{"id":40690,"date":"2021-05-14T09:43:05","date_gmt":"2021-05-14T09:43:05","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=40690"},"modified":"2021-05-14T09:43:07","modified_gmt":"2021-05-14T09:43:07","slug":"azure-role-based-access-control-overview","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/azure-role-based-access-control-overview\/","title":{"rendered":"Azure role-based access control: Overview"},"content":{"rendered":"\n<p>This tutorial introduces Azure role-based access control (Azure RBAC) and how it is used.<\/p>\n\n\n\n<p>Access management for cloud resources is a critical function for any organization that is using the cloud. Azure RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. It is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>What can I do with Azure RBAC?<\/strong><\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li>Allow one user to manage virtual machines in a subscription and another user to manage virtual networks<\/li><li>Allow a DBA group to manage SQL databases in a subscription<\/li><li>Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets<\/li><li>Allow an application to access all resources in a resource group<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>How Azure RBAC works<\/strong><\/h4>\n\n\n\n<p>The way you control access to resources using Azure RBAC is to assign Azure roles. 
This is a key concept for understanding how permissions are enforced. A role assignment consists of three elements:<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>1. Security principal<\/strong><\/h5>\n\n\n\n<p>A security principal is an object that represents a user, group, or service principal that is requesting access to Azure resources. You can assign a role to any of these security principals.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/shared\/rbac-security-principal.png\" alt=\"Diagram showing the security principal types for a role assignment.\"\/><figcaption><strong>Image Source: Microsoft<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>2. Role definition<\/strong><\/h5>\n\n\n\n<p>A role definition is a collection of permissions. It lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/shared\/rbac-role-definition.png\" alt=\"Diagram showing role definition example for a role assignment\"\/><figcaption><strong>Image Source: Microsoft<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p>Azure includes several built-in roles that you can use. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. 
If the built-in roles don&#8217;t meet the specific needs of your organization, you can create your own Azure custom roles.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>3. Scope<\/strong><\/h5>\n\n\n\n<p>The scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group. In Azure, you can specify a scope at four levels:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>management group<\/li><li>subscription<\/li><li>resource group<\/li><li>resource<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/media\/shared\/rbac-scope.png\" alt=\"Diagram showing scope levels for a role assignment.\"\/><figcaption><strong>Image Source: Microsoft<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-azure-rbac-determines-if-a-user-has-access-to-a-resource\"><strong>How Azure RBAC determines if a user has access to a resource<\/strong><\/h4>\n\n\n\n<p>The following are the high-level steps that Azure RBAC uses to determine if you have access to a resource. These steps apply to Azure Resource Manager or data plane services integrated with Azure RBAC. 
This is helpful to understand if you are trying to troubleshoot an access issue.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Firstly, a user (or service principal) acquires a token for Azure Resource Manager. The token includes the user&#8217;s group memberships.<\/li><li>Secondly, the user makes a REST API call to Azure Resource Manager with the token attached.<\/li><li>Thirdly, Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.<\/li><li>If a deny assignment applies, it blocks access. Otherwise, evaluation continues.<\/li><li>Then, Azure Resource Manager narrows the role assignments to those that apply to this user or their groups and determines what roles the user has for this resource.<\/li><li>After that, Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource. If the roles include\u00a0Actions\u00a0that have a wildcard (*), the effective permissions are computed by subtracting the\u00a0NotActions\u00a0from the allowed\u00a0Actions. The same subtraction is done for any data actions.<ul><li><em>Actions &#8211; NotActions = Effective management permissions<\/em><\/li><li><em>DataActions &#8211; NotDataActions = Effective data permissions<\/em><\/li><\/ul><\/li><li>If the user doesn&#8217;t have a role with the action at the requested scope, access is not allowed. Otherwise, any conditions are evaluated.<\/li><li>If the role assignment includes conditions, they are evaluated. Otherwise, access is allowed.<\/li><li>If conditions are met, access is allowed. 
Otherwise, there is no access.<\/li><\/ul>\n\n\n\n<p><strong>Reference:<\/strong> <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Documentation<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[],"tags":[],"class_list":["post-40690","page","type-page","status-publish","hentry"],"acf":[]}