription scope
az role assignment create --assignee "user@contoso.com" --role "Reader" --scope "/subscriptions/12345678-1234-1234-1234-123456789abc"
# List all role assignments for a user
az role assignment list --assignee "user@contoso.com"
# Create a custom role
az role definition create --role-definition '{"Name": "My Custom Role", "Description": "Can read and write VMs", "Actions": ["Microsoft.Compute/virtualMachines/*"], "AssignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789abc"]}'Deny Assignments
A deny assignment is a special type of role assignment that explicitly denies actions, even if a role assignment allows them. Deny assignments are created by Azure Blueprints or managed applications, and they take precedence over all allow assignments. For example, if you assign a deny assignment that denies 'Microsoft.Compute/virtualMachines/write', no user can create or modify VMs, even if they are an Owner. Deny assignments are visible in the portal under 'Access control (IAM)' > 'Deny assignments' tab.
Inheritance and Scope
Permissions are inherited from higher scopes to lower scopes. For example, if you assign the 'Reader' role to a user at the subscription scope, they automatically have read access to all resource groups and resources within that subscription. If you then assign the 'Contributor' role at a specific resource group, the user will have Contributor permissions on that resource group (since Contributor includes all Reader permissions plus write actions). However, if you assign a role at a lower scope, it does not affect higher scopes. This hierarchical model is crucial for exam questions: always consider the scope when evaluating effective permissions.
Azure RBAC vs. Azure AD Roles
It's easy to confuse RBAC roles with Azure AD roles (like Global Administrator). Azure AD roles grant permissions to manage Azure AD itself (e.g., reset user passwords, manage groups). RBAC roles grant permissions to manage Azure resources (e.g., VMs, storage accounts). They are separate systems, though both use Azure AD identities. A user can be a Global Administrator in Azure AD but have no RBAC permissions, meaning they can manage Azure AD but cannot see any Azure resources. Conversely, a user can be an RBAC Owner of a subscription but have no Azure AD administrative rights. The exam tests this distinction frequently.
Best Practices
Use groups: Assign roles to Azure AD groups rather than individual users. This simplifies management and follows the principle of least privilege.
Use built-in roles when possible: They cover most scenarios and are maintained by Microsoft.
Apply roles at the highest scope needed: To minimize complexity, assign roles at the resource group or subscription scope rather than at the resource level, unless fine-grained control is required.
Use custom roles only when necessary: Custom roles add complexity and must be maintained.
Regularly review role assignments: Use Azure AD Access Reviews to audit permissions.
Enable Privileged Identity Management (PIM): For just-in-time access to privileged roles.
Identify the Security Principal
Determine who needs access. The security principal can be a user (individual person), a group (collection of users), a service principal (identity for applications), or a managed identity (automatically managed identity for Azure services). For exam purposes, know that groups are preferred over individual users for easier management. When you assign a role to a group, all members of that group inherit the permissions. Behind the scenes, Azure AD stores the group membership, and Azure Resource Manager evaluates it during authorization.
Select the Role Definition
Choose the appropriate role that grants the required permissions. Azure provides built-in roles like Owner, Contributor, Reader, and many service-specific roles. For example, if a user needs to manage virtual machines but not storage, assign the 'Virtual Machine Contributor' role. You can also create custom roles if needed. The role definition is a JSON document that lists allowed actions and not actions. For example, the Reader role has 'Microsoft.Resources/*/read' which allows reading all resource types.
Define the Scope
Specify the scope at which the role assignment applies. Scopes are hierarchical: management group (highest), subscription, resource group, or individual resource (lowest). Permissions are inherited downward. For example, if you assign a role at the subscription scope, it applies to all resource groups and resources in that subscription. If you assign at the resource group scope, it applies only to resources in that group. The exam often tests that inheritance: a role at subscription applies to all child resources.
Create the Role Assignment
Combine the security principal, role definition, and scope to create a role assignment. This can be done via the Azure portal (Access control (IAM) > Add > Add role assignment), Azure CLI, PowerShell, or REST API. When the assignment is created, it is stored in Azure Resource Manager. The change takes effect immediately (within a few seconds). There is no limit on the number of role assignments per subscription, but each assignment is a separate object. For exam: remember that role assignments are not inherited across subscriptions; each subscription is a separate scope.
Verify Effective Permissions
After creating the role assignment, verify that the user has the intended access. You can use the 'Check access' feature in the Azure portal under Access control (IAM) to see a user's effective permissions at a given scope. Alternatively, use Azure CLI: `az role assignment list --assignee user@contoso.com --all`. The effective permissions are the union of all role assignments that apply to the user (including group memberships) at the requested scope. Remember that explicit deny assignments override any allows.
Scenario 1: Development Team Access
A software company has a development team that needs to create and manage virtual machines in a shared subscription. The team also needs to view storage accounts but not modify them. The administrator creates an Azure AD group called 'DevTeam' and adds all developers to it. Then, the administrator assigns the 'Virtual Machine Contributor' role to the group at the subscription scope. This gives all developers the ability to create, start, stop, and delete VMs. However, they cannot access storage accounts (except by reading VM disk storage, which is part of VM management). To allow read access to storage, the administrator also assigns the 'Reader' role at the subscription scope. Now developers have both permissions. If a new developer joins, they are simply added to the 'DevTeam' group, and they automatically get the permissions. If a developer leaves, removing them from the group revokes access instantly. This setup is scalable and follows least privilege. Cost is not directly affected by RBAC, but proper RBAC can reduce security incidents and operational overhead.
Scenario 2: Separation of Duties
A financial services company needs to ensure that no single person can approve and deploy changes to production. They create two custom roles: 'Change Approver' (can approve changes but not deploy) and 'Change Deployer' (can deploy but not approve). They assign these roles to different individuals at the resource group scope for the production environment. Additionally, they use Azure Blueprints to apply a deny assignment that prevents any user from deleting the resource group. This ensures compliance with regulatory requirements. If RBAC is set up incorrectly—for example, if the same person is assigned both roles—the separation of duties is broken. The company uses Azure AD Privileged Identity Management (PIM) to require approval for activating privileged roles, adding another layer of security.
Scenario 3: External Consultant Access
A consulting firm is hired to audit an Azure environment. The administrator needs to give the consultants read-only access to all resources in a subscription but must not allow them to see any secrets or keys. The administrator assigns the 'Reader' role to the consultants' Azure AD guest users at the subscription scope. However, the Reader role includes read access to secrets in Key Vault, which is a problem. To restrict this, the administrator creates a custom role that includes all read actions except 'Microsoft.KeyVault/vaults/secrets/read'. This custom role is then assigned to the consultants. The exam tests that custom roles can be used to fine-tune permissions beyond built-in roles. If the administrator mistakenly assigns the built-in Reader role, the consultants could potentially read secrets, leading to a data breach.
Objective Code: Describe the functionality of Azure RBAC (AZ-900 Objective 2.5)
The exam expects you to understand RBAC's purpose, components, and how it differs from Azure AD roles. You should be able to identify the correct role for a given scenario and recognize the scope hierarchy.
Common Wrong Answers and Why Candidates Choose Them
'RBAC is used for authentication.' Candidates confuse RBAC with Azure AD authentication. RBAC is authorization only. The exam will have a distractor that says 'RBAC verifies user identity'—that is wrong.
'The Owner role can manage resources but cannot grant access.' This is false; Owner can delegate access. Candidates think Owner is like Contributor, but Owner includes 'Microsoft.Authorization/roleAssignments/write'.
'Assigning a role at the resource group scope applies to all subscriptions.' Wrong; scopes are hierarchical but do not cross subscription boundaries. A role at resource group scope applies only to that resource group.
'Custom roles are always better than built-in roles.' False; built-in roles cover most scenarios and are easier to manage. Custom roles add complexity.
Specific Terms and Values That Appear on the Exam
Azure AD vs. RBAC: Know that Azure AD is for identity, RBAC for resource access.
Scope hierarchy: Management group > Subscription > Resource group > Resource.
Deny assignments: Explicit deny overrides allow.
Built-in roles: Owner, Contributor, Reader, User Access Administrator.
Security principals: User, group, service principal, managed identity.
Edge Cases and Tricky Distinctions
Inheritance: A role assigned at subscription scope applies to all resource groups and resources in that subscription. But if a role is assigned at resource group scope, it does NOT apply to other resource groups in the same subscription.
Multiple role assignments: If a user has both Reader and Contributor roles at the same scope, they effectively have Contributor permissions (since Contributor includes all Reader permissions).
Deny assignments from Azure Policy or Blueprints: These can override role assignments. For example, a policy that denies VM creation will prevent even an Owner from creating VMs.
RBAC does not apply to data plane operations for some services: For example, accessing blobs in a storage account requires separate authorization (Azure AD or access keys). RBAC can be used to control control plane operations (e.g., create storage account) but not data plane (e.g., read blob). However, for many services like VMs, RBAC controls both.
Memory Trick: 'S-S-S' for Role Assignment
Think of a Role Assignment as having three parts: Security principal (Who), Role (What), and Scope (Where). If you remember 'S-S-S', you can eliminate wrong answers that miss any of these components. For example, an answer that says 'assign the Contributor role to the user' is incomplete because it doesn't specify the scope.
Decision Tree for Eliminating Wrong Answers
Is the question about authentication or authorization? If authentication, it's Azure AD, not RBAC.
Is the question about managing Azure AD itself (users, groups)? That's Azure AD roles, not RBAC.
Is the question about granting access to Azure resources? That's RBAC.
Does the scenario require delegating access management? Use User Access Administrator role.
Does the scenario require full access including delegation? Use Owner.
Does the scenario require read-only? Use Reader.
Does the scenario require creating resources but not managing access? Use Contributor.
Is the scope mentioned? If not, the answer is likely incomplete.
By applying this decision tree, you can quickly narrow down the correct answer.
RBAC is an authorization system that grants permissions to security principals (users, groups, service principals, managed identities) at a specific scope.
The three components of a role assignment are: security principal, role definition, and scope.
Built-in roles include Owner (full access + delegate), Contributor (manage resources), Reader (view only), and User Access Administrator (manage access).
Permissions are inherited from higher scopes (management group, subscription, resource group) to lower scopes (resource).
Deny assignments override allow assignments and are used by Azure Blueprints and managed applications.
RBAC does not control data plane operations for services like Azure Storage blobs; separate authorization is needed.
Azure AD roles manage Azure AD itself, while RBAC manages Azure resources. They are separate systems.
Role assignments take effect immediately (within seconds) and are stored in Azure Resource Manager.
These come up on the exam all the time. Here's how to tell them apart.
Azure RBAC
Controls access to Azure resources (VMs, storage, etc.)
Scoped to management group, subscription, resource group, or resource
Uses built-in roles like Owner, Contributor, Reader
Managed via Access control (IAM) in Azure portal
Does not affect Azure AD directory permissions
Azure AD Roles
Controls access to Azure AD itself (users, groups, etc.)
Scoped to the Azure AD tenant
Uses roles like Global Administrator, User Administrator
Managed via Azure AD > Roles and administrators
Does not affect Azure resource permissions
Mistake
RBAC is used for authentication.
Correct
RBAC is for authorization only. Authentication is handled by Azure AD. RBAC determines what an authenticated user can do.
Mistake
Assigning a role at the resource group scope applies to all subscriptions.
Correct
Roles are scoped to a single subscription. A role at resource group scope applies only within that subscription and resource group.
Mistake
The Contributor role can grant access to other users.
Correct
Contributor can manage resources but cannot assign roles. Only Owner and User Access Administrator can delegate access.
Mistake
Custom roles are always better than built-in roles.
Correct
Built-in roles are maintained by Microsoft and cover most scenarios. Custom roles add complexity and should be used only when built-in roles are insufficient.
Mistake
RBAC permissions are stored on the user's device.
Correct
RBAC permissions are stored in Azure Resource Manager and evaluated at runtime. The user's device only has an authentication token.
Azure RBAC controls access to Azure resources (like VMs, storage accounts, subscriptions) by granting permissions at a specific scope. Azure AD roles control access to Azure AD itself (like managing users, groups, and passwords). They are separate systems: a user can be a Global Administrator in Azure AD but have no RBAC permissions on Azure resources. For the exam, remember: RBAC is for resource management; Azure AD roles are for directory management.
Yes, you can assign roles at the management group scope. Permissions are inherited by all subscriptions and resources under that management group. This is useful for applying consistent access across multiple subscriptions. However, note that management group scope is only available if you have management groups set up. For the exam, know that management group is the highest scope in RBAC.
The effective permissions are the union of both roles. Since Contributor includes all Reader permissions (plus write/delete), the user effectively has Contributor permissions. In RBAC, permissions are additive. However, if there is a deny assignment that denies a specific action, that deny overrides even if a role allows it.
Assign the 'User Access Administrator' role at the appropriate scope. This role allows the user to create, modify, and delete role assignments. Alternatively, the 'Owner' role also includes this ability. For the exam, remember that Contributor cannot manage access; only Owner and User Access Administrator can.
RBAC applies to the control plane (management operations) of most Azure services. However, for some services like Azure Storage Blobs, Azure SQL Database, and Azure Key Vault, RBAC can be used for data plane operations if configured, but traditionally they use separate authorization methods (access keys, SQL authentication). For the exam, know that RBAC is primarily for control plane, and data plane may require additional configuration.
A deny assignment is a role assignment that explicitly denies actions, overriding any allow assignments. Deny assignments are typically created by Azure Blueprints or managed applications. They are used to enforce compliance (e.g., prevent deletion of a resource group). You can view deny assignments in the portal under 'Access control (IAM)' > 'Deny assignments'. For the exam, remember that deny assignments take precedence over role assignments.
Yes, you can define a custom role using JSON with 'Actions' (allowed) and 'NotActions' (excluded from allowed). For example, to create a role that can read everything except Key Vault secrets, you would include 'Microsoft.Resources/*/read' in Actions and 'Microsoft.KeyVault/vaults/secrets/read' in NotActions. Note that NotActions are subtracted from Actions, but explicit deny assignments still override.
You've just covered Role-Based Access Control (RBAC) — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?