AZ-104 Azure RBAC - Understanding Roles in Azure
- Describing RBAC
- Describing Azure Roles
- Describing Azure AD Roles
- Azure Roles vs Azure AD Roles
- RBAC Architecture
Describing RBAC
"Who can do what, where, who what and where"
Describing Azure Roles
- Owner: Full access to resources and can delegate access to other users
- Reader: Provides the ability to view resources; cannot perform actions on resources
- Contributor: Can create and manage resources
- User Access Administrator: Can delegate access to resources
Describing Azure Entra ID Roles
- Special set of roles for managing identity objects inside our Azure tenant (users, applications or devices), not Azure resources.
- Global Administrator: Provides access to manage all AD resources
- Billing Administrator: Performs billing tasks
- User Administrator: Can manage users and groups inside the Azure Entra ID tenant
- Helpdesk Administrator: Performs password resets if SSPR is not enabled
| Azure Roles | Azure Entra ID Roles |
|---|---|
| Manage access to Azure resources | Manage access to Azure AD resources at tenant level |
| Scope can be at multiple levels | Scope is at tenant level |
| Support custom roles | Support custom roles |
| Main roles: | Main roles: |
| Azure Roles | Azure Entra ID Roles |
|---|---|
| Control access to Azure resources: VMs, virtual networks | Control access to Azure AD resources: user objects, groups, devices, AD features |
| Referred to as Azure RBAC | |
| Built-in roles | Built-in roles |
| Custom roles | Custom roles |
| Scope at management groups, subscriptions, resource groups and resources, using identities that exist inside our Azure AD tenant | Scope at Azure AD tenant level; provides access for users that exist inside our Azure Entra ID tenant to perform administrative functions inside the tenant itself |
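As an added illustration (not part of the course notes), the Python below models how an Azure role assignment is evaluated at a scope: the assignment must sit at the target scope or one of its ancestors (resource group, subscription, management group), and the role's Actions must match the requested operation with no NotActions match. The role definitions are a simplified subset of the real built-in ones; the management-group membership, principals and assignments are constructed sample data.

```python
from fnmatch import fnmatchcase

# Simplified subset of the built-in role definitions (Actions / NotActions).
# The real definitions carry more NotActions and DataActions; these suffice here.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "not_actions": []},
}

# Constructed hierarchy: which management group each subscription belongs to.
SUBSCRIPTION_MG = {"sub-prod": "/providers/Microsoft.Management/managementGroups/mg-corp"}

def scope_chain(scope):
    """Return the scope plus every ancestor scope, up to its management group."""
    parts = scope.strip("/").split("/")
    chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    if len(parts) > 1 and parts[0].lower() == "subscriptions" and parts[1] in SUBSCRIPTION_MG:
        chain.append(SUBSCRIPTION_MG[parts[1]])
    return chain

def role_permits(role, action):
    """A role allows an action when an Actions pattern matches and no NotActions pattern does.
    Azure action strings are case-insensitive and '*' spans '/' separators, as in fnmatch."""
    spec = ROLES[role]
    allowed = any(fnmatchcase(action.lower(), p.lower()) for p in spec["actions"])
    denied = any(fnmatchcase(action.lower(), p.lower()) for p in spec["not_actions"])
    return allowed and not denied

def is_allowed(assignments, principal, action, scope):
    """assignments: list of (principal, role, assignment_scope).
    Azure RBAC is additive: any assignment at the target scope or an ancestor whose role
    permits the action grants it."""
    ancestors = {s.lower() for s in scope_chain(scope)}
    return any(p == principal and a_scope.lower() in ancestors and role_permits(role, action)
               for p, role, a_scope in assignments)

# Constructed sample assignments (principal, role, scope) and a target resource.
ASSIGNMENTS = [
    ("alice", "Reader", "/subscriptions/sub-prod"),
    ("bob", "Contributor", "/subscriptions/sub-prod/resourceGroups/rg-web"),
    ("carol", "User Access Administrator", SUBSCRIPTION_MG["sub-prod"]),
]
VM = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
```

Note that bob, a Contributor, is refused `Microsoft.Authorization/roleAssignments/write` on the VM (Contributor cannot delegate), while carol's User Access Administrator assignment at the management group reaches the VM through scope inheritance.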