RBAC and Azure AD Roles: Designing Least Privilege for AZ-104

Complete AZ-104 tutorial on Azure AD / Entra ID. Learn built-in roles, PIM basics, custom roles, scope (MG/RG/resource).

Introduction

Azure role-based access control (Azure RBAC) is the authorization system that Azure Resource Manager uses to decide who may perform which operations on which Azure resources. For AZ-104 you need to be able to design role assignments that give each identity only the permissions its job requires, the principle of least privilege. Applied consistently, least privilege limits the blast radius of a compromised account, keeps access reviews tractable, and produces a role model that auditors can actually follow.

Two different role systems appear on the exam, and it helps to keep them apart. Microsoft Entra roles (formerly Azure AD roles, such as Global Administrator or User Administrator) govern the directory itself: users, groups, app registrations and tenant settings. Azure roles (such as Owner, Contributor and Reader) govern Azure resources and are always assigned at a scope: a management group, a subscription, a resource group or a single resource. A Global Administrator has no Azure resource permissions by default; to get them they must explicitly elevate access, which grants User Access Administrator at the root scope and is recorded in the Activity Log. This tutorial covers the Azure resource side, where PIM can also make Azure role assignments eligible rather than permanent.

In this tutorial, we will explore the built-in roles, custom roles, and the basics of Privileged Identity Management (PIM) that are vital for implementing RBAC efficiently.

Prerequisites

Before diving into RBAC and Azure AD roles, ensure you have the following:

  1. Azure Subscription: An active Azure account to create and manage resources.
  2. RBAC Permissions: You need a role that can write role assignments at the target scope: Owner, User Access Administrator, or the narrower Role Based Access Control Administrator.
  3. Tools: Familiarity with Azure Portal, Azure CLI, and Azure PowerShell is beneficial.
  4. Licensing: Microsoft Entra ID and Azure RBAC are part of every subscription and need no enabling. PIM requires a Microsoft Entra ID P2 (or Microsoft Entra ID Governance) license for the users who use it.

Core Concepts

Definitions

  • Azure RBAC: The authorization system for Azure resources. A role assignment binds a security principal to a role definition at a scope.
  • Microsoft Entra roles (Azure AD roles): Built-in directory roles such as Global Administrator that control Entra ID objects, not Azure resources. They are a separate system from Azure roles.
  • Built-in roles: Azure roles that Microsoft defines and maintains (Owner, Contributor, Reader, User Access Administrator, and a long list of service-specific roles such as Virtual Machine Contributor).
  • Custom roles: Role definitions you write yourself, with explicit Actions and NotActions, when no built-in role fits.
  • Scope: The part of the resource hierarchy a role assignment applies to: management group, subscription, resource group or individual resource. An assignment is inherited by everything below its scope.

Architecture

Azure RBAC is enforced by Azure Resource Manager (ARM), which authorizes every control-plane request before forwarding it to the resource provider. A role assignment has three parts:

  • Security Principal: The user, group, service principal or managed identity that receives the permissions. An assignment to a group applies to its transitive members.
  • Role Definition: A named set of permissions expressed as Actions, NotActions, DataActions and NotDataActions, plus the AssignableScopes at which the role may be assigned. Effective control-plane permissions are Actions minus NotActions; NotActions is an exclusion, not a deny.
  • Scope: Where the assignment applies: management group, subscription, resource group or resource. Access granted at a scope is inherited by all child scopes, so an assignment at a subscription covers every resource group and resource inside it.

A request is allowed when at least one assignment reaching the caller (directly or through a group) covers the target scope with a role whose effective permissions include the requested operation, and no deny assignment blocks it.
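To make the evaluation rule concrete, here is a small Python model of the decision ARM makes, added to this tutorial as an example; it is not code from Microsoft or from any Azure tool. The role definitions and assignments are constructed to match the JSON shape of `az role definition list -o json` and `az role assignment list --all -o json`; the subscription GUID, principal IDs and role definition IDs are made up, and the Contributor and Virtual Machine Contributor action lists are abridged. It shows the three things that trip people up: wildcards in Actions match across path segments, NotActions subtract rather than deny (which is why Contributor cannot write role assignments), and a scope assignment covers children by whole path segment, so rg-prod does not cover rg-prod2. Deny assignments, ABAC conditions and data-plane actions are deliberately left out of the model.

```python
"""Simplified model of how Azure RBAC authorizes a control-plane request."""
import re

# Constructed sample data (no real tenant), shaped like `az role definition list -o json`
# and `az role assignment list --all -o json` output. IDs and names are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RD = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions"

ROLE_DEFS = {
    f"{RD}/reader": {
        "roleName": "Reader",
        "permissions": [{"actions": ["*/read"], "notActions": []}],
    },
    f"{RD}/vmcontrib": {
        "roleName": "Virtual Machine Contributor",  # abridged action list
        "permissions": [{
            "actions": ["Microsoft.Compute/virtualMachines/*",
                        "Microsoft.Network/networkInterfaces/*"],
            "notActions": [],
        }],
    },
    f"{RD}/contributor": {
        "roleName": "Contributor",  # abridged; the real NotActions list is longer
        "permissions": [{
            "actions": ["*"],
            "notActions": ["Microsoft.Authorization/*/Delete",
                           "Microsoft.Authorization/*/Write",
                           "Microsoft.Authorization/elevateAccess/Action"],
        }],
    },
}

ASSIGNMENTS = [
    {"principalId": "g-ops", "principalType": "Group",
     "roleDefinitionId": f"{RD}/reader", "scope": SUB},
    {"principalId": "u-alice", "principalType": "User",
     "roleDefinitionId": f"{RD}/vmcontrib", "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalId": "u-bob", "principalType": "User",
     "roleDefinitionId": f"{RD}/contributor", "scope": f"{SUB}/resourceGroups/rg-dev"},
]

# Transitive group membership as the authorization service would see it (constructed).
GROUPS = {"u-alice": {"g-ops"}, "u-bob": set()}


def action_matches(pattern, action):
    """Azure RBAC wildcard: '*' matches any characters, including '/'. Names are case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its own scope and every child scope below it.
    Compare whole path segments so /resourceGroups/rg-prod does not cover rg-prod2."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def role_grants(role_def, action):
    """Effective control-plane permissions of a role = Actions minus NotActions."""
    perms = role_def["permissions"][0]
    allowed = any(action_matches(p, action) for p in perms["actions"])
    excluded = any(action_matches(p, action) for p in perms["notActions"])
    return allowed and not excluded


def is_allowed(principal_id, action, resource_id,
               assignments=ASSIGNMENTS, role_defs=ROLE_DEFS, groups=GROUPS):
    """Allow when any assignment for the principal, or a group it belongs to, covers the
    target scope with a role whose effective permissions include the action.
    Not modelled: deny assignments, ABAC conditions, DataActions."""
    identities = {principal_id} | groups.get(principal_id, set())
    for a in assignments:
        if a["principalId"] not in identities:
            continue
        if not scope_covers(a["scope"], resource_id):
            continue
        if role_grants(role_defs[a["roleDefinitionId"]], action):
            return True
    return False


if __name__ == "__main__":
    vm_prod = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"
    vm_dev = f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/web01"
    print(is_allowed("u-alice", "Microsoft.Compute/virtualMachines/start/action", vm_prod))  # True
    print(is_allowed("u-alice", "Microsoft.Compute/virtualMachines/start/action", vm_dev))   # False
    print(is_allowed("u-alice", "Microsoft.Compute/virtualMachines/read", vm_dev))           # True, via g-ops
    print(is_allowed("u-bob", "Microsoft.Authorization/roleAssignments/write",
                     f"{SUB}/resourceGroups/rg-dev"))                                        # False
```

Alice can start a VM in rg-prod but not in rg-dev, can read the rg-dev VM only because her group holds Reader at the subscription, and Bob's Contributor at rg-dev cannot create role assignments there even though Contributor starts from "*". Replace the constructed dictionaries with the real CLI output and you have a quick offline check of what an existing assignment set actually permits.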

When to Use

RBAC is ideal for scenarios where you need to control access to Azure resources granularly, ensuring that users can only access what they need to perform their jobs.

Limitations

  • Role assignments can take several minutes to propagate, and a principal created moments ago may not yet be visible when you try to assign a role to it.
  • Limits (Azure public cloud): 5,000 custom roles per tenant and 4,000 role assignments per subscription.
  • A custom role can only be assigned at scopes listed in its AssignableScopes.
  • Azure roles govern the control plane (and the data plane only through DataActions); they grant no Microsoft Entra directory permissions.

Pricing Notes

Azure RBAC itself costs nothing. PIM is a Microsoft Entra ID P2 / Microsoft Entra ID Governance feature and needs a license for each user who is made eligible for, activates or approves a role.

Syntax/Configuration

Azure CLI Commands

To manage RBAC using Azure CLI, you can use the following commands:

  • az role assignment create --assignee <assignee> --role <role> --scope <scope>
      Assigns a role to a user, group, or service principal at the given scope.
  • az role definition list
      Lists role definitions, built-in and custom.
  • az role assignment list --assignee <assignee>
      Lists role assignments for a specific user, group, or service principal.

PowerShell Commands

You can also manage RBAC using PowerShell:

  • New-AzRoleAssignment -SignInName <upn> -RoleDefinitionName <roleName> -Scope <scope>
      Assigns a role to a user by sign-in name. Use -ObjectId <objectId> (a GUID) for groups, service principals, or any principal addressed by object ID.
  • Get-AzRoleDefinition
      Retrieves role definitions; -Name "<roleName>" fetches a single role with its Actions and NotActions.
  • Get-AzRoleAssignment -ObjectId <objectId>
      Lists the role assignments for a specific principal (-SignInName <upn> also works for users).

Azure Portal Steps

  1. In the Azure portal, open the management group, subscription, resource group or resource that will be the scope of the assignment.
  2. Select Access control (IAM).
  3. Select + Add and choose Add role assignment.
  4. On the Role tab pick the role (built-in roles are split into Job function roles and Privileged administrator roles), on the Members tab pick the user, group, service principal or managed identity, then select Review + assign.

Practical Examples

Example 1: Assigning a Built-in Role Using Azure CLI

az role assignment create --assignee user@example.com --role "Virtual Machine Contributor" --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

This command assigns the "Virtual Machine Contributor" role to a user at resource group scope, so it covers every VM in that group and nothing outside it. --assignee accepts a user principal name, an object ID or an application ID; if the signed-in account cannot read the directory, pass --assignee-object-id together with --assignee-principal-type instead so the CLI skips the lookup.

Example 2: Listing Role Assignments

az role assignment list --assignee user@example.com

Use this command to view the roles assigned to a specific user. By default it shows only assignments made at the current subscription scope and directly on that principal. Add --all to include assignments at every scope within the subscription, --include-inherited to show assignments inherited from a management group, and --include-groups to include roles the user holds through group membership; without those flags the listing understates what the user can do.

Example 3: Creating a Custom Role

az role definition create --role-definition '{
    "Name": "Custom Reader",
    "Description": "Can read resources",
    "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Compute/virtualMachines/read"
    ],
    "AssignableScopes": ["/subscriptions/{subscription-id}"]
}'

This command creates a custom role named "Custom Reader" whose effective permissions are exactly the two listed operations. Both are control-plane reads (listing storage accounts and virtual machines and their properties); reading blob contents would need a DataActions entry, not an Actions entry. The role can only be assigned within the subscriptions listed in AssignableScopes. PowerShell's New-AzRoleDefinition -InputFile takes the same JSON shape with an added "IsCustom": true field.

Example 4: Assigning a Custom Role

az role assignment create --assignee user@example.com --role "Custom Reader" --scope /subscriptions/{subscription-id}

This assigns the custom role created in the previous example.

Example 5: Removing a Role Assignment

az role assignment delete --assignee user@example.com --role "Virtual Machine Contributor" --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

This command removes that one assignment. Keep --scope explicit: without it, the command deletes every matching assignment for that assignee and role within the subscription.

Example 6: Listing Built-in Roles

az role definition list --output table

Displays every role definition visible at the current subscription, built-in and custom, in table format. Add --custom-role-only true to see only custom roles, or --name "<roleName>" to inspect one role's Actions and NotActions before you decide whether it is narrow enough.

Example 7: A Standing Assignment versus PIM

az role assignment create --assignee user@example.com --role "Owner" --scope /subscriptions/{subscription-id}

This is a permanent, active Owner assignment at subscription scope, which is the opposite of just-in-time access. PIM does not use az role assignment create. A PIM eligible assignment is stored as a role eligibility schedule (the Microsoft.Authorization/roleEligibilityScheduleRequests resource type), and the user receives an ordinary, time-limited role assignment only when they activate it. When you find standing Owner assignments like this one, the least-privilege move is to recreate them as eligible assignments in PIM and delete the permanent one.

Example 8: Granting Time-Bound Access with PIM

In the Azure portal:

  1. Go to Microsoft Entra ID > Privileged Identity Management (or search for Privileged Identity Management).
  2. Under Manage, select Azure resources, then the subscription, resource group or resource that will be the scope. A subscription must be onboarded to PIM before its roles can be managed there.
  3. Select Assignments > Add assignments, choose the role and the member, then on the Setting tab choose Eligible (the user must activate, optionally with MFA and approval) or Active, and set a start and end date instead of Permanently.

Real-World Scenarios

Scenario 1: Granting Temporary Access

An organization needs to give a contractor access to a resource group for two weeks. Instead of a permanent Contributor assignment, the administrator makes the contractor eligible for the role in PIM with an end date, requires MFA and approval on activation, and limits each activation to a few hours. When the end date passes the eligibility expires on its own, so nobody has to remember to remove it.

Scenario 2: Managing Multiple Resources

In a large organization, different teams manage different resources. Custom roles let you tailor permissions to a specific application or service so that team members get exactly the operations they need and nothing more. Start from the nearest built-in role, remove the operations the team does not need, and enumerate explicit actions rather than wildcards; a wildcard quietly grants every operation the provider adds later.

Scenario 3: Compliance and Auditing

An organization must demonstrate strict access control to a regulator. Every role assignment create and delete is recorded in the Azure Activity Log under Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete, PIM keeps an audit history of activations and approvals, and Microsoft Entra access reviews let resource owners periodically attest who should keep access. Exporting the Activity Log to a Log Analytics workspace or SIEM turns those records into alerts on unexpected Owner or User Access Administrator grants.

Best Practices

  1. Implement Least Privilege: Pick the narrowest built-in role at the narrowest scope that covers the job; prefer resource group or resource scope over subscription scope.
  2. Assign Roles to Groups: Assign to groups rather than individual users, so membership changes and access reviews govern who holds the role.
  3. Use Custom Roles Sparingly: Create a custom role only when no built-in role fits, enumerate explicit operations, and avoid wildcard Actions.
  4. Regularly Review Roles: Conduct periodic reviews of role assignments, with Entra access reviews or a script over az role assignment list --all, and remove access that is no longer needed.
  5. Utilize PIM: Make Owner and User Access Administrator assignments eligible rather than permanent, with MFA and approval required on activation.
  6. Document Role Changes: Retain the Activity Log and PIM audit history so every assignment and change can be reconstructed for auditing and compliance.
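The custom role in Example 3 and the periodic review recommended above both come down to reading JSON the CLI already gives you. The following Python is added here as an example, not part of the original tutorial or of any Microsoft tool. It runs a least-privilege review over constructed data shaped like `az role assignment list --all -o json` output, and lints a custom role definition in the shape `az role definition create` accepts. The subscription ID, principal names and severity labels are assumptions; the checks encode the practices above: privileged roles at subscription or management-group scope, privileged or Contributor rights on a service principal, roles assigned directly to users instead of groups, wildcard actions, and any Microsoft.Authorization write in a custom role.

```python
"""Least-privilege review of Azure role assignments and custom role definitions."""
import re

# Scopes where a privileged role reaches an entire subscription or more.
BROAD_SCOPE = re.compile(
    r"^/$"                                                          # tenant root scope
    r"|^/providers/Microsoft\.Management/managementGroups/[^/]+$"   # management group
    r"|^/subscriptions/[^/]+$",                                     # subscription
    re.IGNORECASE,
)
# Roles that can grant access to others, so holding them is an escalation path.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator",
                    "Role Based Access Control Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # made-up subscription

# Constructed sample, shaped like `az role assignment list --all -o json` output.
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sg-vm-operators", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
]

# Constructed custom role JSON in the shape `az role definition create` accepts.
CUSTOM_ROLE = {
    "Name": "Custom Reader",
    "Actions": ["Microsoft.Storage/storageAccounts/read",
                "Microsoft.Compute/virtualMachines/read"],
    "AssignableScopes": [SUB],
}
BAD_ROLE = {
    "Name": "App Team Admin",
    "Actions": ["Microsoft.Web/*", "Microsoft.Authorization/roleAssignments/write"],
    "AssignableScopes": [],
}


def review_assignments(assignments):
    """Return one finding per least-privilege problem found in the assignment list."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        who, ptype = a["principalName"], a["principalType"]
        if role in PRIVILEGED_ROLES and BROAD_SCOPE.match(scope):
            findings.append({"severity": "high", "principal": who,
                             "reason": f"standing {role} at broad scope {scope}; "
                                       "make it a PIM eligible assignment"})
        if ptype == "ServicePrincipal" and (role in PRIVILEGED_ROLES or role == "Contributor"):
            findings.append({"severity": "high", "principal": who,
                             "reason": f"non-human identity holds {role}; scope it to the "
                                       "resource group it deploys into"})
        if ptype == "User":
            findings.append({"severity": "medium", "principal": who,
                             "reason": f"{role} assigned directly to a user; assign to a group "
                                       "so access reviews and leaver processes cover it"})
    return findings


def _is_escalating(action):
    """True for operations that let the holder change who has access."""
    a = action.lower()
    return a == "*" or (a.startswith("microsoft.authorization/") and not a.endswith("/read"))


def lint_custom_role(role_def):
    """Checks to run on custom role JSON before `az role definition create`."""
    problems = []
    if not role_def.get("AssignableScopes"):
        problems.append("AssignableScopes is empty; the role cannot be created or assigned")
    for act in role_def.get("Actions", []):
        if _is_escalating(act):
            problems.append(f"{act} allows changing role assignments; remove it or gate it with PIM")
        elif "*" in act:
            problems.append(f"{act} is a wildcard; it silently grants operations added later")
    return problems


if __name__ == "__main__":
    for f in review_assignments(ASSIGNMENTS):
        print(f["severity"].upper(), f["principal"], f["reason"])
    print(lint_custom_role(CUSTOM_ROLE))  # []
    print(lint_custom_role(BAD_ROLE))
```

Against the constructed data the review returns three high findings (Owner on a user at subscription scope, Contributor on a service principal at subscription scope, User Access Administrator at a management group) and one medium finding (the direct-to-user assignment), and the linter passes Custom Reader while rejecting App Team Admin on all three counts. Pipe real `az role assignment list --all -o json` output through `json.load` in place of ASSIGNMENTS to run it against a subscription.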

Common Errors

  1. AuthorizationFailed when creating a role assignment.

    • Cause: The caller lacks Microsoft.Authorization/roleAssignments/write at the target scope.
    • Fix: Use an account holding Owner, User Access Administrator or Role Based Access Control Administrator at that scope or a parent scope.
  2. The role is reported as not existing.

    • Cause: A typo in the role name, or a custom role whose AssignableScopes do not include the subscription you are working in, so it is not visible there.
    • Fix: Check the exact name with az role definition list --name "<roleName>" and confirm the custom role's AssignableScopes.
  3. PrincipalNotFound right after creating a user, group or service principal.

    • Cause: Directory replication lag; the new object is not yet visible to Azure Resource Manager.
    • Fix: Wait a few minutes and retry, or pass --assignee-object-id together with --assignee-principal-type so the CLI does not need to look the principal up.
  4. The role cannot be assigned at the chosen scope.

    • Cause: For a custom role, the scope is outside its AssignableScopes; for any role, the scope string is malformed (a missing /subscriptions/ prefix or a wrong resource provider segment, for example).
    • Fix: Add the scope with az role definition update, or correct the scope path by copying it from az resource show --query id.

Related Services/Commands

  • Microsoft Entra ID (formerly Azure AD): Identity and access management service; home of directory roles, groups, access reviews and PIM.
  • Privileged Identity Management (PIM): Eligible, time-bound and approval-gated activation of Azure roles and Microsoft Entra roles.
  • Azure CLI: Command-line tool for managing Azure resources; az role assignment and az role definition cover RBAC.
  • Azure PowerShell: PowerShell module for managing Azure resources; the Az.Resources cmdlets New-AzRoleAssignment, Get-AzRoleAssignment and New-AzRoleDefinition cover RBAC.

Automation Script

Here's a PowerShell script that creates a custom role and assigns it. It assumes you have already run Connect-AzAccount and selected the target subscription:

# Define variables
$roleName = "Custom Reader"
$description = "Can read storage accounts and virtual machines"
$assignee = "user@example.com"          # user principal name of the assignee
$scope = "/subscriptions/{subscription-id}"

# New-AzRoleDefinition takes a PSRoleDefinition object (or -InputFile with JSON),
# not individual Name/Actions parameters, so clone a built-in role and edit the copy.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null                         # a new definition must not carry the template's Id
$role.Name = $roleName
$role.Description = $description
$role.IsCustom = $true
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/storageAccounts/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role

# Assign the custom role. -ObjectId expects a GUID; for a user principal name use -SignInName.
New-AzRoleAssignment -SignInName $assignee -RoleDefinitionName $roleName -Scope $scope

This script creates a custom role called "Custom Reader" with two explicit read operations and assigns it to a user at subscription scope.

Conclusion

In summary, Azure RBAC controls who can do what to Azure resources, while Microsoft Entra roles control the directory; keeping the two apart, choosing the narrowest role and scope, and using PIM for the roles that can grant access to others are the foundations of a secure, compliant and manageable Azure environment.

For further learning, consider exploring Microsoft Learn's AZ-104 Learning Path and practical labs to solidify your understanding of RBAC and Azure AD.
