
Users, Groups, and Role Assignments

Create users and groups in Entra ID, assign built-in RBAC roles to control access to Azure resources, and apply the principle of least privilege.

Azure RBAC: Role-Based Access Control

Azure Role-Based Access Control (RBAC) is the authorisation system that controls who can do what on Azure resources. Instead of assigning permissions directly to individuals, you assign roles to security principals (users, groups, service principals, or managed identities) at a specific scope. This separation keeps permissions manageable as your organisation grows.

The Three RBAC Concepts

Every RBAC assignment involves three components. A security principal is who gets access (user, group, or managed identity). A role definition is what actions are allowed (e.g., read VMs, write to storage). A scope is where access applies — from broadest to narrowest: management group, subscription, resource group, or individual resource. Access is inherited downward through the scope hierarchy.

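# View all role assignments in a subscription
# (--all includes assignments at resource group and resource scope)
az role assignment list \
  --all \
  --output table

# Check your own permissions on a resource
# (<resource-id> is the resource's full ID; the two --include flags add
# assignments inherited from parent scopes and granted through groups)
az role assignment list \
  --assignee <your-user-principal-name> \
  --scope <resource-id> \
  --include-inherited \
  --include-groups \
  --output table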
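To make scope inheritance and least privilege concrete, the following Python sketch is an added example, not part of the original lesson. It takes JSON shaped like the output of `az role assignment list --all --output json` and works out which assignments reach a given resource. The sample data, the function names and the `BROAD_ROLES` review heuristic are assumptions made for illustration, and management group scopes are classified but not matched to resources.

```python
import json

# Constructed sample in the shape of `az role assignment list --all --output json`
# (only the fields used here; the subscription ID and all names are made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "app-operators", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"},
    {"principalName": "data-team", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-data"},
])

# Assumed review heuristic: built-in roles broad enough to question at wide scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def scope_level(scope):
    """Name the level of the scope hierarchy a scope string sits at."""
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    if "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resource group"
    return "subscription"

def applies_to(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`.
    Whole path segments are compared, so rg-app does not match rg-app2.
    Management group scopes never match: a resource ID does not name them."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def effective_assignments(assignments_json, resource_id):
    """Assignments that reach the resource, tagged with the level they come from."""
    return [(a["principalName"], a["roleDefinitionName"], scope_level(a["scope"]))
            for a in json.loads(assignments_json) if applies_to(a["scope"], resource_id)]

def least_privilege_findings(assignments_json):
    """Broad roles given directly to a user at subscription scope or above."""
    return [(a["principalName"], a["roleDefinitionName"])
            for a in json.loads(assignments_json)
            if a["principalType"] == "User" and a["roleDefinitionName"] in BROAD_ROLES
            and scope_level(a["scope"]) in ("subscription", "management group")]
```

For the sample storage account, the result shows the Owner assignment arriving from the subscription and the Contributor assignment from the resource group, while the `rg-data` assignment does not apply.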
