AZ-104 Learning Portal
Objective 1.2 · 30 min · high priority
Tags: rbac, role-assignment, scope, contributor, owner, reader, deny-assignment, iam

1.2 — Manage Access to Azure Resources

Understand Azure RBAC role assignments, the four scope levels, built-in roles and their boundaries, and how deny assignments override allow permissions.

Prerequisites: 1.1

Concept — What & Why

Azure Role-Based Access Control (RBAC)

Azure RBAC is the authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources by binding a security principal to a role definition at a specific scope. It grants access by creating a role assignment, which has three components:

  • Security principal — who gets access (user, group, service principal, or managed identity)
  • Role definition — what they can do (a collection of allowed actions)
  • Scope — what resources the permissions apply to

Fundamental Built-In Roles

Role                                      Create/Manage Resources   Assign Roles   Delete Resources   Notes
Owner                                     Yes                       Yes            Yes                Full control including RBAC management
Contributor                               Yes                       No             Yes                Full resource management, no RBAC access
Reader                                    No (read-only)            No             No                 View all resources, no changes
User Access Administrator                 No                        Yes            No                 Manage user access only, not resources
Role Based Access Control Administrator   No                        Yes            No                 Manage RBAC only

Key distinction: Owner = Contributor + ability to assign roles. User Access Administrator is a built-in Azure role that can assign any Azure RBAC role to any principal, but cannot create or manage Azure resources itself. Contributor can do everything with resources except manage role assignments.

RBAC Scope Hierarchy

Scopes are structured in a parent-child relationship. Permissions assigned at a higher scope are inherited by all child scopes:

Management Group
  └── Subscription
        └── Resource Group
              └── Resource

A role assigned at the management group scope applies to all subscriptions, resource groups, and resources within that management group. This inheritance is additive — you can stack multiple role assignments, and the effective permissions at any scope are the union of everything granted there and at every parent scope.

Deny Assignments

Deny assignments are explicit blocks on specific actions that override any allow from a role assignment; they are created primarily by Azure Blueprints and Azure managed applications. Azure RBAC is additive by default — permissions accumulate — but a deny assignment takes precedence over every role assignment, so a denied action stays blocked regardless of which roles the principal holds.

Viewing and Assigning Roles in the Portal

Role assignments are managed through the Access control (IAM) blade, available at every scope level: management groups, subscriptions, resource groups, and individual resources. The Check access tab lets you verify what a given identity can do at that scope.

Deep Dive — How It Works

Role Assignment Scope Interaction

RBAC is additive — a role assignment at a child scope adds to inherited permissions from the parent; it does not replace or override them.

Example: A user assigned Reader at subscription scope and Contributor at one resource group within that subscription effectively has Contributor access inside that resource group and Reader access everywhere else in the subscription.

Exam Trap

Contributor cannot assign roles. Role assignment requires Owner, User Access Administrator, or Role Based Access Control Administrator. This is the most commonly tested distinction in AZ-104.

Scope Level Details

Scope              How to access IAM
Management Group   Azure portal → Management groups → select group → IAM
Subscription       Azure portal → Subscriptions → select subscription → IAM
Resource Group     Azure portal → Resource groups → select group → IAM
Resource           Navigate to any resource → IAM

Azure RBAC vs. Entra ID Roles

Must Memorize

Azure RBAC applies to Azure resources (control plane via Resource Manager). Managing Entra ID settings requires separate Entra ID roles (e.g., Global Administrator, User Administrator). The Contributor role at a subscription does NOT grant access to Entra ID.

Deny Assignments vs. Role Assignments

Feature       Role Assignment     Deny Assignment
Who creates   Admins              Azure Blueprints / managed apps
Effect        Adds permissions    Blocks specific actions
Priority      Lower               Higher (overrides allows)
Deletable     Yes                 Only if not system-managed

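
The scope-interaction example from the Deep Dive (Reader at the subscription plus Contributor in one resource group) and the deny-assignment precedence rule in the table above can both be exercised with a small model of the evaluation order. The following Python is an added illustration written for this page, not Azure's authorization engine: the action lists are a simplified subset of the real built-in role definitions, the subscription ID is a placeholder, and the principals, scopes and deny assignment are constructed.

```python
"""Toy model of Azure RBAC evaluation: scope inheritance, additive role
assignments and deny-assignment precedence.

Added illustration, not Azure's authorization engine. Role action lists are
a simplified subset of the real built-in definitions; IDs and principals are
constructed placeholders."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified Actions/NotActions for the built-in roles the page discusses.
# Wildcards follow the convention used in Azure role definitions.
ROLE_ACTIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    scope: str
    denied_actions: tuple


def scope_covers(assignment_scope, target_scope):
    """A scope covers itself and every child scope beneath it (inheritance)."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def action_matches(pattern, action):
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role, action):
    spec = ROLE_ACTIONS[role]
    allowed = any(action_matches(p, action) for p in spec["actions"])
    excluded = any(action_matches(p, action) for p in spec["not_actions"])
    return allowed and not excluded


def is_allowed(principal, action, target_scope, assignments, denies=()):
    """Deny assignments are checked first and win; otherwise the union of
    every role assignment at the target scope or any parent scope decides."""
    for d in denies:
        if (d.principal == principal and scope_covers(d.scope, target_scope)
                and any(action_matches(p, action) for p in d.denied_actions)):
            return False
    return any(a.principal == principal and scope_covers(a.scope, target_scope)
               and role_allows(a.role, action) for a in assignments)


# Constructed scenario (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM_APP = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM_OTHER = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm2"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),          # the page's example
    RoleAssignment("alice", "Contributor", RG_APP),  # ...stacked at one RG
    RoleAssignment("bob", "Owner", SUB),
]
DENIES = [  # deny VM deletion in rg-app even for the Owner
    DenyAssignment("bob", RG_APP, ("Microsoft.Compute/virtualMachines/delete",)),
]

VM_WRITE = "Microsoft.Compute/virtualMachines/write"
VM_READ = "Microsoft.Compute/virtualMachines/read"
VM_DELETE = "Microsoft.Compute/virtualMachines/delete"
RA_WRITE = "Microsoft.Authorization/roleAssignments/write"


def evaluate_scenario():
    """Effective decisions for the constructed scenario."""
    args = (ASSIGNMENTS, DENIES)
    return {
        "alice writes VM in rg-app": is_allowed("alice", VM_WRITE, VM_APP, *args),
        "alice writes VM in rg-other": is_allowed("alice", VM_WRITE, VM_OTHER, *args),
        "alice reads VM in rg-other": is_allowed("alice", VM_READ, VM_OTHER, *args),
        "alice assigns role in rg-app": is_allowed("alice", RA_WRITE, RG_APP, *args),
        "bob deletes VM in rg-app": is_allowed("bob", VM_DELETE, VM_APP, *args),
        "bob deletes VM in rg-other": is_allowed("bob", VM_DELETE, VM_OTHER, *args),
        "bob assigns role in rg-app": is_allowed("bob", RA_WRITE, RG_APP, *args),
    }


if __name__ == "__main__":
    for label, decision in evaluate_scenario().items():
        print(f"{label}: {'allowed' if decision else 'denied'}")
```

Running it shows the two rules the page states: alice's Contributor assignment in rg-app adds to, rather than replaces, her subscription-wide Reader access (write succeeds only in rg-app, read succeeds everywhere), and her Contributor role still cannot write role assignments because of its NotActions; bob's Owner role loses VM deletion only where the deny assignment applies.
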
Hands-On Lab

Assign a Role at Subscription Scope

  1. Azure portal → Subscriptions → select your subscription
  2. Click Access control (IAM) in the left menu
  3. Click + Add → Add role assignment
  4. Select the Role (e.g., Contributor) → Next
  5. Under Members, click + Select members, search for and select the user or group → Select
  6. Click Review + assign, then confirm with Review + assign

Assign a Role at Resource Group Scope

  1. Azure portal → Resource groups → select the target resource group
  2. Click Access control (IAM) → + Add → Add role assignment
  3. Select the role, select the member, review, and assign

Check Effective Access

  1. Navigate to the scope (subscription, resource group, or resource)
  2. Click Access control (IAM) → Check access tab
  3. Search for a user, group, service principal, or managed identity
  4. Review the current role assignments and their effective scope

View All Role Assignments at a Scope

  1. Navigate to the desired scope
  2. Click Access control (IAM) → Role assignments tab
  3. Filter by role, principal type, or scope to narrow results
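
The same listing can be filtered outside the portal. As an added example, not from this course page or from Microsoft, the following Python takes the JSON that `az role assignment list --all --output json` emits and reports which principals can assign roles at a given scope, including assignments inherited from parent scopes. The records are constructed sample data using the field names the CLI emits (principalName, principalType, roleDefinitionName, scope); the IDs are placeholders. One caveat a practitioner should know: a subscription's scope string does not embed its management group, so management-group inheritance cannot be derived from the scope strings alone and the hierarchy has to be supplied separately (here as the constructed MG_CHILDREN mapping).

```python
"""Who can assign Azure RBAC roles at a given scope, computed from the JSON
emitted by `az role assignment list --all --output json`.

Added example, not from the course page. Sample records are constructed and
use the field names the CLI emits; IDs are placeholders."""
import json

# Roles the page lists as able to assign Azure RBAC roles.
ROLE_ASSIGNING_ROLES = {
    "Owner",
    "User Access Administrator",
    "Role Based Access Control Administrator",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"

# A subscription's scope string does not contain its management group, so
# MG inheritance needs the hierarchy supplied explicitly: each management
# group mapped to every subscription beneath it (transitively). Constructed.
MG_CHILDREN = {MG_ROOT: {SUB}}

# Constructed sample of what the CLI returns.
SAMPLE_JSON = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": RG_APP},
    {"principalName": "sg-iam-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator", "scope": RG_APP},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": RG_OTHER},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Role Based Access Control Administrator",
     "scope": MG_ROOT},
])


def _norm(scope):
    return scope.rstrip("/").lower()


def scope_covers(assignment_scope, target_scope, mg_children=None):
    """True if an assignment at assignment_scope is in effect at target_scope.
    Prefix matching handles subscription scope and below; management
    groups are resolved through mg_children."""
    a, t = _norm(assignment_scope), _norm(target_scope)
    if t == a or t.startswith(a + "/"):
        return True
    for mg, subs in (mg_children or {}).items():
        if _norm(mg) == a:
            return any(t == _norm(s) or t.startswith(_norm(s) + "/") for s in subs)
    return False


def who_can_assign_roles(assignments_json, target_scope, mg_children=None):
    """Sorted (principalName, principalType, role, scope, inherited) tuples
    for every assignment that confers role-assignment rights at target_scope."""
    out = []
    for rec in json.loads(assignments_json):
        if rec["roleDefinitionName"] not in ROLE_ASSIGNING_ROLES:
            continue
        if not scope_covers(rec["scope"], target_scope, mg_children):
            continue
        inherited = _norm(rec["scope"]) != _norm(target_scope)
        out.append((rec["principalName"], rec["principalType"],
                    rec["roleDefinitionName"], rec["scope"], inherited))
    return sorted(out)


if __name__ == "__main__":
    for name, ptype, role, scope, inherited in who_can_assign_roles(
            SAMPLE_JSON, RG_APP, MG_CHILDREN):
        tag = " [inherited]" if inherited else ""
        print(f"{name} ({ptype}) via {role} at {scope}{tag}")
```

For rg-app the report lists alice (Owner inherited from the subscription), sg-iam-admins (User Access Administrator directly on the group) and deploy-sp (Role Based Access Control Administrator inherited from the management group); bob's Contributor assignment is correctly absent, matching the exam trap that Contributor cannot assign roles. Omit the mg_children argument and the management-group assignment silently disappears from the result, which is exactly the blind spot the caveat above describes.
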

Assign a Role at Management Group Scope

  1. Azure portal → search Management groups → select the target management group
  2. Click Access control (IAM) → + Add → Add role assignment
  3. Assign the role and principal as above; the assignment cascades to all child subscriptions

Exam Angle — What AZ-104 Tests

AZ-104 Exam Focus

Exam Trap

"A Contributor can grant other users access to resources." → Contributors cannot assign roles. Role assignment requires Owner or User Access Administrator (or Role Based Access Control Administrator). This is the most commonly tested distinction.

Exam Trap

"Assigning Reader at the subscription scope lets a user read only the subscription metadata." → Reader at the subscription scope grants read access to all resources within that subscription, including all resource groups and individual resources, via inheritance.

Exam Trap

"User Access Administrator can create virtual machines." → User Access Administrator can only manage role assignments. It has no permissions to create, read, or manage Azure resources.

Exam Trap

"Role assignments at a resource group override inherited roles from the subscription." → RBAC is additive. A role assignment at the resource group adds to inherited permissions; it does not replace them.

Exam Trap

"The Contributor role at a subscription grants access to manage Azure AD/Entra ID." → Azure RBAC applies to Azure resources only. Managing Entra ID settings requires separate Entra ID roles.

Exam Tip

When an exam question asks about blocking access despite an existing role assignment, the answer is almost always a deny assignment — which overrides any allow permission regardless of role.

Review Questions

  1. Which built-in role can assign Azure RBAC roles but cannot create or manage Azure resources?
  2. What are the three components of an Azure role assignment?
  3. How does Azure RBAC handle multiple role assignments at different scopes?
  4. Which role equals Contributor plus the ability to assign roles?
  5. Where in the Azure portal do you manage role assignments for a specific resource group?
  6. What takes precedence in Azure RBAC: a role assignment or a deny assignment?
