Role-Based Access Control, or RBAC, is how you can manage access to resources in Azure. RBAC works by creating role assignments that can apply to different levels of your tenant. A role assignment is broken down into three elements: the security principal, the role definition, and the scope you apply it to.

Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.

We will also look at common scenarios when troubleshooting role-based access control in Azure.

Learning Objectives

  • Identify the different elements that create the role assignment
  • Configure access to resources in Azure
  • Implement a custom role
  • Troubleshoot common RBAC problems

Intended Audience

  • People who want to become Azure administrators


  • General knowledge of the Azure portal

Related Training Content

To discover more courses covering Microsoft Azure topics, visit our dedicated Azure Training Library.


RBAC provides fine-grained access management to your resources in Azure. What this does is it allows you to segregate duties between different teams in your organization. As an example, one team could be tasked with managing VMs and a subscription, or someone could be tasked with cost management, or give your IT security team access to Azure Security Center. Making these RBAC examples work is by creating role assignments. Role assignments define how you can access resources in Azure. This can be at the management group level and all the way down to the resource itself. A role assignment consists of three elements, the security principal, the role definition, and the scope you apply it to. A security principal can be a user, group, service principal, or managed identity that requires access to Azure resources. A role definition is a list of actions that you can or cannot do. Your role definition could allow you to create and manage virtual machines but prevent you from deleting them. 

The following are the most common or known RBAC roles. Owner provides full access to resources in Azure, and you can delegate access to other users. Contributor, just like the owner role, provides full access to resources in Azure, but you cannot delegate control. As the name implies, the reader can only view resources in Azure. And lastly, the user access administrator role is granted permission to manage access to Azure resources. Beyond these fundamental roles, Azure provides many built-in roles to meet your organization needs. As an example, the security admin role provides access to Azure Security Center, where they can read, edit security policies, and view and dismiss alerts. The last element is scope. In Azure, the RBAC roles can be assigned at different levels depending on how wide you want to provide access. Scope can be applied at the management group level, or at the subscription, or at the resource group, all the way down to individual resources. Combining these three elements makes the role assignments work by defining the role definition it will apply to a security principal and then is assigned to a scope.

About the Author

With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.

When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.