AZ-900: Azure Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC) is the foundation of security in Azure. It gives you fine-grained control over who can do what across your Azure environment, whether the identity is an individual, a service principal, or an application.

What is RBAC?

RBAC answers three essential questions when granting access:

  • Who? This is the Security Principal. It could be a user, group, service principal, or managed identity.
  • What? This is the Scope—the boundary where access applies. It could be:
    • A management group
    • An Azure subscription
    • A resource group
    • Or an individual resource
  • How much? This is the Role Definition, often just called the role. It determines the level of access:
    • Owner – Full access to everything, including managing access permissions.
    • Contributor – Can create and manage resources, but cannot assign roles.
    • Reader – Can view existing resources only.
    • User Access Administrator – Can manage user access but not the resources themselves.

RBAC ensures that only authorized individuals or services can access the right resources, at the right level.

Custom Control and Security

With RBAC, you can:

  • Assign roles that grant only the permissions needed.
  • Use Deny assignments to explicitly prevent certain actions (e.g. creating resource groups).
  • Improve security and reduce risk by applying the principle of least privilege.

RBAC is tightly integrated with Microsoft Entra ID and supports both authorization and Entra ID Conditional Access scenarios.
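The following Python sketch is an added example, not code from the original page or from Microsoft. It models how a security principal, a scope and a role definition combine into an access decision, with child scopes inheriting assignments and a deny assignment overriding them. The role permission sets are simplified approximations of the built-in roles, the deny-assignment shape is reduced to principals, scope and actions, management-group inheritance is left out, and all principal names, the subscription ID and resource names are constructed.

```python
from fnmatch import fnmatchcase

# Simplified permission sets for the four built-in roles listed above (assumption).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": [
        "*/read", "Microsoft.Authorization/*"], "not_actions": []},
}

def matches(patterns, action):
    """Case-insensitive wildcard match of an action against a pattern list."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(assigned_scope, target):
    """An assignment applies at its own scope and at every child scope."""
    a, t = assigned_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def is_allowed(principal, action, target, assignments, denies=()):
    """Return True if the principal may perform the action on the target scope."""
    # Deny assignments are checked first and override any role assignment.
    for d in denies:
        if (principal in d["principals"] and in_scope(d["scope"], target)
                and matches(d["actions"], action)):
            return False
    for a in assignments:
        role = ROLES[a["role"]]
        if (a["principal"] == principal and in_scope(a["scope"], target)
                and matches(role["actions"], action)
                and not matches(role["not_actions"], action)):
            return True
    return False  # no matching role assignment: access is denied by default

# Constructed sample data (placeholder subscription ID, hypothetical names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": RG},
    {"principal": "bob", "role": "Reader", "scope": SUB},
    {"principal": "carol", "role": "User Access Administrator", "scope": RG},
    {"principal": "dave", "role": "Owner", "scope": SUB},
]
DENIES = [{"principals": {"dave"}, "scope": SUB,
           "actions": ["Microsoft.Resources/subscriptions/resourceGroups/write"]}]
```

Calling `is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", RG, ASSIGNMENTS, DENIES)` returns `False`, which is the Contributor limitation described above, while the same call for `carol` returns `True`.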

Important Considerations

If a subscription is moved to another Microsoft Entra ID tenant, all RBAC role assignments are deleted. This can disrupt access and services, so such a move requires careful planning.



Datablog
