AZ-104 Microsoft Azure Administrator Exam
You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Manage access to Azure resources
Manage built-in Azure roles
Built-in roles are pre-defined permissions sets in Azure that support the role-based access control (RBAC) model. These roles make it easy to grant common sets of permissions without building them from scratch. Understanding built-in roles helps you quickly apply security best practices across your Azure environment.
There are several key built-in roles you will use frequently:
- Owner: Full access, including the right to delegate access to others.
- Contributor: Can create and manage all types of Azure resources but can’t grant access.
- Reader: Read-only access to view resources without making any changes.
You can view and explore these roles in the Azure portal under Access control (IAM), or by using the Azure CLI and PowerShell. For example, az role definition list in the CLI returns all built-in roles and their permissions. Regularly reviewing built-in roles ensures you assign the right level of privilege.
While built-in roles meet most needs, they do have limits. You cannot modify the list of permissions in a built-in role. If your organization requires a tailored set of permissions, you must create a custom role.
Use built-in roles for standard scenarios where granular control is not required. They simplify governance by providing consistent and well-tested permission sets.
Assign roles at different scopes
In Azure RBAC, a scope defines the boundary where access assignments take effect. Scopes range from broad to narrow, letting you apply permissions exactly where they are needed. Choosing the correct scope helps enforce the principle of least privilege.
Subscription scope is the broadest of the three levels covered here. An assignment at this level applies to every resource group, resource, and sub-resource within that subscription. Use it when an individual or group genuinely needs wide-ranging access across an entire subscription.
Resource group scope applies to all resources contained in that group. It is ideal for teams managing a specific project or environment. By assigning roles at this level, you avoid granting unnecessary permissions to resources outside the project.
Resource scope is the most granular. Assigning a role to a single resource, such as a storage account or virtual machine, limits access only to that item. This scope is perfect for highly sensitive resources or when tight control is needed.
By carefully selecting among subscription, resource group, and resource scopes, you can maintain tighter security and ensure users only have access where it’s required.
Interpret access assignments
Access assignments in Azure RBAC link a principal (user, group, or service principal) to a role at a specified scope. These assignments determine what actions the principal can perform on Azure resources. Interpreting these assignments is critical for troubleshooting and compliance.
Azure RBAC is additive: a principal's effective permissions at a scope are the union of every role assigned at that scope or inherited from a broader one. If a user has a Reader role at the subscription and a Contributor role at a resource group, they effectively have Contributor access within that group (and only Reader access elsewhere in the subscription). This inheritance model simplifies management but can obscure effective permissions if many assignments exist.
To view effective permissions, use the Access control (IAM) pane in the Azure portal, or list a principal's assignments from the command line with az role assignment list --assignee <principal> in the Azure CLI or Get-AzRoleAssignment -ObjectId <principalId> in PowerShell.
These tools show all role assignments and their scopes, helping you verify what each principal can actually do.
Azure also supports time-bound role assignments and Deny assignments, adding more nuance to access evaluation. Be aware that Deny assignments take precedence over Allow assignments and can override inherited permissions.
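As an added illustration (not part of the course material or of any Azure SDK), the following Python models how the rules above combine: role assignments are unioned across every scope that covers the target resource, Contributor's NotActions strip out Microsoft.Authorization writes, and a matching Deny assignment overrides the result. The role definitions are abbreviated copies of the real built-in ones; the subscription ID, principal and resource names are constructed sample values.

```python
import fnmatch
from dataclasses import dataclass
# Abbreviated copies of three built-in role definitions: real Actions patterns, with
# Contributor's NotActions list cut down to its Microsoft.Authorization entries.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write", "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
}
@dataclass
class RoleAssignment:
    principal: str
    role: str   # key into ROLES
    scope: str  # resource ID of a subscription, resource group or single resource

@dataclass
class DenyAssignment:
    principal: str
    scope: str
    actions: list  # blocked action patterns, same wildcard syntax as role definitions

def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and is inherited by every child scope."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")
def action_matches(pattern, action):
    # Action strings compare case-insensitively and '*' may span several '/' segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())
def role_permits(role, action):
    d = ROLES[role]
    return (any(action_matches(p, action) for p in d["actions"])
            and not any(action_matches(p, action) for p in d["notActions"]))

def is_allowed(role_assignments, deny_assignments, principal, action, scope):
    """Union of every inherited role assignment; a matching Deny assignment overrides."""
    for dn in deny_assignments:
        if (dn.principal == principal and scope_covers(dn.scope, scope)
                and any(action_matches(p, action) for p in dn.actions)):
            return False
    return any(ra.principal == principal and scope_covers(ra.scope, scope)
               and role_permits(ra.role, action) for ra in role_assignments)

# Constructed sample (placeholder subscription ID): Reader at the subscription, Contributor on one RG, Deny on one VM.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
VM = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm01"
ROLE_ASSIGNMENTS = [RoleAssignment("alice", "Reader", SUB), RoleAssignment("alice", "Contributor", RG_APP)]
DENY_ASSIGNMENTS = [DenyAssignment("alice", VM, ["Microsoft.Compute/virtualMachines/delete"])]
```

Querying is_allowed for alice shows Contributor rights inside rg-app, Reader-only rights in other resource groups, no Microsoft.Authorization/roleAssignments/write anywhere, and a blocked delete on vm01 despite the inherited Contributor role.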
Regularly auditing and interpreting access assignments ensures strong security posture and helps you quickly spot misconfigurations before they lead to unauthorized access.
Conclusion
In this section, we covered the essentials of managing access to Azure resources through RBAC. We explored how built-in roles provide standardized permission sets, the importance of assigning roles at the appropriate scopes, and techniques to interpret access assignments for effective governance and troubleshooting. By mastering these concepts, you can enforce the principle of least privilege, maintain a clear security boundary, and ensure that every principal has the correct level of access.