By Daniel Laufenberg on 08/18/2024
Role-Based Access Control (RBAC) is a common approach for managing access control within organizations today. Managing resource access via RBAC allows for efficient governance by reusing existing roles. Instead of assigning access to resources individually for each user, you can define a role with a set of predefined permissions and then assign that role to users. If you need a quick overview of RBAC, I recommend reading the Red Hat blog here.
Microsoft, as one of the leading tech companies that consistently embraces the latest technological trends, also implements RBAC across many of its systems. As Microsoft expanded its product offerings, it developed different categories of RBAC systems, each designed to assign permissions and access to specific products, actions, or resources within the Microsoft ecosystem. While these developments were necessary, they have led to confusion among IT administrators and developers who work with these systems daily.
In this article, we will briefly clarify the differences between Azure Roles, Entra ID Roles, Microsoft 365 Roles, and App Roles. We will also explore real-world use cases where one or more of these RBAC systems may be needed. If you learn best through examples, this is the article for you.
Microsoft Entra ID Roles (formerly known as Azure Active Directory roles) manage access to resources within the Microsoft Entra (formerly Azure Active Directory) environment. These roles focus on identity and directory management. Examples include roles like Billing Administrator and User Administrator.
Microsoft 365 Roles technically fall under Microsoft Entra ID Roles but are service-specific. They are configured within Microsoft Entra ID and include product-specific roles such as Exchange Administrator, Intune Administrator, and SharePoint Administrator.
Azure Roles manage access to Azure resources. Access levels can be configured at different scopes, such as the resource group level or subscription level. For example, you could assign a Virtual Machine Contributor role to a user at the resource group level, allowing them to manage VM disks, update passwords, and more.
App Roles are quite different from the aforementioned RBAC systems. These are roles you define for an application registered in your Entra ID tenant. When the Microsoft Entra tenant issues an authentication token for that application, the user's assigned app roles are included in the token's roles claim. Developers can then use this claim to make authorization decisions within their applications.
For Microsoft Entra ID Roles, Microsoft 365 Roles, and Azure Roles, Microsoft provides predefined actions for each resource. You can use these predefined roles (the preferred method) or create custom roles with specific actions tailored to your needs. However, for App Roles, it is up to the application developer to define what actions can be performed.
Let's explore a few real-world scenarios and identify which type of RBAC will get the job done. The answer may involve one or more of these RBAC systems.
Assigning John access to delete Excel files stored in Azure Blob Storage in the resource group “backupexcel.”
In this case, you would assign John the "Storage Blob Data Contributor" role at the resource group level. This role will allow John to locate and delete files in Azure Blob Storage.
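The scope inheritance behind this scenario (and the "different scopes" mentioned earlier), as an added example that is not part of the original article: a small evaluator over constructed role assignments that answers whether a principal holds a role at a given Azure scope, including roles inherited from a parent scope. The subscription id and storage account name are placeholders.

```python
# Azure RBAC scopes form a hierarchy (subscription -> resource group -> resource);
# an assignment at a scope applies to everything beneath it, and assignments
# from different scopes are additive.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed role assignments: John gets the role from Scenario 1 on the
# "backupexcel" resource group, and Emily is Owner on the whole subscription.
ASSIGNMENTS = [
    {"principal": "john", "role": "Storage Blob Data Contributor",
     "scope": f"{SUBSCRIPTION}/resourceGroups/backupexcel"},
    {"principal": "emily", "role": "Owner", "scope": SUBSCRIPTION},
]


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if target_scope is assigned_scope itself or nested under it.

    Compares whole path segments (case-insensitively, as Azure does), so an
    assignment on "backupexcel" does not leak onto a group named "backupexcel2".
    """
    a = assigned_scope.lower().strip("/").split("/")
    t = target_scope.lower().strip("/").split("/")
    return t[: len(a)] == a


def effective_roles(principal: str, target_scope: str, assignments=ASSIGNMENTS) -> set[str]:
    """All roles the principal holds at target_scope, including inherited ones."""
    return {
        a["role"]
        for a in assignments
        if a["principal"] == principal and scope_covers(a["scope"], target_scope)
    }


def has_role(principal: str, role: str, target_scope: str, assignments=ASSIGNMENTS) -> bool:
    """Authorization check: does the principal hold the role at this scope?"""
    return role in effective_roles(principal, target_scope, assignments)
```

Note that narrowing John's assignment to a single storage account would be the least-privilege choice if only that account holds the Excel files.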
Thomas is building an application that calls the company's internal API hosted on Azure Web App. This application will be registered in the company’s Entra ID tenant. He wants to create a custom role where a user with this role has access to the information retrieved from the API.
In this scenario, we are configuring the application's authorization decisions based on a custom role. You can create an App Role that grants access to read data from the API. Note: Although the API is hosted on an Azure Web App, you do not need Azure Web App-specific permissions since you're not interacting with the Azure Web App resource itself. However, you may need to assign the registered application permission (via its service principal) to call the API hosted on the Azure Web App.
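How the App Role from this scenario and the roles-claim mechanism described earlier fit together, as an added example that is not part of the original article: a constructed app-role definition of the kind placed in the app registration manifest, and the authorization check the API would run on the roles claim. It assumes the token's signature, issuer, audience and expiry have already been validated by the authentication middleware; the role id, user names and tokens are constructed placeholders.

```python
import base64
import json

# Constructed app-role definition shaped like an entry in the app registration's
# manifest "appRoles" array. The id is a placeholder, not a real value.
API_READER_ROLE = {
    "allowedMemberTypes": ["User"],
    "description": "Can read data returned by the internal API",
    "displayName": "API Reader",
    "id": "00000000-0000-0000-0000-000000000001",
    "isEnabled": True,
    "value": "Api.Read",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_token(token: str) -> set[str]:
    """Return the app roles carried in the token's 'roles' claim.

    Assumes signature, issuer, audience and expiry were already validated
    upstream; this only reads the claim. A malformed token or a token with
    no 'roles' claim yields an empty set, i.e. no roles assigned.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return set()
    roles = payload.get("roles", [])
    # Entra emits 'roles' as an array of the assigned app roles' 'value' strings.
    return set(roles) if isinstance(roles, list) else set()


def can_read_api(token: str) -> bool:
    """Authorization decision: grant only if the API Reader role is present."""
    return API_READER_ROLE["value"] in roles_from_token(token)


def _sample_token(payload: dict) -> str:
    """Build a constructed header.payload.signature string with a dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample tokens: one user assigned Api.Read, one with no app roles.
READER_TOKEN = _sample_token({"sub": "thomas-user", "roles": ["Api.Read"]})
NO_ROLE_TOKEN = _sample_token({"sub": "other-user"})
```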
Emily, an accountant, needs permission to assign an "Owner" role to users on an Azure subscription.
In this situation, Emily would need either a Microsoft Entra ID Role, such as "Billing Administrator," which allows the management of Azure subscriptions, or a subscription-level Azure Role, such as "User Access Administrator," which grants her permission to assign roles to other users.
The new CTO of the company wants to understand how Microsoft 365 products are being used and configured in the company's Microsoft account, but does not want to make any updates yet.
The CTO can be assigned the "Global Reader" role within Microsoft Entra ID, which also spans Microsoft 365 services. Alternatively, they can be given specific Microsoft 365 service roles depending on what they need to access.
Hopefully, this article has helped you gain a better understanding of which RBAC system is needed for different scenarios. When you're unsure about which type of role to assign, ask yourself, “Which Microsoft product or service is this access for?” and “What is the minimum scope and access the user needs?” Answering these questions will usually point you in the right direction.
Thank you for reading!