MultiCloud Classroom notes 09/July/2026

1. Azure Role-Based Access Control (RBAC)

Azure RBAC is an authorization system that controls who can do what on which Azure resources.

RBAC answers three questions:

  • Who → User, Group, Service Principal, Managed Identity
  • What → Role (set of permissions)
  • Where → Scope (subscription, resource group, resource)

2. Core Components of Azure RBAC

2.1 Security Principal (Who)

A security principal is an identity that can be assigned a role:

  • User
  • Group
  • Service Principal (application identity)
  • Managed Identity (Azure resource identity)

2.2 Role Definition (What)

A role definition is a collection of permissions.

Permissions define:

  • Allowed actions (read, write, delete)
  • Denied actions (optional)

Built-in Roles (Common Examples)

Role Description
Owner Full access including role assignment
Contributor Full access except role assignment
Reader View-only access
User Access Administrator Manage access only

Custom roles can also be created for fine-grained control.


2.3 Scope (Where)

Scope defines where the role applies.

Scopes (from broad to narrow):

  • Management Group
  • Subscription
  • Resource Group
  • Resource (VM, Storage Account, etc.)

Permissions are inherited down the hierarchy.


3. Azure RBAC Flow

flowchart LR
    User[User / Group] --> RoleAssignment[Role Assignment]
    RoleAssignment --> RoleDef[Role Definition]
    RoleDef --> Scope[Scope]
    Scope --> AzureResource[Azure Resource]

Install azure cli

choco install azure-cli -y

winget install -e --id Microsoft.AzureCLI

login to azure cli

tenant id

 az login --tenant 983fc701-1266-4c9b-8370-8bd90e6e66ae 

az group list --output table


az ad group create --display-name QA_team --mail-nickname Qa


az ad user create --display-name user_qa1 --password MotherIndian@123 --user-principal-name user_qa1@ramjagadeeshcloudgmail.onmicrosoft.com


az ad user create --display-name user_qa2 --password MotherIndian@123 --user-principal-name user_qa2@ramjagadeeshcloudgmail.onmicrosoft.com



az ad user show --id user_qa2@ramjagadeeshcloudgmail.onmicrosoft.com



az ad group member add --group QA_team --member-id 328e7c81-2c01-4f5b-9ecd-536a43c8678e



az ad group member add --group QA_team --member-id 8a7873f1-ef6e-4108-b18f-22161f8685cb



az ad group member check --group QA_team --member-id 8a7873f1-ef6e-4108-b18f-22161f8685cb



az ad group member check --group QA_team --member-id 328e7c81-2c01-4f5b-9ecd-536a43c8678e




az role assignment create `
    --assignee-object-id "1f7fc40a-c6c9-40c9-b033-cd5c10c9628f" `
    --assignee-principal-type "Group" `
    --role "Virtual Machine Contributor" `
    --scope "/subscriptions/2fcfb49b-f2fe-446b-8b36-0e6c39974228"

group user

task

create build_service user and add user admin group provide contrubution access

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Social Network Integration by Acurax Social Media Branding Company

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Visit Us On FacebookVisit Us On LinkedinVisit Us On Youtube