AZ-104 Microsoft Azure Administrator Exam
You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Assign roles at different scopes
Define and Apply RBAC Roles at Various Scopes
Role-Based Access Control (RBAC) in Azure is an important system designed to manage access to resources by assigning roles to users, groups, service principals, or managed identities. This system helps ensure that the right people have the right access to Azure resources at all times. RBAC roles are assigned across various scopes to provide effective access management.
Understanding Scopes
A scope in Azure defines the set of resources that access permissions apply to. These scopes are organized in a hierarchy from broadest to most specific:
- Management Groups: They are at the top level and can contain multiple subscriptions, effectively allowing you to manage policies, budgets, and compliance across different subscriptions.
- Subscriptions: These act as containers for Azure services, serving as organizational boundaries where you can keep track of billing and services.
- Resource Groups: These provide logical grouping for related resources, which can make managing and deploying Azure resources easier.
- Resources: These refer to individual Azure services like virtual machines, databases, etc.
Assigning Roles
To assign RBAC roles, the caller needs the Microsoft.Authorization/roleAssignments/write permission at the target scope (it is included in the Owner and User Access Administrator built-in roles). Here's how you can assign roles:
- Sign in to the Azure portal.
- Navigate to the desired scope: a management group, subscription, resource group, or individual resource.
- On that scope, open Access control (IAM).
- Add a role assignment: select the role, then the user, group, service principal, or managed identity it applies to.
Role Assignments
A role assignment attaches a role definition to a security principal at a given scope. This gives the security principal access to resources within that scope. Some examples include:
- Contributor Role: Gives users permission to create and manage resources within a resource group.
- Reader Role: Allows users to look at resources without making modifications.
Multiple Role Assignments
RBAC in Azure is cumulative: if a user holds multiple roles whose permissions overlap, their effective permissions are the union of those roles. For example, if a user is given the Contributor role at the subscription level and the Reader role on a resource group within it, the subscription-level assignment is inherited by the resource group, so the user's effective permissions there are those of Contributor; the narrower Reader assignment does not reduce them.
Evaluating Access
The evaluation of access in Azure RBAC involves several steps:
- Token acquisition: Users obtain a token reflecting their group memberships.
- API call: Users make REST API calls using the token they received.
- Role and deny assignments retrieval: Azure Resource Manager retrieves relevant role assignments and deny assignments.
- Permission evaluation: Determines if users have the permissions needed for their requested actions.
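The scope hierarchy, inherited and cumulative role assignments, and the evaluation steps above can be seen together in a small model. The following is an added example written for this page, not Azure's own implementation or any Azure SDK code; the scope strings, the hierarchy, the principals, and the role definitions (Reader as documented, Contributor with only a subset of its real NotActions) are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


def _matches(action, patterns):
    # Azure action strings compare case-insensitively; '*' is the only wildcard and spans '/'.
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def grants(self, action):
        """NotActions subtract from this role's Actions; they are not deny rules."""
        return _matches(action, self.actions) and not _matches(action, self.not_actions)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # object id of a user, group, service principal or managed identity
    role: RoleDefinition
    scope: str


@dataclass(frozen=True)
class DenyAssignment:
    principals: frozenset
    actions: tuple
    scope: str


# Illustrative role definitions (Contributor's NotActions are a subset of the real ones).
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action",
))

# Constructed hierarchy: child scope -> parent scope (None at the root management group).
MG = "/providers/Microsoft.Management/managementGroups/contoso-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
HIERARCHY = {MG: None, SUB: MG, RG: SUB, VM: RG}


def scope_chain(scope):
    """The scope itself, then each ancestor up to the root: assignments inherit downward."""
    while scope is not None:
        yield scope
        scope = HIERARCHY[scope]


def effective_roles(principal, groups, assignments, scope):
    """Roles assigned to the principal or one of its groups at this scope or any ancestor.
    Group membership is taken as given, as it would come from the claims in the token."""
    subjects = {principal, *groups}
    chain = set(scope_chain(scope))
    return [a.role for a in assignments if a.principal in subjects and a.scope in chain]


def is_allowed(principal, groups, action, scope, assignments, denies=()):
    """Permission evaluation: a matching deny assignment blocks the action outright;
    otherwise it is allowed if any effective role grants it (roles are cumulative)."""
    subjects = {principal, *groups}
    chain = set(scope_chain(scope))
    for d in denies:
        if d.scope in chain and subjects & d.principals and _matches(action, d.actions):
            return False
    return any(r.grants(action) for r in effective_roles(principal, groups, assignments, scope))


# Constructed scenario from the text: Contributor at the subscription, Reader on the resource group,
# plus a group-based Reader assignment at the management group and one deny assignment on the VM.
ASSIGNMENTS = [
    RoleAssignment("alice", CONTRIBUTOR, SUB),
    RoleAssignment("alice", READER, RG),
    RoleAssignment("grp-platform-readers", READER, MG),
]
DENIES = [DenyAssignment(frozenset({"alice"}), ("Microsoft.Compute/virtualMachines/delete",), VM)]


def demo():
    """Evaluate a few representative requests and return {description: allowed?}."""
    bob_groups = {"grp-platform-readers"}
    return {
        "alice writes vm1": is_allowed("alice", set(), "Microsoft.Compute/virtualMachines/write", VM, ASSIGNMENTS, DENIES),
        "alice assigns roles in rg-app": is_allowed("alice", set(), "Microsoft.Authorization/roleAssignments/write", RG, ASSIGNMENTS, DENIES),
        "alice deletes vm1": is_allowed("alice", set(), "Microsoft.Compute/virtualMachines/delete", VM, ASSIGNMENTS, DENIES),
        "bob reads vm1 via group": is_allowed("bob", bob_groups, "Microsoft.Compute/virtualMachines/read", VM, ASSIGNMENTS, DENIES),
        "bob writes vm1 via group": is_allowed("bob", bob_groups, "Microsoft.Compute/virtualMachines/write", VM, ASSIGNMENTS, DENIES),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

Running it shows the three points the text makes: alice can write the VM because the subscription-level Contributor assignment is inherited by the resource group and the VM (the narrower Reader assignment does not subtract from it), she still cannot create role assignments because that action sits in Contributor's NotActions, and the deny assignment on the VM wins over her Contributor role for the delete action. Bob has no direct assignment at all and gets read access purely through the group assignment at the management group, which is the group-based pattern recommended under Best Practices.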
Best Practices
To ensure secure access management practices:
- Grant least privilege: Offer only permissions needed for users to perform their tasks.
- Use groups: Assign roles based on groups rather than individuals to simplify access management.
- Limit privileged roles: Restrict high-level access roles like Owner or Contributor to minimize risk.
By applying RBAC roles thoughtfully and methodically across various scopes, you help secure Azure resources effectively, balancing accessibility with security concerns.