Introduction
Have you ever wondered what roles are available in Microsoft Azure and how they can be used to manage and control access to your cloud resources? The answer is Azure Roles. Account Administrator, Service Administrator, and Co-Administrator are the three administrator roles in Azure first used to govern resource access in Azure. After some time, role-based access control (RBAC) on Azure resources was integrated.
Azure RBAC is another authorization role that is relatively more modern, with potent control over Azure resources. RBAC has many integrated roles, can be implemented at various levels of abstraction, and presents the possibility to define new roles. When it comes to managing resources in Azure AD, such as users, groups, and domains, there are several roles known as Azure AD administrator roles.
To master roles in Azure and their management effectively, consider pursuing the AZ-900 and AZ-104 combo training. This training provides a solid foundation in Azure fundamentals and delve deeper into administration, respectively. In this blog, you will learn various roles in Azure, such as Azure classic administrator roles, Azure role-based access control (RBAC), and Azure Active Directory (AD) admin roles.
Let us first understand what Azure roles really are.
What are Roles in Azure?
Roles in Azure are a set of permissions that outline which actions are permitted to a user, a group, or a service for a certain resource or a set of resources. Roles are crucial in the context of access control because they allow granting users specific rights to perform certain operations, thus reducing the potential threats to the minimum. Azure offers wide coverage of built-in roles that can be granted to users, groups, or even Azure services almost with one click.
Azure Roles are of three types. These are:
- Azure Classic Administrator Roles
- Azure RBAC Roles
- Azure AD Admin Roles
The following diagram shows how classic subscription administrator roles, Azure RBAC roles, and Azure AD administrator roles are related.
Now that you have a basic understanding of Azure roles, let us understand different roles in Azure.
Different Azure Roles
Below, we have discussed different Azure roles with a detailed explanation for better understanding.
Azure Classic Administrator Roles
When Azure first came out, many management tools for IT were included, and with them, came a set of classic administrator roles. These roles were basic and the emphasis was on giving only administrator-level access. There are three classic administrator roles:
- Service Administrator
- Co-Administrator
- Account Administrator
Below, we have explained all these roles in the form of a table based on different factors.
| Azure Classic Administrator Roles | Limit | Permission | Description |
|---|---|---|---|
| Service Administrator | 1 per subscription | Manage all Azure resources, including creating and managing new subscriptions | The Service Administrator is the highest-level administrator in Azure and has full control over all Azure resources. |
| Co-Administrator | 200 per subscription | Manage all Azure resources, except creating new subscriptions | Co-Administrators have similar permissions to Service Administrators, but they cannot create new subscriptions. They are useful for delegating administration tasks without granting full control. |
| Account Administrator | 1 per Azure account | Manage Azure account settings, including billing and subscription management | The Account Administrator manages the Azure account settings, including billing and subscription management, but has limited control over Azure resources. |
Azure RBAC Roles
Azure RBAC is an authorization model that is based on ARM to deliver further control to resources in Azure and this comprises of the compute and storage. Azure RBAC has more than seventy constructed roles. There are four fundamental RBAC roles and the first three apply to all resource types. These are:
- Owner
- Contributor
- Reader
- User Access Administrator
Below, we have explained all these RBAC roles in a tabular form based on different factors.
| Azure RBAC Role | Permissions | Description |
|---|---|---|
| Owner | Manage all resources, including access Delegate access to others | The Owner role grants full control over a resource, including the ability to manage access and assign roles to others. |
| Contributor | Manage most resources, but not access | The Contributor role allows users to create and manage resources, but they cannot manage access or assign roles. |
| Reader | Read-only access to resources | The Reader role provides read-only access to resources, preventing users from making any changes. |
| User Access Administrator | Manage user access to resources | The User Access Administrator role enables users to manage access to resources for other users, but they cannot manage resources themselves. |
The remaining built-in roles enable the management of certain Azure resources. For example, the Virtual Machine Contributor role enables users to build and administer virtual machines.
Azure AD Administrator Roles
The Azure AD administrator roles are utilized to control the Azure AD resources in some contexts like user creation or modification, assigning administrative roles to other people, changing the passwords of users, dealing with the license of users, and domain handling. The following table enlists some of the most significant roles of Azure Active Directory administrators. These are:
- Global Administrator
- User Administrator
- Billing Administrator
| Azure AD Administrator Role | Permissions | Description |
|---|---|---|
| Global Administrator | Manage all aspects of Azure AD, including users, groups, and policies | Highest-level administrator role, with complete control over Azure AD configuration and management |
| User Administrator | Manage user accounts, including creation, deletion, and modification | Responsible for day-to-day user management, including password resets and user profile updates |
| Billing Administrator | Manage billing and subscription information, including payment methods and billing contacts | Focuses on financial management, ensuring accurate billing and subscription information |
Best Practices for Roles in Azure
Some of the best practices for roles in Azure are:
- Use built-in roles whenever possible: Built-in roles are preferred as they are more suitable to address situations as they occur compared to custom roles.
- Use custom roles when necessary: Custom roles allow more freedom and should be used to satisfy the particular requirements that your company has.
- Define assignable scopes carefully: Assignable scopes must be clearly drawn to ensure the scope of access to resources and services is controlled.
- Use role assignments to manage access: Organization roles should be used as a tool for granting access to organizational resources and services rather than relying on Azure Active Directory (AAD) group membership.
- Monitor and audit role assignments: Roles assigned to someone should be checked often and audited to make sure that the resources and services needed are properly controlled.
These are some of the best practices for Roles in Azure.
Frequently Asked Questions
Q1 – What are the three roles in Azure?
Three roles in Azure are:
- Azure Classic Administrator Roles
- Azure RBAC Roles
- Roles Admin Azure AD
Q2 – How many roles are in Azure?
There are over 120 built-in roles in Azure specifying different authorization levels for the users.
Q3 – What is the role hierarchy in Azure?
The role of hierarchy in Azure can be specified by the users at four levels:
- Management Group
- Resource Group
- Resource
- Subscription
Q4 – Where are Azure roles?
Azure roles are a collection of permissions that specify which activities are authorized to a person, group, or service for a certain resource or set of resources.
Conclusion
Roles in Azure can be considered an integral part of the Role-Based Access Control system in Azure. It provides granular access to the resources and services within that cloud environment. It is important to understand how roles are implemented in Azure so that you can commonly design roles and increase the security and usability of your Azure infrastructure. In this blog, we discussed different Azure roles along with their fundamental roles. We also explained the best practices for roles in Azure.
If you have any questions or suggestions, feel free to use the comment section below.
