Built-In RBAC roles

Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Here is a comparison chart of common Azure built-in roles and their access to resources.

| Role Name | Description | Access to Resources | No Access to Resources |
|---|---|---|---|
| Owner | Has full access to all resources and can manage access to resources. | Can create, read, update, and delete all resources within the subscription. Can also grant permissions to others. | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types. |
| Global Administrator | Provides full access to all Azure services and resources. | Can manage all aspects of Azure, including subscription management, resource management, and identity and access management. | N/A |
| Contributor | Can create and manage all types of resources, but can’t grant access to others. | Can create, read, update, and delete all resources within the subscription, except for access control. | Access control operations, such as granting or revoking access to resources. |
| Reader | Can view existing resources. | Can view all resources within the subscription, but can’t make any changes. | Write or modify operations, such as creating or deleting resources. |
| User Access Administrator | Can manage user access to resources. | Can manage access to resources within the subscription, but can’t create or modify resources. | Resource management operations, such as creating or deleting resources. |
| Security Administrator | Can manage security-related operations. | Can manage security-related operations, such as creating and managing security policies, but can’t create or modify resources. | Resource management operations, such as creating or deleting resources. |
| Network Contributor | Can create and manage virtual networks and associated resources. | Can create, read, update, and delete virtual networks, subnets, network interfaces, and network security groups. | Resource management operations, such as creating or deleting resources, outside of virtual networks. |
| Storage Account Contributor | Can create and manage storage accounts and associated resources. | Can create, read, update, and delete storage accounts, containers, and blobs. | Resource management operations, such as creating or deleting resources, outside of storage accounts. |
| SQL Server Contributor | Can create and manage SQL servers and databases. | Can create, read, update, and delete SQL servers and databases. | Resource management operations, such as creating or deleting resources, outside of SQL servers and databases. |
| App Service Contributor | Can create and manage App Service plans and associated resources. | Can create, read, update, and delete App Service plans, web apps, and deployment slots. | Resource management operations, such as creating or deleting resources, outside of App Service plans and associated resources. |
| Monitoring Contributor | Can manage monitoring-related operations. | Can manage monitoring-related operations, such as creating and managing monitoring policies, but can’t create or modify resources. | Resource management operations, such as creating or deleting resources, outside of monitoring-related operations. |

Note that this is not an exhaustive list of all Azure built-in roles and their access to resources, and the specific permissions associated with each role may vary depending on the Azure resources being managed. For more details about built-in roles, please refer to the link below.

Built-in roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Here is a comparison chart highlighting some of the key differences between the Owner, Global Administrator and User Administrator roles in Azure:

| Role | Purpose | Permissions | Scope |
|---|---|---|---|
| Owner | Has full access to all resources in the subscription, and can delegate access to others | Can create, read, update, and delete all resources and resource groups in the subscription | Applies to a single subscription (subscription-wide) |
| Global Administrator | Has full access to all Azure services and resources, and can delegate access to others | Can manage access, settings, and configurations for all Azure services and resources, including subscriptions, resource groups, and individual resources | Applies to all subscriptions and Azure AD resources (tenant-wide) |
| User Administrator | Can manage user accounts and reset passwords | Can create, read, update, and delete user accounts and reset passwords; can manage user groups and their memberships; can assign roles to users and can manage some Azure resources such as virtual machines and storage accounts. | Can manage access to all resources and can create and manage some Azure resources within specific resource groups (resource-specific) |
| Billing Administrator | Can manage billing information, including managing subscriptions and changing billing details. | Can manage billing information, including the ability to change billing details and manage subscriptions. | Has access to all billing information and can manage subscriptions associated with the billing account. |

While both the Owner and Global Administrator roles have full access to resources in Azure, there are some key differences between the two roles. The Owner role is specific to a single subscription, while the Global Administrator role applies to all subscriptions and Azure AD resources. The Global Administrator role also includes permissions for managing access, settings, and configurations for all Azure services and resources, while the Owner role is limited to managing resources within a single subscription.

In general, it is recommended to grant the Global Administrator role only to users who require broad access to Azure resources across multiple subscriptions, while the Owner role can be used to grant full access to resources within a single subscription.

User Administrator has more limited permissions compared to Owner and Global Administrator, but is focused specifically on managing user accounts and groups within Azure.

It is important to carefully manage access to resources within your Azure subscriptions to ensure that only authorised users and applications have access to sensitive data and configurations. You should assign roles with the minimum permissions necessary to perform the required tasks.
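The scope distinction drawn above (Owner is subscription-wide, Global Administrator is tenant-wide) is also the first thing to check when reviewing whether assignments follow least privilege: a highly privileged role granted at a broad scope is a much larger blast radius than the same role on a single resource. The following is an added example, not code from the page or from Microsoft; it reads a list of role assignments in the JSON shape that `az role assignment list -o json` produces (the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields), classifies each assignment's scope level from the resource ID path, and flags Owner or User Access Administrator assignments at management-group, subscription or tenant-root scope. The assignments embedded below are constructed sample data, and the choice of which roles count as "privileged" is an assumption a reviewer would tune to their own environment.

```python
import json

# Constructed sample in the shape of `az role assignment list -o json` output.
# Names, IDs and scopes are made up for this example; they are not real data.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"
              "/providers/Microsoft.Web/sites/app1"},
])

# Assumption: these two built-in roles can grant access to others, so an
# assignment at a broad scope is the highest-impact case to review first.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
# Scope levels treated as "broad" (everything below them inherits the grant).
BROAD_LEVELS = {"root", "managementGroup", "subscription"}


def scope_level(scope):
    """Classify an Azure scope string by the level of the hierarchy it names.

    Returns one of: root, managementGroup, subscription, resourceGroup,
    resource, or unknown. Matching is case-insensitive on the fixed path
    segments, as Azure resource IDs are.
    """
    parts = [p for p in scope.strip().split("/") if p]
    if not parts:
        return "root"  # scope "/" is the tenant root
    lowered = [p.lower() for p in parts]
    if lowered[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if lowered[0] != "subscriptions":
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and lowered[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def find_broad_privileged(assignments_json):
    """Return (principal, role, scope level) for privileged roles at broad scope."""
    findings = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            findings.append((a["principalName"], a["roleDefinitionName"], level))
    return findings


def summarize_by_level(assignments_json):
    """Count assignments per scope level, useful as a quick spread overview."""
    counts = {}
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    print("Assignments per scope level:", summarize_by_level(SAMPLE_ASSIGNMENTS))
    for principal, role, level in find_broad_privileged(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: {principal} holds {role} at {level} scope")
```

In practice the sample JSON would be replaced by the saved output of `az role assignment list` for the subscription or management group under review; every finding is a candidate for moving the grant down to a resource group or replacing it with a narrower built-in role such as Contributor or Reader, as the least-privilege recommendation above describes.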

Here is a comparison chart of common Azure built-in roles and their permissions for different operations (Create/Rename/Move/Delete/Assign Access/Assign Policy/Read Operations) on management groups:

| Role Name | Create | Rename | Move | Delete | Assign Access | Assign Policy | Read Operations |
|---|---|---|---|---|---|---|---|
| Owner | | | | | | | |
| Global Administrator | | | | | | | |
| Contributor | | | | | | | |
| Management Group Contributor | | | | | | | |
| Reader | | | | | | | |
| Management Group Reader | | | | | | | |
| User Access Administrator | | | | | | | |
| Resource Policy Contributor | | | | | | | |
| Security Administrator | | | | | | | |
| Network Contributor | | | | | | | |

Add users and assign permissions: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory?view=azure-devops
