2.12 Azure RBAC, Zero Trust, and Defense in Depth
Key Takeaways
- Azure RBAC (Role-Based Access Control) manages WHO has access to WHAT Azure resources and WHAT they can do with those resources.
- Built-in RBAC roles include Owner, Contributor, Reader, and User Access Administrator — custom roles can also be created.
- The Zero Trust model assumes no user or device is trusted by default and requires verification at every access request.
- Defense in Depth is a layered security strategy with seven layers: physical, identity, perimeter, network, compute, application, and data.
- The principle of least privilege grants users only the minimum permissions needed to perform their job.
Azure RBAC, Zero Trust, and Defense in Depth
Quick Answer: RBAC controls who can do what with Azure resources (Owner, Contributor, Reader roles). Zero Trust assumes nothing is trusted — verify every request. Defense in Depth uses seven security layers from physical to data.
Azure Role-Based Access Control (RBAC)
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management for Azure resources. It answers the question: "Who can do what on which resources?"
RBAC Components
| Component | Description | Example |
|---|---|---|
| Security principal | The entity requesting access | User, group, service principal, managed identity |
| Role definition | A collection of permissions | Owner, Contributor, Reader |
| Scope | The level at which access is applied | Management group, subscription, resource group, resource |
| Role assignment | Attaching a role to a security principal at a scope | "Assign Contributor role to User A on Resource Group X" |
Built-in RBAC Roles
| Role | Permissions | Use Case |
|---|---|---|
| Owner | Full access to all resources + can grant access to others | Subscription administrators |
| Contributor | Full access to all resources but CANNOT grant access to others | Developers who manage resources |
| Reader | View all resources but cannot make changes | Auditors, stakeholders who need visibility |
| User Access Administrator | Manage user access to Azure resources (but not manage resources themselves) | Security team managing permissions |
RBAC Inheritance
RBAC roles follow the Azure resource hierarchy:
- Assigned at Management Group → applies to all subscriptions below
- Assigned at Subscription → applies to all resource groups and resources
- Assigned at Resource Group → applies to all resources in that group
- Assigned at Resource → applies to that specific resource only
On the Exam: RBAC roles are ADDITIVE. If a user has Reader at the subscription level and Contributor at a resource group level, they have Contributor permissions on that resource group and Reader on everything else in the subscription.
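As an added illustration (not Microsoft's code or the real Azure evaluation engine), the following Python model reproduces how scope inheritance and additive assignments combine to give the result described above: Contributor on the resource group, Reader everywhere else, and no ability to grant access from either role. The role definitions are a simplified subset of the real built-in roles, and the subscription id and resource group names are constructed.

```python
from fnmatch import fnmatchcase

# Added illustration, not Microsoft code.  Simplified built-in roles as
# (Actions, NotActions); the real Contributor NotActions list is longer, only
# the Authorization entries that stop it from granting access are modelled.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}

def _matches(pattern, action):
    # Operation names and wildcards are case-insensitive; '*' spans '/'.
    return fnmatchcase(action.lower(), pattern.lower())

def _scope_covers(assigned, target):
    # An assignment applies at its own scope and every scope nested under it.
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, principal, action, scope):
    """True if any inherited assignment for `principal` grants `action` at `scope`.

    assignments: list of (principal, role_name, scope).  Roles are additive: a
    role's NotActions only trim its own grant and never remove what another
    assignment grants.  (Azure deny assignments are not modelled here.)
    """
    for who, role, assigned_scope in assignments:
        if who != principal or not _scope_covers(assigned_scope, scope):
            continue
        actions, not_actions = ROLES[role]
        if any(_matches(p, action) for p in actions) and \
                not any(_matches(p, action) for p in not_actions):
            return True
    return False

# Constructed sample: Reader on the whole subscription, Contributor on rg-x only.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG_X, RG_Y = SUB + "/resourceGroups/rg-x", SUB + "/resourceGroups/rg-y"
ASSIGNMENTS = [("userA", "Reader", SUB), ("userA", "Contributor", RG_X)]

if __name__ == "__main__":
    vm_write = "Microsoft.Compute/virtualMachines/write"
    print(is_allowed(ASSIGNMENTS, "userA", vm_write, RG_X))  # True: Contributor on rg-x
    print(is_allowed(ASSIGNMENTS, "userA", vm_write, RG_Y))  # False: only Reader applies
    print(is_allowed(ASSIGNMENTS, "userA", "Microsoft.Authorization/roleAssignments/write", RG_X))  # False
```

Swapping the rg-x assignment to Owner makes the last check return True, which is exactly the difference between Owner and Contributor in the table above.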
Zero Trust Model
Zero Trust is a security model that assumes no user, device, or network is trustworthy by default — even if they are inside the corporate network. Every access request is fully authenticated, authorized, and encrypted before access is granted.
Zero Trust Principles
| Principle | Description |
|---|---|
| Verify explicitly | Always authenticate and authorize based on all available signals (identity, location, device, data classification, anomalies) |
| Use least privilege access | Limit user access with just-in-time (JIT) and just-enough-access (JEA) |
| Assume breach | Minimize blast radius, segment access, verify end-to-end encryption, use analytics for threat detection |
How Azure Implements Zero Trust
- Microsoft Entra ID — Identity verification with MFA and Conditional Access
- Entra ID Conditional Access — Policy-based access control
- Microsoft Defender for Cloud — Continuous security assessment
- Azure Network Security Groups — Micro-segmentation of network traffic
- Microsoft Sentinel — Security Information and Event Management (SIEM)
Defense in Depth
Defense in Depth is a strategy that employs multiple layers of security to slow down an attack and provide multiple opportunities for detection. If one layer is breached, the next layer is in place to prevent further exposure.
The Seven Layers
| Layer | Description | Azure Tools |
|---|---|---|
| 1. Physical Security | Data center access controls (Microsoft's responsibility) | Microsoft-managed: fences, guards, cameras, biometrics |
| 2. Identity & Access | Control who can access infrastructure and who can make changes (change control) | Entra ID, MFA, Conditional Access |
| 3. Perimeter | DDoS protection and firewalls at the network edge | Azure DDoS Protection, Azure Firewall |
| 4. Network | Limit communication between resources (segmentation) | NSGs, VNet isolation, Private Link |
| 5. Compute | Secure access to VMs, close unused ports, patch systems | Azure Bastion, update management, endpoint protection |
| 6. Application | Ensure applications are secure and free of vulnerabilities | Secure coding practices, WAF, vulnerability scanning |
| 7. Data | Controls to protect data (encryption, access controls) | Encryption at rest/in transit, Azure Key Vault, RBAC |
On the Exam: Data is at the CENTER of the defense-in-depth model. All other layers exist to protect the data. Physical security is the OUTERMOST layer.
Principle of Least Privilege
The principle of least privilege states that users should be granted only the minimum level of access needed to perform their job functions — nothing more.
Azure implementation:
- Grant Reader instead of Contributor if a user only needs to view resources
- Use Just-in-Time (JIT) access to grant elevated permissions temporarily
- Use Privileged Identity Management (PIM) for time-bound administrative access
- Regularly review and remove unnecessary role assignments
Which built-in RBAC role allows full access to Azure resources but CANNOT manage access for others?
Which Zero Trust principle states that users should only receive the minimum permissions needed?
In the Defense in Depth model, what is at the CENTER that all other layers protect?
If a user has Reader role at the subscription level and Contributor role on a specific resource group, what are their effective permissions?