Azure · How-To · Beginner · 4 min read

How to Use RBAC in Azure: Simple Guide to Role-Based Access Control

In Azure, Role-Based Access Control (RBAC) manages access to resources by assigning roles to users, groups, or service principals. You create role assignments that specify who can do what at a specific scope, such as a subscription or a resource group.

Syntax

RBAC in Azure uses role assignments with three main parts:

  • Principal: The user, group, or app to grant access.
  • Role: The set of permissions (like Reader, Contributor).
  • Scope: The resource level where access applies (subscription, resource group, or resource).

The Azure CLI command to create a role assignment is:

```bash
az role assignment create --assignee <principal> --role <role> --scope <scope>
```

Example

This example assigns the built-in Reader role to a user at the resource group level. It allows the user to view resources but not change them.

```bash
az role assignment create --assignee user@example.com --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup
```

Output

```json
{
  "canDelegate": null,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
  "name": "11111111-1111-1111-1111-111111111111",
  "principalId": "22222222-2222-2222-2222-222222222222",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup",
  "type": "Microsoft.Authorization/roleAssignments"
}
```

Common Pitfalls

Common mistakes when using RBAC in Azure include:

  • Assigning roles at too broad a scope (for example, a whole subscription when one resource group would do), granting more access than the task needs.
  • Using an incorrect principal identifier (for example, confusing a user's email address with the account's object ID).
  • Not waiting for role assignment propagation before testing access.
  • Confusing built-in roles with custom roles.

Example of an incorrect command that omits the scope, followed by the corrected form:

```bash
# Wrong: no --scope, so the assignment is not limited to the intended resources
az role assignment create --assignee user@example.com --role Reader

# Correct command includes --scope:
az role assignment create --assignee user@example.com --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup
```
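The first pitfall above (roles granted at too broad a scope) is easy to check for in bulk. The following audit script is an added example, not part of the original guide or of Azure's tooling: it classifies each assignment's scope by hierarchy level and flags anything granted above a resource group, escalating when the role is a privileged one. The input is a constructed sample that assumes the JSON shape of `az role assignment list` output (`principalName`, `principalType`, `roleDefinitionName`, `scope`), with the same subscription and resource group identifiers the guide uses.

```python
import json

# Constructed sample, modelled on the JSON shape that `az role assignment list`
# returns (principalName, principalType, roleDefinitionName, scope); not real data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "user@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/MyResourceGroup"},
    {"principalName": "ops-group", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystore"},
    {"principalName": "admin@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/"},
])

# Built-in roles that grant write or access-management rights; these matter most at broad scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root-or-management-group", "subscription"}


def scope_level(scope):
    """Classify an Azure scope string by the level of the resource hierarchy it covers."""
    parts = [p for p in scope.split("/") if p]
    if scope == "/" or "managementGroups" in parts:
        return "root-or-management-group"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource-group"
    return "resource"


def find_broad_assignments(assignments_json):
    """Return (severity, principal, role, level) for each assignment scoped above a resource group."""
    findings = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        if level not in BROAD_LEVELS:
            continue  # resource-group or single-resource scope: consistent with least privilege
        role = a.get("roleDefinitionName", "")
        severity = "high" if role in PRIVILEGED_ROLES else "medium"
        findings.append((severity, a["principalName"], role, level))
    return findings


if __name__ == "__main__":
    # Against a real tenant: az role assignment list --all --output json > assignments.json
    for severity, principal, role, level in find_broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{severity}] {principal} has {role} at {level} scope")
```

Run against the sample, it reports the Owner assignment at subscription scope as high severity and the Reader assignment at the root scope as medium; the two resource-group and resource-level assignments pass.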

Quick Reference

| Term | Description |
| --- | --- |
| Principal | User, group, or app to assign access |
| Role | Set of permissions like Reader, Contributor, Owner |
| Scope | Resource level: subscription, resource group, or resource |
| Role Assignment | Binding of principal, role, and scope |
| Built-in Roles | Predefined roles by Azure for common access needs |

Key Takeaways

  • RBAC controls access by assigning roles to principals at specific scopes.
  • Always specify the correct scope to limit access to only the needed resources.
  • Use the Azure CLI or the portal to create role assignments with a principal, role, and scope.
  • Check role assignment propagation before testing access permissions.
  • Avoid overly broad roles to follow the principle of least privilege.