Domain 1 of 5 · Chapter 2 of 3

Azure RBAC

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Azure Administrator premium course — no separate purchase.

Included in this chapter:

  • The role assignment model: who, what, and where
  • Built-in roles and how permissions combine
  • Azure RBAC roles vs Microsoft Entra roles
  • Exam-pattern recognition

Azure RBAC roles vs Microsoft Entra roles

DimensionAzure RBAC roleMicrosoft Entra role
Controls access toAzure resources (VMs, storage, networks) via Azure Resource ManagerMicrosoft Entra ID directory (users, groups, domains, app registrations)
Scope levelsManagement group, subscription, resource group, resourceTenant (organization-wide), administrative unit, or single object
Example rolesOwner, Contributor, Reader, User Access AdministratorGlobal Administrator, User Administrator, Billing Administrator
Managed inAccess control (IAM) blade; CLI, PowerShell, ARM, RESTRoles and administrators blade; Entra admin center, Graph
Spans the other plane by defaultNo: an Owner cannot manage directory usersNo: a Global Admin has no Azure resource access until elevated

Decision tree

Directory task? (users,groups, passwords)Microsoft Entra rolenot Azure RBACYesManage the resourcesthemselves?No (Azure resource task)User Access Administratorassign roles, not manageNo, only grant accessNeed to grant othersaccess too?YesMake any changes,or view only?No (manage only)OwnerYesReaderView onlyContributorMake changes

Cheat sheet

  • A role assignment binds a security principal, a role, and a scope
  • Scope is a four-level tree and access is inherited downward
  • Assign at the narrowest scope that does the job
  • Owner is full management plus the right to assign roles
  • Contributor manages everything but cannot assign roles
  • Reader can view resources but change nothing
  • User Access Administrator manages access, not resources
  • Effective permissions are additive: they never subtract
  • Role assignments are transitive through nested groups
  • Deny assignments are created by Azure, not by you
  • Azure RBAC roles control resources; Microsoft Entra roles control the directory
  • By default a Global Administrator has no access to Azure resources
  • User Administrator and User Access Administrator are different roles on different planes
  • A Global Admin regains lost subscription access by elevating access
  • Start with the most restrictive built-in role that fits
  • Assigning a role requires the roleAssignments/write permission
  • Classic subscription administrator roles are fully retired
  • Effective control-plane permission equals Actions minus NotActions
  • Actions cover management; DataActions cover the data inside resources
  • Custom roles need a non-root AssignableScopes, no Id, and the right create/update cmdlet
  • A subscription allows up to 4,000 role assignments, so assign to groups
  • User-assigned identities are shareable; assigning one needs Managed Identity Operator

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is Azure role-based access control (Azure RBAC)?
  2. Steps to assign an Azure role
  3. Azure roles, Microsoft Entra roles, and classic subscription administrator roles
  4. Understand scope for Azure RBAC
  5. Azure built-in roles