2.2.1. Azure Built-in and Custom Roles
💡 First Principle: Azure Role-Based Access Control (RBAC) implements authorization through role assignments. A role is a collection of permissions; assigning a role to an identity grants those permissions at a specific scope.
Scenario: Your development team needs to deploy virtual machines but shouldn't be able to modify networking or access production resources. You need granular control over what actions they can perform.
RBAC Components
- Security Principal: Who needs access (user, group, service principal, managed identity)
- Role Definition: What permissions are granted (collection of actions)
- Scope: Where the permissions apply (management group, subscription, resource group, resource)
Built-in Roles
| Role | Description | Common Use Case |
|---|---|---|
| Owner | Full access + can delegate | Subscription administrators |
| Contributor | Full access, cannot delegate | DevOps teams |
| Reader | View only | Auditors, stakeholders |
| User Access Administrator | Manage user access only | Security team |
| Resource Policy Contributor | Create/modify policies, create support tickets | Governance teams |
Custom Roles
- When to Use: No built-in role matches your requirements (typically when a built-in role grants more than the task needs)
- Structure: Actions (permitted control-plane operations), NotActions (subtracted from Actions; not a deny), DataActions (permitted data-plane operations), NotDataActions (subtracted from DataActions)
- Scope: AssignableScopes lists where the role may be assigned, for example specific subscriptions
Example Custom Role JSON (the AssignableScopes entry is a placeholder: Azure rejects a wildcard there, so list the actual subscription, resource group, or management group IDs):

```json
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}
```
⚠️ Exam Trap: Forgetting that custom roles require read permissions on resources to interact with them. The Virtual Machine Operator role above needs Microsoft.Compute/*/read to restart VMs—without read access, the restart action will fail.
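To make the three RBAC components and the custom-role structure concrete, here is an added Python model of how Azure evaluates a control-plane request: it is example code written for this section, not Azure's implementation or anything from the original page. It parses the page's Virtual Machine Operator definition (with the placeholder subscription ID), applies wildcard and case-insensitive matching to operation strings, subtracts NotActions from Actions, unions all role assignments whose scope covers the resource, and includes a lint that flags exactly the exam-trap shape above: an action granted on a resource type the role cannot read. The "Restart Only" and "Contributor-like" roles, the "dev-team" principal and the resource IDs are constructed for the demonstration; deny assignments and conditions are deliberately left out.

```python
import json
import re

# Constructed copy of the page's custom role, in the JSON shape accepted by
# `az role definition create`. "{subscription-id}" is a placeholder.
VM_OPERATOR = json.loads("""{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}""")

# Constructed: grants restart but no read at all (the exam-trap shape).
RESTART_ONLY = {"Name": "Restart Only", "IsCustom": True,
                "Actions": ["Microsoft.Compute/virtualMachines/restart/action"],
                "NotActions": [], "DataActions": [], "NotDataActions": []}

# Constructed, simplified version of the built-in Contributor shape: every
# control-plane action except the Microsoft.Authorization writes that would
# let the holder delegate access ("Full access, cannot delegate").
CONTRIBUTOR_LIKE = {"Name": "Contributor-like", "IsCustom": False,
                    "Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "DataActions": [], "NotDataActions": []}


def _pattern_matches(pattern, operation):
    # Operation strings are case-insensitive and '*' matches any characters,
    # including '/' separators, so Microsoft.Compute/*/read also covers
    # nested types such as Microsoft.Compute/virtualMachines/extensions/read.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role, operation, data_plane=False):
    """Effective permission of one role = (Not)Actions or (Not)DataActions;
    a NotActions entry only narrows this role, it never denies other roles."""
    allowed = role["DataActions"] if data_plane else role["Actions"]
    excluded = role["NotDataActions"] if data_plane else role["NotActions"]
    granted = any(_pattern_matches(p, operation) for p in allowed)
    removed = any(_pattern_matches(p, operation) for p in excluded)
    return granted and not removed


def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its scope and every child scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal, operation, resource_id, data_plane=False):
    """assignments: list of (security principal, role definition, scope).
    Access is the union of every assignment for the principal whose scope
    covers the resource and whose role permits the operation."""
    return any(p == principal and scope_covers(s, resource_id)
               and role_permits(r, operation, data_plane)
               for p, r, s in assignments)


def read_action_for(operation):
    """Read operation for the resource type an action targets, e.g.
    Microsoft.Compute/virtualMachines/restart/action -> .../virtualMachines/read."""
    parts = operation.split("/")
    parts = parts[:-2] if parts[-1].lower() == "action" else parts[:-1]
    return "/".join(parts) + "/read"


def actions_missing_read(role):
    """Lint for the exam trap: concrete non-read actions in the role whose
    resource type the role cannot read (so the portal/CLI cannot list the target)."""
    return [a for a in role["Actions"]
            if "*" not in a and not a.lower().endswith("/read")
            and not role_permits(role, read_action_for(a))]


if __name__ == "__main__":
    # Constructed scope and resource IDs using the same placeholder subscription.
    dev_rg = "/subscriptions/{subscription-id}/resourceGroups/dev-rg"
    dev_vm = dev_rg + "/providers/Microsoft.Compute/virtualMachines/vm1"
    prod_vm = "/subscriptions/{subscription-id}/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/vm2"
    assignments = [("dev-team", VM_OPERATOR, dev_rg)]
    restart = "Microsoft.Compute/virtualMachines/restart/action"
    print("dev VM restart:", is_authorized(assignments, "dev-team", restart, dev_vm))
    print("prod VM restart:", is_authorized(assignments, "dev-team", restart, prod_vm))
    print("missing read in Restart Only:", actions_missing_read(RESTART_ONLY))
```

Two details the model makes visible: `Microsoft.Storage/*/read` in Actions does not let the principal read blob contents, because that is a DataAction evaluated against DataActions, and the Contributor-like role's NotActions removes `Microsoft.Authorization/roleAssignments/write` from its own `*` grant without preventing a second assignment (say, User Access Administrator) from granting it.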
[Figure not reproduced: RBAC Assignment Model]
Microsoft Entra Roles vs. Azure RBAC Roles
| Aspect | Microsoft Entra Roles | Azure RBAC Roles |
|---|---|---|
| Scope | Microsoft Entra ID tenant | Azure resources |
| Purpose | Manage Entra ID (users, groups, apps) | Manage Azure resources |
| Example | Global Administrator, Application Administrator | Owner, Contributor, Reader |
| Assignment Location | Microsoft Entra admin center | Azure portal (IAM) |
⚠️ Exam Trap: Confusing Microsoft Entra roles with Azure RBAC roles. A Compliance Administrator is a Microsoft Entra role (manages Entra ID compliance features), not an Azure RBAC role. It cannot manage Azure resource policies.