Overview of Key Roles

As an IT professional tasked with managing resources in Azure, it’s important to understand key administrative roles and permissions within a subscription and within a resource group. It’s also important to know how to leverage Role Based Access Control (RBAC) for managing such administrative roles and permissions.

In the first part of this course, you will learn about Azure subscriptions.  You will learn about key roles within a subscription, including contributor, owner, reader, and user access administrator. You’ll also learn how to manage these roles by using RBAC. We’ll also cover subscription policies and the role they play in the management of an Azure subscription.

In the second part of the course, we’ll talk about resource groups in Azure.  We’ll touch on what they do and how they are managed. You will learn how to secure resources within a resource group via resource policies and resource locks.  You’ll also learn about resource tagging and how it can be used to manage and group Azure resources.

Rounding out this course, we’ll cover the process of moving resources from one resource group to another, as well as the deletion of resource groups altogether.

Learning Objectives

Azure Subscriptions

  • Understand the owner role
  • Understand the subscription administrator role
  • How to manage roles and permissions with RBAC
  • Understand subscription policies

Resource Groups

  • Understanding the purpose of resource groups
  • How to leverage resource group policies
  • How to use resource locks to protect resources
  • How to leverage resource tags
  • Moving resources between resource groups
  • Removing resource groups

Intended Audience

  • IT professionals interested in becoming Azure cloud architects
  • IT professionals preparing for Microsoft’s Azure certification exams


Prerequisites

  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment

Hello and welcome to key roles. To effectively manage Azure subscriptions and resource groups, you must be familiar with the different RBAC roles. What we're going to do here is take a look at some of the key built-in roles along with some of the other more important RBAC roles.

The four key roles that I want to introduce you to are contributor, owner, reader, and user access administrator. The contributor role is used to grant full access to manage all Azure resources. However, this role does not allow the user to whom it's been assigned to assign roles in Azure RBAC. In other words, a user with a contributor role assigned to him can only manage resources. He cannot assign roles to other users.

The owner role is similar to the contributor role. However, as you might expect, it grants additional permissions. Like the contributor role, the owner role grants the user to whom it's been assigned full access to manage all Azure resources. However, it also allows the user to assign roles to other users in Azure RBAC. The owner role can be viewed as essentially having the keys to the kingdom for whatever resource it applies to.

The reader role is pretty self-explanatory. A user that's been assigned the reader role will be able to view resources or read them, but will not be allowed to make any changes. User access administrators are allowed to manage user access to Azure resources and that's it. They have no access to the actual resources themselves. Rather, they manage the access to those resources.
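The difference between these four roles comes down to the `Actions` and `NotActions` lists in each role definition. The sketch below is an added example, not part of the course material: the role data is abbreviated from the built-in definitions (Contributor's real `NotActions` list is longer), and the evaluator function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Control-plane permissions of the four key built-in roles, abbreviated.
# Compare against current definitions with `az role definition list`.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}


def _matches(patterns, operation):
    # Operation names are compared case-insensitively; "*" spans any text.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(role, operation):
    """Effective permission of ONE role: Actions minus NotActions.

    NotActions is a subtraction, not a deny: a second role assignment
    can still grant the same operation to the same user.
    """
    d = ROLES[role]
    return _matches(d["actions"], operation) and not _matches(
        d["not_actions"], operation
    )


def roles_that_can(operation):
    """Which of the four roles permit this operation (useful in access reviews)."""
    return [r for r in ROLES if is_allowed(r, operation)]


if __name__ == "__main__":
    # Constructed sample operations covering manage, read, and role assignment.
    for op in (
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Authorization/roleAssignments/write",
    ):
        print(f"{op}: {roles_that_can(op)}")
```

When reviewing a subscription, the roles returned for `Microsoft.Authorization/roleAssignments/write` are the ones that can grant access to others, so their assignments deserve the closest scrutiny.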

Now, these four key roles are by no means the only roles that are used to manage Azure subscriptions and resource groups. There are literally dozens or maybe even hundreds of different roles that are available depending on the Azure resource that you're talking about. For example, for compute resources, we have roles like the virtual machine contributor which allows you to manage virtual machines without providing access to them. This role also blocks access to the virtual networks and storage accounts that virtual machines are connected to.

Other compute roles include virtual machine administrator login, virtual machine user login, and classic virtual machine contributor. There are even more built-in roles for networking resources, including network contributor which allows you to manage networks, but not access them.

There are several CDN-related roles as well that allow for different levels of CDN management. There are also several other networking-related roles to choose from. The same thing goes for storage, web, containers, databases, and a host of other types of Azure resources. The URL on your screen provides a complete and updated list of all the different built-in RBAC roles that come into play when managing Microsoft Azure.

Now, I should point out that you aren't going to be expected to memorize a list of hundreds of different roles, that's just not practical, but you should really familiarize yourself with the four key roles that I mentioned earlier. They include the contributor role, the owner role, the reader role, and the user access administrator role.

You should also be aware that in addition to all of these built-in roles, you can create custom roles when necessary as well. That being said, the built-in roles are more often than not sufficient for typical environments. Join me in the next lesson where I'll demonstrate how to add an owner to an Azure subscription.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.