{"id":98691,"date":"2025-02-18T15:55:08","date_gmt":"2025-02-18T10:25:08","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=98691"},"modified":"2025-03-26T16:10:25","modified_gmt":"2025-03-26T10:40:25","slug":"az-800-key-concepts-for-role-based-access","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/","title":{"rendered":"What Are AZ-800 Key Concepts for Role-Based Access?"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">This blog talks about the AZ-800 Administering Windows Server Hybrid Core Infrastructure exam, which requires an understanding of Azure Role-Based Access Control (RBAC). It is a key area tested in the exam. This will enable you to pass the Microsoft <\/span><a title=\"AZ-800 Certification\" href=\"https:\/\/www.whizlabs.com\/microsoft-azure-certification-az-800\/\" target=\"_blank\" rel=\"noopener\"><b>AZ-800 Certification<\/b><\/a><span style=\"font-weight: 400;\"> exam as well as enhance your performance at work. 
Read through to know more about RBAC!<\/span><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_76 ez-toc-wrap-left counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #ea7e02;color:#ea7e02\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #ea7e02;color:#ea7e02\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#What_is_Azure_Role-Based_Access\" >What is Azure Role-Based Access?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Key_Concepts_of_Azure_RBAC\" >Key Concepts of Azure 
RBAC<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Security_Principal\" >Security Principal<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Role_Definition\" >Role Definition\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Scope\" >Scope<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Role_Assignments\" >Role Assignments\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Data_Actions\" >Data Actions<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Benefits_of_Azure_RBAC\" >Benefits of Azure RBAC<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Best_Practices_for_Azure_RBAC_Implementation\" >Best Practices for Azure RBAC Implementation\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.whizlabs.com\/blog\/az-800-key-concepts-for-role-based-access\/#Conclusion\" >Conclusion\u00a0<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"What_is_Azure_Role-Based_Access\"><\/span><b>What is Azure 
Role-Based Access?<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Microsoft Azure provides flexible role-based access control for Azure resources, through which administrators can efficiently manage users&#8217; access to those resources. It lets you set the level of permission and define user access for a variety of hybrid cloud infrastructure resources. Note also that Azure Role-based access control (RBAC) is a policy-neutral access-control and authorization mechanism defined around roles and privileges, as shown in the diagram below.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98696 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac.webp\" alt=\"azure role based access control rbac\" width=\"1536\" height=\"821\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac-300x160.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac-1024x547.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac-768x411.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-role-based-access-control-rbac-150x80.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">As shown in the diagram above, Azure RBAC is built on the Azure Resource Manager feature. It comprises a variety of components, such as role-permission, user-role, and role-role relationships, that make it simple to perform user assignments. 
Its primary function is to help you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.<br \/>\n<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Key_Concepts_of_Azure_RBAC\"><\/span><strong>Key Concepts of Azure RBAC<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The key concepts involved in RBAC include security principal, role definition and scope as discussed in more detail below;<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Security_Principal\"><\/span><strong>Security Principal<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The security principal refers to any object that represents a user, group, service principal, or managed identity requesting access to Azure resources. It is important to note that most organizations using Windows Server Administration often integrate Active Directory and Microsoft Entra ID to enhance their Identity and Access Management (IAM) processes. 
The components making up a security principal are shown and discussed below;\u00a0\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98698 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles.webp\" alt=\"components making up the security principles\" width=\"1536\" height=\"499\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles-300x97.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles-1024x333.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles-768x250.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/components-making-up-the-security-principles-150x49.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>User<\/b><span style=\"font-weight: 400;\">: This refers to an individual who needs access to Azure resources. For example, a developer who requires access to virtual machines for the deployment of applications is a user.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Group<\/b><span style=\"font-weight: 400;\">: A group is a collection of users that can be managed as a single entity. For example, a software development team can be grouped together with permissions assigned collectively.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Service Principal<\/b><span style=\"font-weight: 400;\">: A service principal is an identity representing an individual or group of individuals that is created for use with applications, hosted services, and automated tools. 
Its purpose is to enable you to securely access Azure resources<\/span><span style=\"font-weight: 400;\"> such as WebApp or Blob Storage.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Managed Identity<\/b><span style=\"font-weight: 400;\">: This refers to an identity managed by Azure that can authenticate to any service that supports Azure AD authentication, requiring no management of credentials. For example, a VM can use a managed identity to access Azure Key Vault.<\/span><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Role_Definition\"><\/span><b>Role Definition\u00a0<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Role definition represents a collection of permissions that can be assigned to security principals. It specifies what actions can be performed on what resources and lists all the operations that can be performed, such as read, write, edit and delete which is crucial for organisations deploying hybrid cloud infrastructure. Also note that roles can be high-level, such as owner, or specific, such as VM reader. 
You should also be able to distinguish between <a title=\"built-in roles\" href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/role-based-access-control\/built-in-roles\" target=\"_blank\" rel=\"nofollow noopener\"><strong>built-in roles<\/strong><\/a> and custom roles, as shown and explained below;<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98699 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition.webp\" alt=\"role definition\" width=\"1536\" height=\"821\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition-300x160.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition-1024x547.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition-768x411.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/role-definition-150x80.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><b>Built-in roles<\/b><span style=\"font-weight: 400;\">: These are predefined roles in Azure that are readily available for use. They include the following;<\/span><\/p>\n<ul>\n<li><b>Owner<\/b><span style=\"font-weight: 400;\">: The owner has full access to all resources, including the right to delegate access to others. For example, the IT administrator managing all resources within a subscription can be assigned the Owner role.<\/span><\/li>\n<li><b>Contributor<\/b><span style=\"font-weight: 400;\">: The contributor can create and manage all types of Azure resources but cannot grant access to others. For instance, a developer who needs to deploy applications and manage resources without needing to manage access can be assigned the Contributor role.<\/span><\/li>\n<li><b>Reader<\/b><span style=\"font-weight: 400;\">: This role can only view existing Azure resources. 
For example, a project manager who needs to monitor the status of resources without making any changes can be assigned the Reader role.<\/span><\/li>\n<li><b>User Access Administrator<\/b><span style=\"font-weight: 400;\">: The user access administrator role has the permissions to manage user access to all types of Azure resources.<\/span><\/li>\n<li><b>Custom roles<\/b><span style=\"font-weight: 400;\">: Microsoft Azure allows you to create custom roles where the built-in roles do not meet your needs in configuring Windows server security. The ideal approach is to create custom roles based on existing roles. This allows you to determine the elements you would like to change about the existing role and then make those modifications. Also note that you require the Owner role or the User Access Administrator role within the subscription to create custom roles.\u00a0<\/span><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Scope\"><\/span><b>Scope<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">A scope in Azure RBAC represents the set of resources that the access applies to. It defines the boundaries within which permissions are granted and can be set at multiple levels, which is crucial in managing identity and access in Active Directory Management. This means that if you grant access at a parent scope, those permissions are inherited by the child scopes. For example, if you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource in the subscription. 
The diagram below shows the Azure RBAC scope;<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><img decoding=\"async\" class=\"alignnone wp-image-98700 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope.webp\" alt=\"azure rbac scope\" width=\"1536\" height=\"821\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope-300x160.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope-1024x547.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope-768x411.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/azure-rbac-scope-150x80.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Management group: <\/b><span style=\"font-weight: 400;\">This is a collection of users, groups, and applications that are managed together to make it easier for the administrator to manage access for multiple entities at once. For instance, you can create a management group for the IT department and then assign specific roles and permissions to its members.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Subscription<\/b><span style=\"font-weight: 400;\">: This is a logical container that is used to provision resources in Azure. It is characterized by specific limits and quotas, and its role is to organize and manage resource usage, billing, and access control. For example, you can create separate subscriptions for development and production environments.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Resource<\/b><span style=\"font-weight: 400;\">: A resource is a service in Azure that supplies resources. 
Note that each resource type in Azure is provided by its own resource provider; for instance, the Storage resource provider supplies the storage accounts.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Resource group: <\/b><span style=\"font-weight: 400;\">This is basically a container that holds related resources for an Azure solution. It allows you to manage and deploy resources together. For instance, you can place all resources for a web application, including VMs, databases, and storage accounts, in a single resource group for better management.\u00a0<\/span><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Role_Assignments\"><\/span><b>Role Assignments<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">A role assignment in Azure RBAC binds a security principal to a specific role at a particular scope. This grants specific permissions and determines the actions the security principal can perform on Azure resources within the given scope. The following process should be followed when assigning roles in Windows server environments;\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Determine who needs access<\/b><span style=\"font-weight: 400;\">:\u00a0 The first step is to determine who needs access. This is represented by the security principal.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Select the appropriate role<\/b><span style=\"font-weight: 400;\">: As permissions are grouped into role definitions, you need to select the appropriate role from the list of built-in roles. 
If there is no corresponding built-in role, then you will need to create your own custom role.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Identify the scope<\/b><span style=\"font-weight: 400;\">: You can assign roles at any level of scope, with each scope determining how widely the role is applied. Also keep in mind that lower levels inherit role permissions from higher levels.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Check prerequisites<\/b><span style=\"font-weight: 400;\">: You need to check the prerequisites for assigning roles. For example, you must be signed in as a user that is assigned a role with write permission, such as Role Based Access Control Administrator, at the scope level.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Assign role<\/b><span style=\"font-weight: 400;\">: Once you have the security principal, role, and scope all in order, you can proceed to assign the role. You can use a variety of methods to assign roles, including the Azure portal, Azure CLI or REST APIs.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The following diagram shows the process involved in role assignment;\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98701 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment.webp\" alt=\"process involved in role assignment\" width=\"1536\" height=\"1750\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment-263x300.webp 263w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment-899x1024.webp 899w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment-768x875.webp 768w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment-1348x1536.webp 1348w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/process-involved-in-role-assignment-150x171.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">In the diagram above, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This allows the Marketing group to create or manage any Azure resource in the pharma-sales resource group. Also note that Marketing users will not have access to resources outside the pharma-sales resource group unless they are part of another role assignment.<\/span><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Data_Actions\"><\/span><b>Data Actions<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Role-based access controls for control plane actions in Windows server environments are specified in the Actions and NotActions properties of role definitions. Access to the data inside a resource, which is what lets you secure sensitive data in Windows server security environments, is governed separately by data plane actions. 
The following are some data plane actions you can specify in DataActions and NotDataActions:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Read a list of blobs<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Write a storage blob\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Delete a message in a queue<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To better understand how data actions work in Azure RBAC, consider the following diagram;\u00a0\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98702 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions.webp\" alt=\"understand azure role definitions\" width=\"1536\" height=\"821\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions-300x160.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions-1024x547.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions-768x411.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/understand-azure-role-definitions-150x80.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">In the diagram above, because Alice is assigned the Owner role at the subscription scope, she can perform a variety of actions such as creating and deleting resources. 
However, because Bob is assigned the Storage Blob Data Contributor role at a storage account, he can only perform actions and DataActions related to that storage account.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Benefits_of_Azure_RBAC\"><\/span><strong>Benefits of Azure RBAC<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Azure RBAC provides you with many benefits for Windows Server Administration including the following;\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98703 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac.webp\" alt=\"benefits of azure rbac\" width=\"1536\" height=\"411\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac-300x80.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac-1024x274.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac-768x206.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/benefits-of-azure-rbac-150x40.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Reducing administrative overheads<\/b><span style=\"font-weight: 400;\">: Azure RBAC allows a single user to manage virtual machines in a subscription and another user to manage VNs, thus reducing administrative overheads.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Maximizing operational efficiency<\/b><span style=\"font-weight: 400;\">: The Azure RBAC functionality allows users to efficiently manage all resources in a resource group, such as virtual machines, websites, and subnets<\/span><\/li>\n<li style=\"font-weight: 400;\" 
aria-level=\"1\"><b>Restricted access<\/b><span style=\"font-weight: 400;\">: Azure RBAC allows you to limit user access to only the authorized level necessary to complete a specific job. This minimizes the impact felt by the organization in case of an attack.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Data leakage prevention<\/b><span style=\"font-weight: 400;\">: Another benefit of Azure RBAC is that it helps cloud-first businesses enforce security controls against data leakage. This preserves organizational data in the event of a breach.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Improving compliance: <\/b><span style=\"font-weight: 400;\">Using Azure RBAC strengthens your governance and security control: it provides a consolidated monitoring solution that gives you enhanced control over your governance processes.\u00a0<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Best_Practices_for_Azure_RBAC_Implementation\"><\/span><b>Best Practices for Azure RBAC Implementation\u00a0<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The following best practices for implementing <a title=\"Azure RBAC\" href=\"https:\/\/en.wikipedia.org\/wiki\/Role-based_access_control\" target=\"_blank\" rel=\"nofollow noopener\"><strong>Azure RBAC<\/strong><\/a> are crucial for organizations that use Windows server administration and operate in hybrid cloud infrastructure environments;\u00a0<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-98704 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation.webp\" alt=\"best practices for azure rbac implementation\" width=\"1536\" height=\"500\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation.webp 1536w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation-300x98.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation-1024x333.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation-768x250.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/best-practices-for-azure-rbac-implementation-150x49.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Segregate duties<\/b><span style=\"font-weight: 400;\">: Ensure that you use Azure RBAC to segregate duties within your team. This prevents incidents of collusion and other fraudulent activities.\u00a0\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Limit the number of subscription owners<\/b><span style=\"font-weight: 400;\">: Best practice is to have at most 3 subscription owners. This reduces the potential for a breach by a compromised owner.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Implement the principle of least privilege:<\/b><span style=\"font-weight: 400;\"> It is best practice in Azure security to grant users the least privilege needed to get their work done. This entails avoiding broader roles, as they can lead to broader scopes and hence a greater attack surface.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Limit privileged administrator role assignments: <\/b><span style=\"font-weight: 400;\">Consider<\/span> <span style=\"font-weight: 400;\">removing unnecessary privileged role assignments to reduce the attack surface. 
Also use a narrow scope, such as a resource group or resource, instead of a broader scope, such as a subscription, when assigning privileged administrator roles.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Assign roles to groups, not users: <\/b><span style=\"font-weight: 400;\">To effectively and securely manage role assignments, avoid assigning roles directly to users. Instead, assign roles to groups, as this minimizes the number of role assignments.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Assign roles using the unique role ID: <\/b><span style=\"font-weight: 400;\">Ensure that you assign roles using unique IDs rather than role names. This maintains the security of the cloud environment in cases where you need to rename your roles.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Avoid using a wildcard: <\/b><span style=\"font-weight: 400;\">Wildcards should not be used when creating custom roles, as they can lead to the granting of excessive access. You should instead specify Actions\u00a0and\u00a0DataActions\u00a0explicitly rather than using the wildcard (*) character.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><b>Conclusion\u00a0<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">This blog gives you the perspective of a candidate for the AZ-800 Administering Windows Server Hybrid Core Infrastructure exam: as such a candidate, you deploy, package, secure, and configure Windows Server workloads using on-premises, hybrid, and cloud technologies. You therefore need a solid understanding of the operations of Azure RBAC, such as in Active Directory Management and Azure hybrid services, as explained in this blog. 
This allows you to ensure that the creation of roles is as secure as possible while adhering to IAM requirements. You can experiment with the above through our <\/span><a title=\"hands-on labs!\" href=\"https:\/\/www.whizlabs.com\/hands-on-labs\/\" target=\"_blank\" rel=\"noopener\"><b>hands-on labs!<\/b><\/a><span style=\"font-weight: 400;\"> Talk to our experts in case of queries!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog talks about the AZ-800 Administering Windows Server Hybrid Core Infrastructure exam, which requires an understanding of Azure Role-Based Access Control (RBAC). It is a key area tested in the exam. This will enable you to pass the Microsoft AZ-800 Certification exam as well as enhance your performance at work. Read through to know more about RBAC! What is Azure Role-Based Access? Microsoft Azure provides flexible role-based access control for Azure resources through which administrators can efficiently manage user&#8217;s access to Azure resources. 
This enables you to allow the level of permission and identify user access to a variety [&hellip;]<\/p>\n","protected":false},"author":439,"featured_media":98695,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[15],"tags":[5255,5254,4848],"class_list":["post-98691","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-azure","tag-administering-windows-server-hybrid-core-infrastructure","tag-az-800","tag-az-800-exam"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access.webp",1536,864,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-150x150.webp",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-300x169.webp",300,169,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-768x432.webp",768,432,true],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-1024x576.webp",1024,576,true],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access.webp",1536,864,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access.webp",1536,864,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-24x24.webp",24,24,true],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-48x48.webp",48,48,true],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-c
oncepts-for-role-based-access-96x96.webp",96,96,true],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-150x150.webp",150,150,true],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-300x300.webp",300,300,true],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-250x250.webp",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-640x853.webp",640,853,true],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-96x96.webp",96,96,true],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/02\/what-are-az-800-key-concepts-for-role-based-access-150x84.webp",150,84,true]},"uagb_author_info":{"display_name":"Suneel Moopanar","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/suneel-moopanar\/"},"uagb_comment_info":0,"uagb_excerpt":"This blog talks about the AZ-800 Administering Windows Server Hybrid Core Infrastructure exam, which requires an understanding of Azure Role-Based Access Control (RBAC). It is a key area tested in the exam. This will enable you to pass the Microsoft AZ-800 Certification exam as well as enhance your performance at work. 
Read through to know&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/98691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/439"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=98691"}],"version-history":[{"count":12,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/98691\/revisions"}],"predecessor-version":[{"id":98716,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/98691\/revisions\/98716"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/98695"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=98691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=98691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=98691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}