Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.2.3. Assign Roles to Users, Groups, and Applications

💡 First Principle: Azure RBAC fundamentally controls access by binding a role definition (what can be done) to a security principal (who can do it) at a specific scope (where it can be done), thereby enforcing the principle of least privilege.

Scenario: You need to grant a new application the ability to read data from a specific Storage Account, but nothing else. Separately, a team of developers needs to create and manage Virtual Machines within a particular resource group.

What It Is: Role assignment is the process of attaching a role definition (e.g., Reader, Contributor) to a security principal (who) at a specific scope (where).

Security Principals that can be assigned roles:
  • Users: Individual Entra ID accounts for people. Use for specific individuals when group assignment isn't practical.
  • Groups: Entra ID security groups, ideal for managing access for multiple users efficiently. Assigning roles to groups simplifies administration and scales well.
  • Service Principals (Applications): Identities for applications or automated tools needing resource access. These are used for programmatic access.
How to Assign a Role (Azure Portal):
  1. Go to the resource, resource group, subscription, or management group.
  2. Select Access control (IAM).
  3. Click Add > Add role assignment.
  4. Choose the role (e.g., Reader, Contributor, or a custom role).
  5. Select the user, group, or service principal.
  6. Review and assign.

Scope Matters: Always assign roles at the smallest scope needed (resource > resource group > subscription > management group). Role assignments are inherited by every child scope, so an assignment at a subscription applies to all resource groups and resources beneath it. Keeping scopes narrow enforces the principle of least privilege, reducing unnecessary access and security risk.

āš ļø Common Pitfall: Assigning roles directly to individual users instead of groups. This is difficult to manage and audit as the number of users grows.

Key Trade-Offs:
  • Direct Assignment vs. Group Assignment: Direct assignment is quick for one-off cases but creates long-term management debt. Group assignment requires more initial setup but is far more scalable and maintainable.
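The following Python script is an added example; it is not part of the MindMesh Academy material nor of any Azure SDK. It models the scope hierarchy described above (resource, resource group, subscription, management group) and the downward inheritance of role assignments, then works through the two scenarios that open this section (an application that may only read one Storage Account, a developer group that manages VMs in one resource group) and flags a direct, subscription-wide assignment as wider than its principal needs. Every subscription ID, principal, group and assignment is constructed sample data; the scope-string layout and the role names are Azure's own.

```python
"""Model Azure RBAC scope inheritance and audit role assignments for least-privilege scope.

Added example, not MindMesh Academy's material. Scope strings follow the real Azure
resource-ID layout; all IDs, principals, groups and assignments below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Assignment:
    principal: str  # object ID (a name here) of a user, group, or service principal
    role: str       # role definition name, e.g. "Reader" or "Virtual Machine Contributor"
    scope: str      # management group, subscription, resource group, or resource ID


def scope_chain(scope: str, mg_of_subscription: Optional[Dict[str, str]] = None) -> List[str]:
    """Scopes at which an assignment would apply to `scope`, ordered leaf to root:
    resource (and parent resources) -> resource group -> subscription -> management group.
    Azure matches scopes case-insensitively, so everything is lower-cased."""
    s = scope.lower().rstrip("/")
    parts = s.strip("/").split("/")
    if parts[:2] == ["providers", "microsoft.management"]:
        return [s]                                   # a management group is already the root
    if parts[0] != "subscriptions" or len(parts) < 2:
        raise ValueError(f"unrecognized scope: {scope}")
    sub = "/subscriptions/" + parts[1]
    chain = [sub]
    if len(parts) >= 4 and parts[2] == "resourcegroups":
        rg = sub + "/resourcegroups/" + parts[3]
        chain.insert(0, rg)
        rest = parts[4:]                             # providers/<ns>/<type>/<name>[/<type>/<name>...]
        if rest:
            if rest[0] != "providers" or len(rest) < 4 or len(rest) % 2:
                raise ValueError(f"malformed resource ID: {scope}")
            prefix = rg + "/providers/" + rest[1]
            for i in range(2, len(rest), 2):
                prefix += f"/{rest[i]}/{rest[i + 1]}"
                chain.insert(0, prefix)              # child resources go in front of their parents
    elif len(parts) != 2:
        raise ValueError(f"unrecognized scope: {scope}")
    mg = (mg_of_subscription or {}).get(parts[1])    # subscription -> management group is not
    if mg:                                           # derivable from the ID, so it is supplied
        chain.append(f"/providers/microsoft.management/managementgroups/{mg.lower()}")
    return chain


def transitive_groups(principal: str, group_memberships: Dict[str, Set[str]]) -> Set[str]:
    """All groups the principal belongs to, following nested group membership."""
    seen, stack = set(), [principal]
    while stack:
        for g in group_memberships.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def effective_roles(principal, resource_id, assignments, group_memberships, mg_of_subscription=None):
    """Role names the principal holds on resource_id: assignments to the principal itself or to
    any of its groups, at the resource or at any ancestor scope (RBAC inherits downward)."""
    identities = {principal} | transitive_groups(principal, group_memberships)
    applicable = set(scope_chain(resource_id, mg_of_subscription))
    return sorted({a.role for a in assignments
                   if a.principal in identities and a.scope.lower().rstrip("/") in applicable})


def narrowest_common_scope(resource_ids, mg_of_subscription=None):
    """Deepest single scope that covers every resource in resource_ids (None if there is none)."""
    chains = [scope_chain(r, mg_of_subscription) for r in resource_ids]
    shared = set(chains[0]).intersection(*chains[1:])
    return next((s for s in chains[0] if s in shared), None)  # leaf-first, so first hit is deepest


def audit_scope(assignment: Assignment, needed_resources, mg_of_subscription=None) -> str:
    """Compare an assignment's scope with the smallest scope that still covers everything the
    principal actually needs; report "ok", an over-broad scope with its narrower replacement,
    or an assignment that does not reach the needed resources at all."""
    target = narrowest_common_scope(needed_resources, mg_of_subscription)
    if target is None:
        return "no single scope covers the needed resources"
    current = assignment.scope.lower().rstrip("/")
    if current == target:
        return "ok"
    if current in scope_chain(target, mg_of_subscription):
        return f"over-broad: narrow to {target}"
    return "does not cover the needed resources"


# ---- constructed sample data ----
SUB = "00000000-0000-0000-0000-000000000001"                      # constructed subscription ID
MG_OF_SUB = {SUB: "mg-prod"}                                        # constructed management-group membership
STORAGE = f"/subscriptions/{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stappdata"
VM_RG = f"/subscriptions/{SUB}/resourceGroups/rg-dev-vms"
VM01 = f"{VM_RG}/providers/Microsoft.Compute/virtualMachines/vm01"
VM02 = f"{VM_RG}/providers/Microsoft.Compute/virtualMachines/vm02"
GROUPS = {"alice": {"grp-dev-vm"}}                                  # constructed: alice is in grp-dev-vm

ASSIGNMENTS = [
    # Scenario 1: the reporting app may only read blob data in one storage account. The plain
    # Reader role grants control-plane read, not data access, so the data-plane role is used.
    Assignment("sp-reporting", "Storage Blob Data Reader", STORAGE),
    # Scenario 2: the dev team, via a group, manages VMs in one resource group only.
    Assignment("grp-dev-vm", "Virtual Machine Contributor", VM_RG),
    # Pitfall: a direct, subscription-wide assignment for work confined to rg-dev-vms.
    Assignment("bob", "Contributor", f"/subscriptions/{SUB}"),
]

if __name__ == "__main__":
    print(effective_roles("sp-reporting", STORAGE, ASSIGNMENTS, GROUPS, MG_OF_SUB))
    print(effective_roles("sp-reporting", VM01, ASSIGNMENTS, GROUPS, MG_OF_SUB))
    print(effective_roles("alice", VM01, ASSIGNMENTS, GROUPS, MG_OF_SUB))
    print(effective_roles("bob", STORAGE, ASSIGNMENTS, GROUPS, MG_OF_SUB))       # inherited from the subscription
    print(audit_scope(ASSIGNMENTS[2], [VM01, VM02], MG_OF_SUB))
```

To perform the first scenario's assignment for real, the Azure CLI equivalent of the portal steps above is `az role assignment create --role "Storage Blob Data Reader" --assignee-object-id <sp-object-id> --assignee-principal-type ServicePrincipal --scope <storage-account-resource-id>` (placeholders in angle brackets), and `az role assignment list --scope <resource-id> --include-inherited` returns the assignments, inherited ones included, that a check like `audit_scope` would be run over.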

Reflection Question: How does assigning roles to security principals at the smallest scope needed fundamentally enforce the principle of least privilege and streamline access management for users, groups, and applications?