AZ-900 Microsoft Azure Fundamentals Exam

Describe Azure role-based access control (RBAC)

Roles and Role Definitions

Azure role-based access control (Azure RBAC) is the authorization system, built on Azure Resource Manager, that manages who has access to Azure resources and what they can do with them. Access is granted by assigning roles to security principals (users, groups, service principals, or managed identities) at a chosen scope; the role determines which actions the principal can perform on the resources within that scope. To see what access someone has, look at their role assignments. Azure roles are separate from Microsoft Entra roles: a Microsoft Entra role such as Global Administrator governs the directory, not the resources in a subscription, and confers no Azure resource access on its own.

Azure provides many built-in roles that cover common access needs. The four general-purpose ones are:

  • Owner: Has full control over resources, including the ability to assign roles to others.
  • Contributor: Can create and manage resources but cannot assign roles.
  • Reader: Can view resources but cannot make changes.
  • User Access Administrator: Can manage other principals' access to resources (create and remove role assignments) but cannot manage the resources themselves.

In addition to these general roles, there are also more specific built-in roles for services like Azure Virtual Desktop, which include roles like Desktop Virtualization Contributor, Desktop Virtualization Reader, and Desktop Virtualization User. These roles allow for more granular control over administrative tasks.

If the built-in roles don't meet your organization's needs, you can create custom roles with exactly the set of permissions you define (Actions and NotActions for management operations, DataActions and NotDataActions for data-plane operations). In the Azure portal you can create a custom role by cloning an existing role, starting from scratch, or starting from a JSON file; the same JSON shape is used by the Azure CLI and Azure PowerShell. Custom roles are stored in your Microsoft Entra directory and can be shared across the subscriptions that trust that directory; each custom role lists, in its AssignableScopes, the management groups or subscriptions at which it may be assigned.

A role assignment links a security principal (user, group, service principal, or managed identity) to a role definition at a specific scope. The scope determines which resources the assignment applies to. From broadest to narrowest, the levels are management group, subscription, resource group, and individual resource. Assignments are inherited downward: a role assigned at a broader scope applies to every resource beneath it, so a role assigned at the subscription level applies to all resource groups and resources within that subscription.

Some roles are considered privileged administrator roles because they grant extensive permissions or the ability to grant permissions to others: Owner, Contributor, User Access Administrator, and Role Based Access Control Administrator. It's important to manage these roles carefully. You can view and manage privileged role assignments in the Azure portal, add conditions that constrain what the assignee can do (for example, which roles they are allowed to assign to others), or remove them as needed. Azure RBAC is used across many Azure services, including Azure Virtual Desktop, Synapse Analytics, and Azure Health Data Services. Each service may have its own set of built-in roles and may use RBAC in slightly different ways. For example, Synapse RBAC extends Azure RBAC to manage access to code artifacts and job execution within Synapse workspaces.

Best Practices for Implementing RBAC

Implementing Azure RBAC effectively is crucial for managing access to Azure resources. The key principle is least privilege: grant only the permissions required for a specific job, which limits the damage from both mistakes and compromised credentials. For example, instead of granting a user the Owner role, which provides full access and lets them grant access to others, assign Contributor or Reader, or a service-specific built-in role such as Virtual Machine Contributor, according to what they actually need.

Regular review of role assignments is another essential practice. Over time, roles and responsibilities change, and permissions that were once appropriate stop being so. Periodically auditing role assignments helps identify and remove unnecessary permissions, reducing potential security risk. The review should cover groups, service principals, and managed identities as well as individual users; automation identities in particular tend to keep their assignments long after the workload that needed them is gone. Role assignment creations and deletions are recorded in the Azure Activity log (operations Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete), which gives you a history of changes to review alongside the current assignments.

Azure Policy can help enforce your RBAC standards. Azure Policy evaluates resources, and role definitions and role assignments are themselves Azure resources (Microsoft.Authorization/roleDefinitions and Microsoft.Authorization/roleAssignments), so a policy can audit or deny them. The built-in definition "Audit usage of custom RBAC roles", for example, flags subscriptions where custom roles are in use so you can check that a built-in role would not have sufficed. Azure Policy complements RBAC rather than replacing it: RBAC decides whether a principal may perform an action, Policy decides whether the resulting resource or assignment meets your organization's standards.

When assigning roles, prefer the built-in roles, which Microsoft maintains and which cover the common scenarios. If none fits, create a custom role with exactly the permissions your organization requires; the quickest route is to clone the built-in role that has most of the permissions you need and then add or remove actions for your scenario. Creating or changing a custom role requires permission to write role definitions (Microsoft.Authorization/roleDefinitions/write), which Owner and User Access Administrator have, so the people who can mint new roles are the same people who can hand out access.

In addition, understand the scope of role assignments. Access can be scoped to a management group, subscription, resource group, or individual resource, and assigning at the narrowest scope that does the job keeps a principal from reaching resources it has no business touching. Finally, remember that changes to role assignments can take up to 30 minutes to propagate, so changes may not take effect immediately. Verify access with the affected principal after a change rather than assuming it, and plan for the delay when granting and, more importantly, when revoking access.

Role Assignments and Scopes

To determine what access a user, group, service principal, or managed identity has in Azure, look at their role assignments. Each assignment defines what actions the principal can perform and on which resources.

A role assignment consists of three main parts: a security principal, a role definition, and a scope. The security principal is the user, group, or service that is being granted access. The role definition is a collection of permissions that define what actions can be performed. The scope limits where these permissions apply, such as a management group, subscription, resource group, or individual resource.

Scopes are hierarchical, so permissions granted at a higher level are inherited by everything beneath it. For example, a user assigned the "Reader" role at the subscription level has read access to every resource in that subscription. You can also assign roles at more granular levels, such as a specific resource group or an individual resource, for more precise control. Assignments combine additively: a user who holds Reader at the subscription and Contributor on one resource group can manage that resource group and still read everything else, because the narrower assignment adds to the broader one rather than replacing it.

When assigning roles, it's best to follow the principle of least privilege, granting only the necessary permissions at the narrowest scope possible. This helps to enhance security and reduce the risk of unauthorized access. Azure provides several built-in roles, such as "Owner," "Contributor," and "Reader," each with different levels of access. You can also create custom roles to meet specific organizational needs.

To view role assignments, open the "Access control (IAM)" page of a resource, resource group, subscription, or management group in the Azure portal. The Role assignments tab lists every assignment at that scope, including those inherited from parent scopes, with the security principal, role, and scope of each, and you can add or remove assignments from the same page. The Check access option on that page shows the effective assignments of one principal at that scope, which is the quickest way to answer "what can this identity do here". In summary, understanding role assignments and scopes is crucial for managing access to Azure resources: used well, RBAC gives users the access they need for their tasks while keeping the environment secure.

Core Concepts of Azure RBAC

Azure Role-Based Access Control (RBAC) is a system used to manage who has access to Azure resources and what they can do with them. It's a fundamental part of Azure's security model, ensuring that only authorized users can perform specific actions. RBAC is essential for maintaining the security and integrity of your cloud environment.

RBAC operates using three main components: security principals, role definitions, and scopes. A security principal is an identity that is granted permissions, such as a user, group, service principal, or managed identity. A role definition is a collection of permissions that define what actions a security principal can perform. Finally, a scope is the level at which the permissions apply, such as a management group, subscription, resource group, or individual resource.

When a security principal tries to act on an Azure resource, Microsoft Entra ID authenticates the principal, and Azure Resource Manager then checks the role assignments that apply at the target scope and at every scope above it (inheritance), including assignments made to groups the principal belongs to. A role assignment links a security principal to a role definition at a specific scope. Azure RBAC is additive: the effective permissions are the union of all applicable assignments, and within each role the NotActions are subtracted from its Actions. If a user has the "Reader" role at the subscription level, they can view every resource in that subscription; if they also hold Contributor on one resource group, they can manage resources there while remaining read-only elsewhere. Deny assignments, which Azure creates on behalf of features such as deployment stacks and managed applications (you cannot create them directly), are evaluated after role assignments and block an action even when a role would otherwise allow it.
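As an added illustration of the evaluation just described (and of the scope inheritance and custom role JSON shape covered under "Roles and Role Definitions" and "Role Assignments and Scopes"), the Python below models the check Azure Resource Manager performs. It is not Microsoft's code: the subscription, resource groups, virtual machines, users, group, role assignments and deny assignment are constructed sample data, and the two built-in role definitions are abbreviated to the entries exercised here (they keep the real JSON keys).

```python
"""Model of how Azure RBAC decides a request: scope inheritance, additive role
assignments, NotActions and deny assignments. Added illustration, not Microsoft's
code; all scopes, principals and assignments below are constructed sample data."""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_FIN = SUB + "/resourceGroups/rg-finance"
VM_WEB = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_FIN = RG_FIN + "/providers/Microsoft.Compute/virtualMachines/vm-fin-01"

ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]},
    "Contributor": {  # abbreviated: the real role lists further NotActions
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "AssignableScopes": ["/"],
    },
    # A custom role (constructed) in the shape the portal's "Start from JSON" option accepts.
    "Virtual Machine Operator": {
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "NotActions": [],
        "AssignableScopes": [SUB],  # assignable only at or below this subscription
    },
}

# Group membership: an assignment made to a group applies to its members.
GROUP_MEMBERS = {"vm-operators": {"alice"}}

# Role assignments: security principal + role definition + scope (constructed).
ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "vm-operators", "role": "Virtual Machine Operator", "scope": RG_PROD},
    {"principal": "bob", "role": "Contributor", "scope": RG_FIN},
]

# Deny assignments (simplified shape). Azure creates these for features such as
# deployment stacks; they are checked after role assignments and always win.
DENY_ASSIGNMENTS = [
    {"principals": {"bob"}, "denied_actions": ["*/delete"], "scope": RG_FIN},
]


def scope_contains(parent: str, child: str) -> bool:
    """True if child is parent or sits below it in the management group /
    subscription / resource group / resource hierarchy (case-insensitive)."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return c == p or c.startswith(p + "/")


def matches_any(action: str, patterns) -> bool:
    """Operation names are case-insensitive; '*' matches any run of characters,
    including '/', so '*/read' covers every read operation of every provider."""
    return any(fnmatchcase(action.lower(), pattern.lower()) for pattern in patterns)


def principals_for(user: str) -> set:
    # The user plus every group that contains the user.
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def assignable_at(role_name: str, scope: str) -> bool:
    """A role can only be assigned at or below one of its AssignableScopes."""
    return any(scope_contains(s, scope) for s in ROLE_DEFINITIONS[role_name]["AssignableScopes"])


def is_allowed(user: str, action: str, resource: str) -> bool:
    """1. A deny assignment covering principal, action and scope blocks the request.
    2. Otherwise allow if any applicable assignment (direct or via a group, at the
       resource's scope or above) grants the action via Actions and does not
       exclude it via NotActions. One permissive assignment is enough (additive)."""
    principals = principals_for(user)
    for deny in DENY_ASSIGNMENTS:
        if (principals & deny["principals"]
                and scope_contains(deny["scope"], resource)
                and matches_any(action, deny["denied_actions"])):
            return False
    for assignment in ROLE_ASSIGNMENTS:
        if assignment["principal"] not in principals:
            continue
        if not scope_contains(assignment["scope"], resource):
            continue
        role = ROLE_DEFINITIONS[assignment["role"]]
        if matches_any(action, role["Actions"]) and not matches_any(action, role["NotActions"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM_WEB),          # Reader inherited from subscription
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),  # via group assignment at rg-prod
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_WEB),        # nothing grants delete
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),    # Contributor is scoped to rg-finance
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG_FIN),     # excluded by Contributor NotActions
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM_FIN),          # deny assignment beats Contributor
    ]
    for user, action, resource in checks:
        print(f"{user:6} {action:48} {'allowed' if is_allowed(user, action, resource) else 'denied'}")
```

Running it prints one decision per line. The points to take from it: alice reads vm-web-01 through Reader inherited from the subscription and can start or restart it through the group assignment at the resource group, but nothing grants delete; bob's Contributor assignment on rg-finance does not reach rg-prod, cannot write role assignments because of Contributor's NotActions, and loses to the deny assignment for deletes even inside rg-finance. The assignable_at check is what a role-assignment request is validated against for a custom role's AssignableScopes.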

RBAC provides several benefits, including:

  • Granular Access Control: Allows you to grant only the necessary permissions to users, following the principle of least privilege.
  • Simplified Management: Makes it easier to manage access to resources by assigning roles to groups rather than individual users.
  • Improved Security: Reduces the risk of unauthorized access and accidental changes to resources.
  • Auditing and Compliance: Provides a clear audit trail of who has access to what resources, which is essential for compliance.

RBAC is used across Azure services, including virtual machines, storage accounts, and databases. For example, assigning a developer the Virtual Machine Contributor role on one resource group lets them manage the virtual machines there while keeping them out of every other resource group and the subscription itself. You can manage RBAC using the Azure portal, Azure CLI, Azure PowerShell, the REST API, or infrastructure-as-code templates (ARM and Bicep); all of them create, assign, and manage roles and role assignments through the same Azure Resource Manager API. Review and update role assignments regularly to ensure that access is still appropriate.

Monitoring and Auditing RBAC

Monitoring Azure RBAC starts with knowing what access users, groups, service principals, and managed identities actually hold. That means reviewing their role assignments, including the scope of each (management group, subscription, resource group, or single resource) and whether an assignment is direct or inherited from a group membership or a parent scope.

To monitor and audit RBAC, you can use the Azure portal to view role assignments. In the Azure portal, navigate to Microsoft Entra ID, select Users or Groups, open a specific user or group, and select Azure role assignments to list their assigned roles. The list shows every role assignment you have permission to read, including the scope at which each role is assigned. For the history of changes rather than the current state, the Activity log at subscription scope records each role assignment that was created or deleted (operations Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete), together with the caller and the time.

You can also view the owners of a subscription by going to Subscriptions and selecting the desired subscription. Then, click on Access control (IAM) and the Role assignments tab; the tab groups assignments by role, so scroll to the Owners section to see every principal with the Owner role for that subscription. This matters because the Owner role grants full access to manage everything within the subscription, including granting access to others.

Azure also provides ways to manage privileged administrator role assignments (Owner, Contributor, User Access Administrator, and Role Based Access Control Administrator). On the Access control (IAM) page of a scope, the Privileged tab shows the count of privileged administrator role assignments at that scope and lets you manage them, including adding conditions that limit what the assignee can delegate, or removing them. This helps ensure that only authorized personnel have elevated access, and that those who can grant access cannot grant more than intended.

Additionally, the Role assignments tab has a State column indicating whether an assignment is Active permanent, Active time-bound, Eligible permanent, or Eligible time-bound. Eligible and time-bound states come from Microsoft Entra Privileged Identity Management (PIM) for Azure resources; without PIM, every assignment is Active permanent. You can also view the start and end times for time-bound assignments by adding those columns to the view. This level of detail matters when auditing: an eligible assignment is not usable until it is activated, so a count of Owners should distinguish active assignments from eligible ones.
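The portal views above are fine for one subscription; at scale you export the assignments and check them in code. The script below is an added example, not Microsoft's tooling: it reads a list of assignment records using the field names that az role assignment list emits (principalName, principalType, roleDefinitionName, scope, condition, id) and reports the things the portal surfaces (Owners per subscription, privileged administrator roles at broad scope, role-admin assignments carrying no condition) plus assignments whose principal no longer resolves. The records are constructed sample data, the condition text is illustrative, and treating an empty principalName or a principalType of "Unknown" as an orphaned assignment is this example's own assumption about that output.

```python
"""Audit of exported Azure role assignments. Added example, not Microsoft code.
Input records use the field names of `az role assignment list` output; the
sample records are constructed, and the rule "empty principalName or
principalType == 'Unknown' means orphaned" is this example's assumption."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# The four roles Azure calls privileged administrator roles.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Role Based Access Control Administrator"}
# Roles that can grant access to others; their assignments may carry a condition
# that constrains what the assignee is allowed to delegate.
ROLE_ADMIN_ROLES = PRIVILEGED_ROLES - {"Contributor"}
BROAD_LEVELS = {"root", "management group", "subscription"}


def _ra(n, name, ptype, role, scope, condition=None):
    # One record in the shape of `az role assignment list` output (constructed).
    return {"id": f"{scope}/providers/Microsoft.Authorization/roleAssignments/{n}",
            "principalName": name, "principalType": ptype,
            "roleDefinitionName": role, "scope": scope, "condition": condition}


SAMPLE_ASSIGNMENTS = [
    _ra(1, "alice@contoso.example", "User", "Owner", SUB),
    _ra(2, "platform-admins", "Group", "Owner", SUB),
    _ra(3, "sp-ci-deploy", "ServicePrincipal", "Contributor", RG),
    _ra(4, "", "Unknown", "Reader", RG),  # principal deleted; portal shows "Identity not found"
    _ra(5, "helpdesk", "Group", "Role Based Access Control Administrator", SUB,
        condition="@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
                  "ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7}"),  # illustrative
    _ra(6, "carol@contoso.example", "User", "Virtual Machine Contributor", VM),
]


def scope_level(scope: str) -> str:
    """Classify a scope string as root, management group, subscription,
    resource group or resource, from the shape of the resource ID."""
    s = scope.lower()
    if s == "/":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "management group"
    parts = s.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource group"
    return "resource"


def audit(assignments):
    """Group the assignments into the findings a reviewer acts on."""
    findings = {
        "privileged_at_broad_scope": [],     # (principal, role, scope)
        "owners_by_subscription": {},        # scope -> [principal]
        "orphaned": [],                      # (assignment id, role, scope)
        "privileged_assigned_to_users": [],  # privileged roles are better held via groups
        "role_admins_without_condition": [], # delegation not constrained
    }
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        name = a.get("principalName") or "<identity not found>"
        if role in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            findings["privileged_at_broad_scope"].append((name, role, a["scope"]))
        if role == "Owner" and level == "subscription":
            findings["owners_by_subscription"].setdefault(a["scope"], []).append(name)
        if not a.get("principalName") or a.get("principalType") == "Unknown":
            findings["orphaned"].append((a["id"], role, a["scope"]))
        if role in PRIVILEGED_ROLES and a.get("principalType") == "User":
            findings["privileged_assigned_to_users"].append((name, role, a["scope"]))
        if role in ROLE_ADMIN_ROLES and not a.get("condition"):
            findings["role_admins_without_condition"].append((name, role, a["scope"]))
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_ASSIGNMENTS).items():
        print(f"== {category} ({len(items)})")
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

To run it against real data, replace SAMPLE_ASSIGNMENTS with the parsed JSON from an export such as az role assignment list --all --include-inherited -o json (the script itself never calls Azure). Eligible and time-bound PIM states are not part of that output; they still need the portal or the PIM interfaces, so an Owner count from this script is a count of active assignments only.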

Conclusion

In summary, Azure RBAC is a critical component for managing access to Azure resources. It uses roles, role assignments, and scopes to control who can do what. Understanding built-in and custom roles, implementing best practices like least privilege, and regularly monitoring role assignments are essential for maintaining a secure Azure environment. By using RBAC effectively, organizations can ensure that users have the appropriate level of access to perform their tasks while protecting their resources from unauthorized access.