Active Directory FundamentalsActive Directory PoliciesUncategorized

Role-based access control (RBAC) in Azure

December 19, 2025

Azure RBAC is the authorization system used to control who can do what across Azure resources. It is designed to keep access granular, auditable, and aligned to real operational responsibilities—without turning permissions into a messy pile of one-off exceptions.

In practice, Azure RBAC works best when it is treated as an operating model, not a one-time configuration task: define roles clearly, assign them to groups (not individuals), scope them carefully, and continuously review what was granted versus what is actually needed.

Azure RBAC vs Microsoft Entra roles (and why people confuse them)

Azure has multiple “role” systems, and mixing them up is a common source of over-privilege:

  • Azure RBAC: Controls access to Azure resource management (subscriptions, resource groups, resources) via Azure Resource Manager (ARM).
  • Microsoft Entra ID roles (formerly Azure AD roles): Controls access to identity and directory administration (users, groups, app registrations, Conditional Access, etc.).
  • Application roles: Defined inside an app and enforced by that application (often via tokens/claims), not by Azure ARM.

A clean design keeps these separate: Azure RBAC for Azure resources, Entra roles for directory administration, and app roles for app-level authorization.

Related reading: Role-based access control in Microsoft Entra

The Azure RBAC mental model

Azure RBAC is built around a simple role assignment model: a security principal is granted a role definition at a defined scope. That assignment determines allowed actions.

  • Security principal: User, group, service principal (app), or managed identity.
  • Role definition: A set of allowed actions (built-in or custom).
  • Scope: Where the role applies (management group, subscription, resource group, or a specific resource).

Related reading: How access management works in Azure AD

Scopes: where access “lands” (and how inheritance works)

Scope is the most powerful lever in Azure RBAC. Assigning the right role at the wrong scope is how “least privilege” quietly turns into “everyone is Owner.”

  • Management group: Applies across many subscriptions (best for centralized platform governance).
  • Subscription: Broad access across a billing and resource boundary.
  • Resource group: Common operational boundary (teams often own RGs).
  • Resource: Most granular; best for sensitive resources (Key Vault, specific Storage account, critical VM, etc.).

RBAC assignments inherit downward. For example, a Reader at subscription scope can read everything in all resource groups and resources inside that subscription.

Built-in roles: start here, but avoid “Owner by default”

Azure includes many built-in roles. The most frequently used (and misused) include:

  • Owner: Full control, including granting access. Use sparingly.
  • Contributor: Can manage resources but cannot grant access.
  • Reader: Read-only.
  • User Access Administrator: Can manage access (role assignments), but not necessarily resources.

Service-specific roles (for example, data-plane roles like “Storage Blob Data Contributor”) are often safer than broad Contributor when a team only needs to operate within one service.

Custom roles: when built-in roles are too broad

Custom roles are justified when:

  • A team needs a subset of Contributor permissions.
  • Operational tasks are well-defined (for example: “restart VMs and read diagnostics, but cannot delete”).
  • Compliance requires strict separation of duties (for example: networking vs compute vs security administration).

Custom roles should be treated like code: versioned, reviewed, tested in non-prod, and documented.

Group-based RBAC: the “golden path” for human access

Assigning roles to individuals does not scale. The recommended operational pattern is:

  1. Create a group per role + scope boundary (for example, AZ-SUB1-RG-APP1-Contributor).
  2. Assign the Azure role to the group at the correct scope.
  3. Manage membership separately (join/leave = access change).

This keeps access changes auditable and makes offboarding reliable.

Related reading: How groups work in Azure AD

Privileged access: pair RBAC with just-in-time elevation

Permanent high-privilege assignments (Owner, User Access Administrator, Entra Global Administrator, etc.) are where incidents are born. A stronger model is:

  • Keep day-to-day roles low (Reader/Contributor or service-specific contributor roles).
  • Use just-in-time elevation for privileged roles, with approval and MFA.
  • Time-box the elevation and log it.

Related reading: Azure AD PIM: How to manage privileged access to resources

Operational blueprint: a practical RBAC design workflow

  1. Inventory resources and owners: subscriptions, resource groups, key services (Key Vault, Storage, AKS, SQL, etc.).
  2. Define job functions: platform team, app team, network team, security team, auditors, contractors.
  3. Map functions to least-privilege roles: prefer built-in roles first, then custom roles if needed.
  4. Choose scope boundaries: avoid subscription-wide assignments unless required by the role.
  5. Implement group-based assignments: role-to-group, group-to-people.
  6. Add privileged controls: PIM/JIT for high privilege; break-glass accounts for emergencies.
  7. Audit and review: role assignment reviews, activity logging, and periodic recertification.

Implementation examples

Example 1: Grant a team Contributor on a single resource group

Goal: App team can manage only rg-app1-prod without touching the rest of the subscription.

  • Create a group: AZ-rg-app1-prod-Contributor
  • Assign role: Contributor
  • Scope: resource group rg-app1-prod

Example 2: Separate control-plane and data-plane access

Goal: A team can upload/download blobs but cannot change the storage account configuration.

  • Use a data-plane role (for example: Storage Blob Data Contributor).
  • Avoid broad Contributor on the storage account unless configuration changes are required.

Example 3: Delegating access management without full ownership

Goal: A small platform admin group manages RBAC assignments, while service owners manage resources.

  • Platform group gets User Access Administrator at subscription scope (or narrower if possible).
  • Service owner groups get Contributor at their resource group scopes.
  • Owner is reserved for break-glass or minimal central governance roles.

Auditing and troubleshooting RBAC

When access “should work” but doesn’t, focus on these checks:

  • Scope mismatch: Role assigned at the wrong resource group/subscription.
  • Wrong principal: User expects access but assignment is on a different group (or the wrong tenant/account).
  • Role mismatch: Contributor vs service-specific roles; control-plane vs data-plane confusion.
  • Inheritance surprises: A broad assignment at subscription scope grants more than intended.
  • Privileged workflows: PIM not activated, approval pending, or elevation expired.

Governance: keeping RBAC clean over time

RBAC entropy is real: over time, roles accumulate, scopes expand, and exceptions become “permanent.” Strong governance prevents that:

  • Run regular access reviews and recertification cycles.
  • Require ticket/justification for role assignment changes.
  • Use logging to detect “role creep” and suspicious assignments.
  • Use CIEM-style visibility to detect excessive permissions across cloud environments.

Related reading: Entra Permissions Management Onboarding Guide

Common RBAC mistakes to avoid

  • Assigning Owner widely: Creates uncontrolled privilege escalation pathways.
  • Assigning roles to users instead of groups: Breaks lifecycle controls and offboarding reliability.
  • Using subscription scope by default: Makes least privilege nearly impossible.
  • Ignoring service principals and managed identities: App identities often become the most over-privileged principals.
  • No review process: RBAC without review turns into long-term accidental access.

Quick checklist

  • Roles assigned to groups, not individual users
  • Scope set as narrow as practical
  • Privileged roles are just-in-time where possible
  • Custom roles are documented and reviewed
  • Access is audited and recertified regularly

Conclusion

Azure RBAC is simple in concept but powerful in outcomes: it can either become a clean, scalable access model—or a silent risk amplifier—depending on how it is implemented. The most reliable approach is consistent: group-based assignments, minimal scopes, carefully chosen roles, and continuous governance backed by auditing and time-bound privilege elevation.

Related posts
Active Directory Fundamentals

Migrating from AD FS to Azure AD SSO

December 19, 2025
Active Directory Fundamentals

Federation strategies using Entra

December 19, 2025
Active Directory Fundamentals

Tracking privilege escalation in Azure AD

December 19, 2025
Active Directory Fundamentals

Zero Trust architecture with Entra at the core

December 19, 2025
×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.