Role based access control (RBAC)

Start course


This course covers the Secure Resources part of the 70-534 exam, which is worth 20-25% of the exam. The intent of the course is to help fill in an knowledge gaps that you might have, and help to prepare you for the exam.


Welcome back. In this lesson, we're going to be talking about RBAC or Role Based Access Control. Let's start by talking about what Role Based Access Control is.

The general idea behind RBAC is that we can grant permissions to a role, and then we can assign roles to users and what this does is provide an easy method for managing permissions because we don't need to assign permissions directly to a user.

As an example, a role of admin may have full permissions whereas a role of view only would only be able to view resources. And when a user needs new permissions, they can be added to a role that fits the needs and if they no longer require those permissions, we can remove them from that role.

So how does this relate to Azure? Azure allows us to manage where a role is assigned and there are three locations, at the subscription level, at a resource group level or on a resource directly.

Now the the resource tells us that this is all handled from the new portal or from PowerShell, the command line interface or the REST API since the classic portal is about services and the new portal is all about resources.

Azure gives us a set of common built-in roles that we can use. The list is fairly long so I'm not gonna read through it. However, you can find it at

Now for a lot of companies, especially smaller ones, the built-in roles are gonna work fine. However, Azure allows us to create our own custom roles as well. For custom roles, you'll need to use PowerShell or if you prefer, again you can use the command line interface or the REST API. Those both work as well.

And custom roles are specified as a JSON template. They can contain the allowed actions as well as the actions that aren't allowed. Now this provides for a fairly granular control over securing resources in a very simple way.

Let's look at how to actually use these roles. First, I'm gonna fire up a new VM. We're gonna create a Windows Server 2012 R2 datacenter VM. This should be second nature to you by now.

The part that's noteworthy is that we're gonna create a new resource group and we're gonna call it rbac-demo and the reason that this is important is because we're going to be assigning a role to this group later and then adding a user to that.

Let's jump ahead to when this is actually complete...okay, now we have our running VM. So now let's assign some roles to it. What we're actually doing is assigning roles to a resource, a VM is a resource so is a SQL database or a web app so we can grant roles to individual resources and this will allow us to make sure people have access to exactly what they need and know more.

Okay, we'll click on the IM and we'll click Add and we're gonna go with the dev test lab. Now, this is a useful role often in the real world but as well for demonstrating RBAC because it's very easy to demonstrate stopping and starting a VM, so we're gonna use this and we need to add a user to it.

Alright, before this is complete, let's check out our other user so that you can see that we don't have any resources listed so you'll notice here there's nothing listed for any of the resources. Now, we're gonna go back and save. Alright, so this role is all set.

Now, let's go back, log in with our John Smith user and you'll see the VM is listed and if we click on it, we can stop it and now if I jump forward to when it's completed. Okay, so now we could start it back up again if we wanted to so we've enabled John Smith with the ability to have some limited permissions to specific resources, in particular this VM.

However, what if we wanted him to have permissions to start and stop all the VMs in this resource group? For that, we go to the resource group's blade and we click on IM and then we're gonna follow the steps as before.

We select the role that we want and then we add the user that we want to that role and that's it. Now John Smith can start and stop any VM in that group and this granularity will allow different engineers to access the resources and groups of resources that they need to do their job.

If you need a user to be able to create VMs inside of a specific group, find a role that best fits or optionally create one and then assign that role to the resource group and that user to the role.

Okay, that's gonna wrap up this lesson. In the next lesson, we'll cover managing security risks so if you're ready to keep learning then let's get started in the next lesson.

About the Author

Learning paths15

Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.