What is rbac in azure

Azure RBAC Overview

Azure RBAC (Role-Based Access Control) is Microsoft's native access management system for Azure cloud services. It enables organizations to control who has access to Azure resources and what actions they can perform on those resources. Azure RBAC is built into the Azure platform and integrates with Azure Active Directory for identity and access management, providing a unified approach to security across cloud infrastructure.

Azure Built-in Roles

Azure provides several built-in roles for common scenarios:

• Owner: Full access to all resources and can assign roles to others
• Contributor: Can create and manage resources but cannot assign roles
• Reader: Can view resources but cannot make changes
• User Access Administrator: Can manage role assignments for others
• Specialized roles for specific services (Virtual Machine Contributor, SQL Database Administrator, etc.)

RBAC Scope Levels

Azure RBAC supports hierarchical scope levels, allowing granular access control:

• Management Group: Multiple subscriptions grouped together
• Subscription: Contains resource groups and resources
• Resource Group: Container for related resources
• Resource: Individual Azure resources (virtual machines, databases, etc.)

Integration with Azure Active Directory

Azure RBAC integrates with Azure AD, Microsoft's identity platform, to authenticate and authorize users. Users authenticate through Azure AD using credentials or multi-factor authentication. Once authenticated, Azure AD passes identity information to RBAC, which checks role assignments to determine resource access. This integration enables single sign-on, conditional access policies, and centralized identity management across Azure services.

Custom Roles and Permissions

Beyond built-in roles, organizations can create custom roles tailored to specific job functions. Custom roles allow precise permission assignment, supporting complex organizational structures and specialized requirements. Permissions are defined using Azure Resource Manager actions (like Microsoft.Compute/virtualMachines/read). Organizations can also use managed identities to grant Azure services access to resources without managing credentials.