1. Azure Role-Based Access Control (RBAC)
Azure RBAC is an authorization system that controls who can do what on which Azure resources.
RBAC answers three questions:
- Who → User, Group, Service Principal, Managed Identity
- What → Role (set of permissions)
- Where → Scope (subscription, resource group, resource)
2. Core Components of Azure RBAC
2.1 Security Principal (Who)
A security principal is an identity that can be assigned a role:
- User
- Group
- Service Principal (application identity)
- Managed Identity (Azure resource identity)
2.2 Role Definition (What)
A role definition is a collection of permissions.
Permissions define:
- Allowed actions (read, write, delete)
- Denied actions (optional)
Built-in Roles (Common Examples)
| Role | Description |
|---|---|
| Owner | Full access including role assignment |
| Contributor | Full access except role assignment |
| Reader | View-only access |
| User Access Administrator | Manage access only |
Custom roles can also be created for fine-grained control.
2.3 Scope (Where)
Scope defines where the role applies.
Scopes (from broad to narrow):
- Management Group
- Subscription
- Resource Group
- Resource (VM, Storage Account, etc.)
Permissions are inherited down the hierarchy.
3. Azure RBAC Flow
flowchart LR
User[User / Group] --> RoleAssignment[Role Assignment]
RoleAssignment --> RoleDef[Role Definition]
RoleDef --> Scope[Scope]
Scope --> AzureResource[Azure Resource]
Install azure cli
choco install azure-cli -y
winget install -e --id Microsoft.AzureCLI
login to azure cli

az login --tenant 983fc701-1266-4c9b-8370-8bd90e6e66ae
az group list --output table
az ad group create --display-name QA_team --mail-nickname Qa
az ad user create --display-name user_qa1 --password MotherIndian@123 --user-principal-name user_qa1@ramjagadeeshcloudgmail.onmicrosoft.com
az ad user create --display-name user_qa2 --password MotherIndian@123 --user-principal-name user_qa2@ramjagadeeshcloudgmail.onmicrosoft.com
az ad user show --id user_qa2@ramjagadeeshcloudgmail.onmicrosoft.com
az ad group member add --group QA_team --member-id 328e7c81-2c01-4f5b-9ecd-536a43c8678e
az ad group member add --group QA_team --member-id 8a7873f1-ef6e-4108-b18f-22161f8685cb
az ad group member check --group QA_team --member-id 8a7873f1-ef6e-4108-b18f-22161f8685cb
az ad group member check --group QA_team --member-id 328e7c81-2c01-4f5b-9ecd-536a43c8678e
az role assignment create `
--assignee-object-id "1f7fc40a-c6c9-40c9-b033-cd5c10c9628f" `
--assignee-principal-type "Group" `
--role "Virtual Machine Contributor" `
--scope "/subscriptions/2fcfb49b-f2fe-446b-8b36-0e6c39974228"

task
create build_service user and add user admin group provide contrubution access
