Managing Role-Based Access Control on Azure

Role-Based Access Control, or RBAC, is how you can manage access to resources in Azure. RBAC works by creating role assignments that can apply to different levels of your tenant. A role assignment is broken down into three elements: the security principal, the role definition, and the scope you apply it to.

Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.

We will also look at common scenarios when troubleshooting role-based access control in Azure.

Learning Objectives

  • Identify the different elements that create the role assignment
  • Configure access to resources in Azure
  • Implement a custom role
  • Troubleshoot common RBAC problems

Intended Audience

  • People who want to become Azure administrators


Prerequisites

  • General knowledge of the Azure portal



I hope you enjoyed learning about managing role-based access control on Azure. Let's review what you learned in this course.

RBAC provides fine-grained access management to your resources in Azure. A role assignment consists of three elements: the security principal, that's the user, group, service principal, or managed identity; the role definition, which is a list of actions that you can or cannot do; and lastly, the scope that it applies to.

We configured access to Azure resources by going to Access Control at the resource group level; we can also make these modifications at the management group, subscription, or individual resource levels. In the resource group, we added a role assignment, checked the individual access, reviewed the role assignments, and then removed the access.

The Azure Activity Log provides visibility into subscription-level events that have occurred in Azure. Using the Activity Log, you can determine what operations were taken on the resources in your subscription. The RBAC events will be recorded as create role assignment, delete role assignment, create or update custom role definition, and delete custom role definition. Activity logs are kept for only 90 days, and if you need them for auditing or compliance reasons, you will need to export your logs using an event hub or a storage account.

Custom roles can be created in Azure to meet the necessary requirements. You can use the Azure Cloud Shell with Azure CLI or PowerShell to create, update, and delete role definitions. Adding role assignments or creating custom roles in Azure can lead to configuration errors. We reviewed some common scenarios in troubleshooting RBAC.

To learn more about managing role-based access, be sure to read Microsoft's documentation. Be sure to also watch for new Microsoft Azure courses on Cloud Academy because we're always publishing new courses. Please give this course a rating. If you have any questions or comments, please let us know. Thanks for watching and happy learning.
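As an added example (not part of the course material), the script below scans an exported Activity Log for the four RBAC events listed in the summary and reports who changed what, and at which scope. The sample records are constructed, and the field names (`time`, `operationName`, `resultType`, `caller`, `resourceId`) and the `Success` result value are assumptions about the export layout.

```python
import json
from collections import Counter

# Resource provider operations behind the four RBAC events named in the summary.
RBAC_OPERATIONS = {
    "microsoft.authorization/roleassignments/write": "Create role assignment",
    "microsoft.authorization/roleassignments/delete": "Delete role assignment",
    "microsoft.authorization/roledefinitions/write": "Create or update custom role definition",
    "microsoft.authorization/roledefinitions/delete": "Delete custom role definition",
}

# Constructed sample export, one JSON record per line (assumed layout, placeholder IDs).
SAMPLE_EXPORT = """
{"time": "2024-03-01T10:00:00Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "resultType": "Start", "caller": "admin@example.com", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/ra-1"}
{"time": "2024-03-01T10:00:02Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "resultType": "Success", "caller": "admin@example.com", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/ra-1"}
{"time": "2024-03-01T11:30:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "resultType": "Success", "caller": "ops@example.com", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-1"}
{"time": "2024-03-02T08:00:00Z", "operationName": "Microsoft.Authorization/roleDefinitions/write", "resultType": "Success", "caller": "ops@example.com", "resourceId": "/subscriptions/SUB-ID/providers/Microsoft.Authorization/roleDefinitions/rd-1"}
{"time": "2024-03-03T09:15:00Z", "operationName": "MICROSOFT.AUTH
{"time": "2024-03-03T12:00:00Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE", "resultType": "Failure", "caller": "ops@example.com", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/ra-1"}
{"time": "2024-03-04T14:45:00Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE", "resultType": "Success", "caller": "admin@example.com", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-demo/providers/Microsoft.Authorization/roleAssignments/ra-1"}
"""

def scope_of(resource_id):
    """Strip the Microsoft.Authorization suffix to recover the scope the change applies to."""
    idx = resource_id.lower().rfind("/providers/microsoft.authorization/")
    return (resource_id[:idx] or "/") if idx >= 0 else resource_id

def rbac_events(export_text):
    """Return successfully completed RBAC changes, oldest first."""
    events = []
    for line in export_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line: skip it rather than abort the audit
        if not isinstance(record, dict):
            continue
        label = RBAC_OPERATIONS.get(str(record.get("operationName", "")).lower())
        # One operation can log several records (Start, then the outcome); keep the success only.
        if label is None or record.get("resultType") != "Success":
            continue
        events.append({"time": record.get("time", ""), "event": label,
                       "caller": record.get("caller", "unknown"),
                       "scope": scope_of(str(record.get("resourceId", "")))})
    return sorted(events, key=lambda e: e["time"])

def changes_by_caller(events):
    """Count RBAC changes per caller, useful for spotting unexpected administrators."""
    return dict(Counter(e["caller"] for e in events))
```

Running `rbac_events(SAMPLE_EXPORT)` on the sample yields three changes and ignores the unrelated VM write, the failed delete, and the truncated record.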

About the Author

With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.

When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.