2.3 Azure RBAC Built-In Roles and Scopes

Key Takeaways

  • Azure RBAC assignments combine a security principal, a role definition, and a scope.
  • Built-in roles such as Owner, Contributor, Reader, and User Access Administrator have distinct delegation behavior.
  • Scopes inherit downward from management group to subscription to resource group to resource.
  • Least privilege usually means selecting the narrowest role and the narrowest scope that satisfy the stated requirement.
Last updated: May 2026

The Role Assignment Formula

An Azure RBAC assignment has three required parts: who, what, and where. The security principal (who) is the user, group, service principal, or managed identity. The role definition (what) is the set of allowed actions, such as Reader or Contributor. The scope (where) is the level at which the assignment applies: a management group, subscription, resource group, or individual resource.

If any part is wrong, access is wrong. A perfect role at the wrong scope can overgrant or undergrant. A correct scope with too broad a role violates least privilege. A role assigned to the wrong group may appear correct in a table but fail in production.

Portal path: open the target scope, then choose Access control (IAM) > Add role assignment. The scope is determined by where you start. If you begin on a subscription blade, the assignment applies to the subscription and normally inherits to child resource groups and resources. If you begin on a resource group, the assignment is narrower.

Built-In Roles You Must Recognize

AZ-104 does not require memorizing every built-in role, but several appear constantly.

Role | Core capability | Important limit or trap
Owner | Full resource management plus ability to assign RBAC roles. | Very broad; not least privilege for routine operations.
Contributor | Full resource management except assigning RBAC roles. | Can create, update, and delete many resources but cannot delegate access.
Reader | View resources and settings. | Cannot make changes.
User Access Administrator | Manage access to Azure resources. | Can assign roles but is not a general resource operator.
Storage Blob Data Reader | Read blob data. | Data-plane role, not general storage account management.
Storage Blob Data Contributor | Read, write, and delete blob data. | Does not mean subscription Contributor.
Monitoring Reader | Read monitoring data and settings. | Better than broad Reader when monitoring is the only need.
Virtual Machine Contributor | Manage VMs but not virtual networks or storage accounts broadly. | May need additional roles for related resources.

Exam trap: Contributor cannot grant another user access. If a question says an administrator must manage resources and assign access to others, Contributor is insufficient. Owner can do both, but if the task is only to manage access, User Access Administrator may be the least-privilege answer.

Scope Hierarchy

Azure RBAC scopes form a hierarchy. Assignments inherit downward unless a deny assignment or other control blocks the operation.

Scope level | Example | Inherits to
Management group | /providers/Microsoft.Management/managementGroups/corp | Child management groups, subscriptions, resource groups, resources.
Subscription | /subscriptions/1111... | Resource groups and resources in that subscription.
Resource group | /subscriptions/1111.../resourceGroups/rg-app | Resources in that resource group.
Resource | VM, storage account, VNet, key vault | Only that resource unless the service has child scopes.

Use management groups when several subscriptions need the same governance or access pattern. Use subscription scope when an operations team manages the entire subscription. Use resource group scope when a team owns one workload. Use resource scope for exceptional, tightly limited access, but avoid making thousands of one-off assignments if a group and resource group boundary would be cleaner.

Portal and CLI Decision Logic

The portal is best for interpreting effective access for one person, adding a role assignment during a support workflow, or confirming inherited assignments. Use Access control (IAM) > Check access to inspect a principal. Use CLI for repeatable assignment and evidence.

Common CLI commands:

az role definition list --name Reader
az role assignment list --assignee <object-id> --all
az role assignment create --assignee <object-id> --role Reader --scope /subscriptions/<sub-id>/resourceGroups/rg-app
az role assignment delete --assignee <object-id> --role Reader --scope /subscriptions/<sub-id>/resourceGroups/rg-app

Use object IDs when names are ambiguous, especially with guests and service principals. In scripts, avoid relying only on display names. When using group-based access, assign roles to groups rather than individual users so joiner, mover, and leaver operations happen through group membership.

Least Privilege Scenarios

Scenario: The help desk must view all resources in subscription ProdSub but cannot change anything. Assign Reader at subscription scope to a security group. Do not assign Contributor, and do not assign Reader at each resource group unless the requirement excludes some resource groups.

Scenario: The platform team must manage role assignments for all subscriptions under a corporate management group but should not create VMs or storage accounts. Assign User Access Administrator at management group scope. Owner would work technically but grants resource management too.

Scenario: A developer must restart and resize VMs in rg-dev. VM Contributor at resource group scope may be appropriate if network and storage management are not required. Contributor at subscription scope is too broad.

Scenario: An app managed identity must read blobs in one storage account container. Prefer a data-plane storage role at the narrowest supported scope. Management-plane Reader on the storage account lets the identity view configuration but does not automatically grant blob data access.

Troubleshooting RBAC

When access fails, ask these questions in order:

  1. Is the user in the correct tenant and subscription context?
  2. Is the assignment direct or inherited through a group?
  3. Is the role a management-plane role or a data-plane role?
  4. Is the assignment at or above the resource being accessed?
  5. Is a deny assignment, lock, policy, or service-specific firewall blocking the operation?
  6. Has propagation completed?

Exam questions often include a table of assignments. Build the effective set by walking from broadest scope to narrowest scope. Add inherited allowed actions. Then check whether anything blocks the requested action. Do not assume the most local assignment overrides a broader assignment the way NTFS deny and allow examples sometimes behave. Azure RBAC is additive unless a deny assignment or another control applies.
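The effective-access walk described above (scope inheritance from the Scope Hierarchy section, plus additive evaluation with a deny check), as an added Python example that is not part of this study guide. Principal ids, scope paths and the deny assignment are constructed, and ROLES is an abbreviated stand-in for the real built-in role definitions.

```python
# Added example, not code from this study guide: a toy evaluator for the
# "walk from broadest to narrowest scope, add inherited actions, then check
# blockers" procedure. Ids and scopes are constructed; ROLES is abbreviated.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    principal: str  # user or group object id
    role: str       # built-in role name
    scope: str      # ARM scope path the assignment was made at

ROLES = {  # (Actions, DataActions) per role; real definitions are much longer
    "Reader": ({"*/read"}, set()),
    "User Access Administrator": ({"*/read", "Microsoft.Authorization/*"}, set()),
    "Virtual Machine Contributor": ({"Microsoft.Compute/virtualMachines/*"}, set()),
    "Storage Blob Data Reader": (set(), {"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"}),
}

def scope_covers(assigned: str, target: str) -> bool:
    """Assignments inherit downward: a parent scope covers every child scope."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def action_matches(pattern: str, action: str) -> bool:
    p, a = pattern.lower(), action.lower()
    if p == "*":
        return True
    if p.startswith("*/"):            # "*/read" matches any read action
        return a.endswith(p[1:])
    if p.endswith("/*"):              # namespace prefix wildcard
        return a.startswith(p[:-1])
    return a == p

def effective_assignments(principal, groups, assignments, target):
    """Direct and group-inherited assignments at or above the target, broadest scope first."""
    ids = {principal, *groups}
    hits = [x for x in assignments if x.principal in ids and scope_covers(x.scope, target)]
    return sorted(hits, key=lambda x: x.scope.count("/"))

def is_allowed(principal, groups, assignments, target, action, data_action=False, denies=()):
    """Additive RBAC: any covering role that matches grants the action, unless a deny
    assignment (principal, scope, pattern) at or above the target blocks it. Management-plane
    Actions never satisfy a DataAction: the Reader-on-storage-account trap from the text."""
    ids = {principal, *groups}
    if any(p in ids and scope_covers(s, target) and action_matches(pat, action) for p, s, pat in denies):
        return False
    idx = 1 if data_action else 0
    return any(action_matches(pat, action)
               for x in effective_assignments(principal, groups, assignments, target)
               for pat in ROLES[x.role][idx])
```

Feed it the assignment table from an exam question and the requested action; `effective_assignments` shows the broadest-to-narrowest walk and `is_allowed` gives the additive result after the blocker check.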

Test Your Knowledge

Which Azure RBAC role allows full resource management but does not allow assigning RBAC roles to other users?

A team needs to manage access assignments for several subscriptions under one management group but should not manage resources. Which role and scope best match least privilege?

An identity has Reader on a storage account but cannot read blob contents. What is the likely issue?
