
Azure permission model

1. Azure permission model

This lesson will focus on the Azure permission model.

2. Azure permission model

The Azure permission model is the structure and system in place for managing and controlling access to Azure resources. Microsoft Entra ID offers two primary models for managing access: directory roles and Role-Based Access Control (RBAC). These models serve different purposes within the Azure ecosystem.

3. What is a role?

In Microsoft Entra ID, a role is a collection of permissions that defines the actions a user, group, or system can perform on Azure resources. As an illustration, the Reader role provides the ability to view any resource property in the Azure portal but does not allow making changes. In contrast, the Contributor role, with a higher access level, allows changes to the underlying resources. Azure offers a comprehensive set of predefined roles and also allows the creation of custom roles if necessary.

4. Directory roles

Directory roles are a type of role focused on identity and access management within the organization; they are not directly related to managing access to Azure resources (like virtual machines or storage accounts). In simpler terms, they are used to determine whether an entity is authorized to access the organization at all.

5. Directory roles

For instance, when entering a country, you are initially checked for a valid passport and visa without being asked about your destination cities. If your passport is expired or you lack a visa, entry to the country is denied.

6. Directory roles use cases

Directory roles are associated with managing users and their access to Microsoft Entra ID itself. They are typically used for administrative tasks related to user accounts, groups, and directory settings. For example, IT administrators might need a directory role to help other users who experience difficulties accessing their accounts. Alternatively, another user may require a directory role to add or remove users from a specific group.

7. Role-based access control (RBAC)

Role-Based Access Control is a framework that enables you to manage access to Azure resources by controlling who can do what within a subscription, resource group, or individual resource. It lets you assign specific roles to users, groups, or applications, allowing them to perform certain actions on resources while restricting access to others. It enables organizations to implement the principle of least privilege by assigning only the permissions users need to carry out their tasks.

8. RBAC use cases

RBAC allows you to configure different permissions for different users and groups, assigned only to the resources they need to use. In practice, users from a certain department should not be able to access resources that do not concern them. For example, regular users should not be able to view payroll information, and not even HR staff are allowed to see it; only the Financial department would be permitted to access that particular set of files. On the other hand, the Financial department has no interest in the data warehouse components, and only the BI team should be allowed to access those. In practical terms, individuals from a specific department should only have access to the resources relevant to their responsibilities.

9. RBAC inheritance

Role-based access control inheritance refers to the way permissions are propagated through different levels of the resource hierarchy. Roles can be assigned at various scopes, such as subscription, resource group, or resource level. The concept of inheritance comes into play when permissions assigned at a higher level are automatically inherited by lower levels, unless explicitly removed.

10. RBAC inheritance

Consider this example: Group A is granted the Contributor role at the subscription level, and the subscription contains two resource groups, RG1 and RG2. RG1 contains a virtual machine and a storage account, and RG2 contains a web app and a database. Due to inheritance, Group A's Contributor permissions extend to every resource within both resource groups.

11. RBAC inheritance

To restrict access to the database, the administrator explicitly removes the inherited permissions, leaving Group A with Contributor rights to all resources except the database. In this case the administrator has broken the inheritance.
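The following is an added example, not code from the lesson or from Azure itself: a small Python model of how Azure RBAC evaluates a role assignment against the resource hierarchy. It serves both the department-scoping use case above (HR versus Finance) and the Group A inheritance scenario. The subscription id, resource names and principal ids are constructed placeholders; the Actions/NotActions shown for Reader and Contributor are subsets of the published built-in definitions. One practitioner caveat it makes visible: Azure has no per-resource "remove inherited permission" switch, so the outcome described above is reached either by assigning Contributor at narrower scopes (RG1 and the web app) or by a deny assignment on the database (in real Azure, deny assignments are created by Azure Blueprints and managed applications rather than by hand, so the narrower-scope approach is the everyday fix).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# --- constructed sample hierarchy (subscription id is a placeholder) -------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB + "/resourceGroups/RG1"
RG2 = SUB + "/resourceGroups/RG2"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm1"
ST1 = RG1 + "/providers/Microsoft.Storage/storageAccounts/st1"
WEBAPP1 = RG2 + "/providers/Microsoft.Web/sites/webapp1"
DB1 = RG2 + "/providers/Microsoft.Sql/servers/sql1/databases/db1"
HR_RG = SUB + "/resourceGroups/hr-rg"
PAYROLL = SUB + "/resourceGroups/finance-rg/providers/Microsoft.Storage/storageAccounts/payroll"
GROUP_A, HR_GROUP, FINANCE_GROUP = "group-a", "hr-group", "finance-group"  # constructed ids


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # wildcard patterns the role grants
    not_actions: tuple = ()  # patterns subtracted from the grant


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str               # subscription, resource group or resource id


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    actions: tuple
    scope: str


# Subsets of the Azure built-in role definitions (Reader / Contributor)
READER = RoleDefinition("Reader", ("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor", ("*",),
    ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/elevateAccess/Action"))


def _matches(action, patterns):
    """Action strings are case-insensitive; '*' spans '/' as it does in Azure."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and is inherited by every descendant scope."""
    a, r = assignment_scope.rstrip("/").lower(), resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_allowed(principal, action, resource_scope, assignments, denies=()):
    """Effective permission: a deny at any ancestor scope wins; otherwise any inherited grant wins."""
    for d in denies:
        if d.principal == principal and scope_covers(d.scope, resource_scope) and _matches(action, d.actions):
            return False
    for ra in assignments:
        if (ra.principal == principal and scope_covers(ra.scope, resource_scope)
                and _matches(action, ra.role.actions) and not _matches(action, ra.role.not_actions)):
            return True
    return False


def inherited_assignments():
    """Lesson scenario: Group A is Contributor at subscription scope, so everything below inherits."""
    return [RoleAssignment(GROUP_A, CONTRIBUTOR, SUB)]


def narrowed_assignments():
    """Grant at narrower scopes instead, so nothing flows down to the database."""
    return [RoleAssignment(GROUP_A, CONTRIBUTOR, RG1), RoleAssignment(GROUP_A, CONTRIBUTOR, WEBAPP1)]


def deny_on_database():
    """Alternative: keep the broad grant but block the database with a deny assignment."""
    return [DenyAssignment(GROUP_A, ("*",), DB1)]


def department_assignments():
    """Use-case scenario: each department reads only its own resource group / account."""
    return [RoleAssignment(HR_GROUP, READER, HR_RG), RoleAssignment(FINANCE_GROUP, READER, PAYROLL)]


if __name__ == "__main__":
    write_db = "Microsoft.Sql/servers/databases/write"
    print(is_allowed(GROUP_A, write_db, DB1, inherited_assignments()))                    # True (inherited)
    print(is_allowed(GROUP_A, write_db, DB1, narrowed_assignments()))                     # False (no ancestor grant)
    print(is_allowed(GROUP_A, "Microsoft.Web/sites/write", WEBAPP1, narrowed_assignments()))  # True
    print(is_allowed(GROUP_A, write_db, DB1, inherited_assignments(), deny_on_database()))  # False (deny wins)
    print(is_allowed(HR_GROUP, "Microsoft.Storage/storageAccounts/read", PAYROLL, department_assignments()))  # False
```

The NotActions check also reproduces a detail worth remembering when auditing Contributor: the role cannot create or delete role assignments, because `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete` are subtracted from its `*` grant, which is why Contributor alone is not a path to granting oneself more access.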

12. Let's practice!

Let's check how well you have mastered the Azure permission model!