When it comes to planning your authentication and authorization strategy in Azure, it is useful to know what you can do with Azure RBAC roles.
Azure RBAC is an authorization fabric built on Azure Resource Manager. It is useful for defining fine-grained privileges for accessing resources in Azure.
The key concepts of Azure RBAC are as follows:
- Security principal: This can be a user, a group, a service principal or a managed identity
- Role or Role definition: This is a set of permissions that apply to a specific resource. For example, a role that grants read-only privileges in Azure Key Vault
- Scope: A scope is the set of resources that a given access applies to. You can specify a scope at 4 levels: management group level, a subscription level, a resource group level, or at the resource level
- Role assignment: This is simply “assigning” or configuring the relationship between a security principal and a role definition. A security principal can have one or more role assignments, with each role assigned to a particular scope
- Groups: Where possible, it is best practice to assign roles to groups of security principals that require the same level of permissions instead of assigning roles to individual security principals
- Deny assignments: These are similar to role assignments, but rather than granting permissions, they deny permissions to a group or security principal. Note that deny assignments take priority over role assignments
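To make the interplay of these concepts concrete, here is an added example (not part of the original post, and not how Azure itself implements evaluation) that models effective access from the pieces above: scopes that inherit downwards from management group to resource, role assignments made to a group rather than a user, NotActions that subtract only from their own role, and deny assignments that win over every role assignment. All principal names, subscription IDs and vault names are constructed.

```python
from fnmatch import fnmatchcase

# All data below is constructed for illustration (hypothetical names and IDs).
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/sub1"
RG = SUB + "/resourceGroups/rg-app"
VAULT_A = RG + "/providers/Microsoft.KeyVault/vaults/kv-a"
VAULT_B = RG + "/providers/Microsoft.KeyVault/vaults/kv-b"
MG_MEMBERS = {MG_ROOT: [SUB]}            # management group -> member subscriptions
GROUPS = {"alice": ["kv-readers"]}       # principal -> group memberships

ROLE_DEFINITIONS = {
    "Key Vault Reader": {"actions": ["Microsoft.KeyVault/vaults/read"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]},
}
ROLE_ASSIGNMENTS = [                      # best practice: assign to the group, not the user
    {"principal": "kv-readers", "role": "Key Vault Reader", "scope": SUB},
    {"principal": "bob", "role": "Contributor", "scope": RG},
    {"principal": "carol", "role": "Key Vault Reader", "scope": MG_ROOT},
]
DENY_ASSIGNMENTS = [                      # deny assignments override any role assignment
    {"principal": "bob", "actions": ["Microsoft.KeyVault/vaults/delete"], "scope": VAULT_A},
]

def scope_covers(assigned, target):
    """An assignment applies to its own scope and to everything below it."""
    if target == assigned or target.startswith(assigned + "/"):
        return True
    # management groups are not path prefixes of subscriptions, so map them explicitly
    return any(target == s or target.startswith(s + "/") for s in MG_MEMBERS.get(assigned, []))

def matches(patterns, action):
    """ARM action strings allow '*' wildcards and compare case-insensitively."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principal, action, scope):
    """Effective access: check deny assignments first, then inherited role assignments."""
    identities = {principal, *GROUPS.get(principal, [])}
    for deny in DENY_ASSIGNMENTS:
        if deny["principal"] in identities and scope_covers(deny["scope"], scope) \
                and matches(deny["actions"], action):
            return False
    for ra in ROLE_ASSIGNMENTS:
        if ra["principal"] not in identities or not scope_covers(ra["scope"], scope):
            continue
        role = ROLE_DEFINITIONS[ra["role"]]
        # NotActions only subtract from the same role's Actions, never from other roles
        if matches(role["actions"], action) and not matches(role["notActions"], action):
            return True
    return False
```

Run it with a principal, an action string and a resource ID to see which assignment (or deny) decides the outcome; bob, for instance, can write to both vaults through Contributor on the resource group but cannot delete kv-a because of the deny assignment scoped to that vault.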
References
- https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview
- Exam Ref AZ-305 Designing Microsoft Azure Infrastructure Solutions