![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 53%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
672 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Somansh Reddy , Thank you for reaching out. In a single line answer, RBAC is not for Azure AD but for Azure Resources, and hence with you use any programming language and implement an Authentication Library like MSAL etc, it has nothing to do with RBAC roles.
Now, let's walk you through few points here:
- RBAC: It stands for Resource-Based Access Control, by this we mean, whenever you are accessing or working with any Azure Resouces like (VMs, SQL DB Servers, VNETs, Storage etc), you would need to provide certain access-control permissions either on the subscription level or on the resource level and that's what is referred to as RBAC (in portal you would find it as IAM or Access-Control)
- Directory Roles: These roles are found under Azure AD and these roles are assigned to users, so that they are able to manage the Azure AD components, like managing the applications registered in AAD, or managing the groups, managing the Conditional Access Policies, etc.
- API Permissions(Delegated and Application Permissions): These permissions are the ones that you provide in the Application Registration that you made in AAD and for the API that you added in that application registration, for eg: on Microsoft Graph API. Now these permissions that you have applied on the API, would be added in the Access_tokens when a request is sent to AAD for accessing that API using the registered application in AAD. AAD pushes these permissions based on the ones you mentioned in the request (to AAD) and then issue you the token. Once the token is issued, you use your application to call the API and send that access_token issued by AAD along with that api call. The API-Backend receives the token, validates it and checks for the permissions mentioned in it. If the permissions are correct, the API-Backend authorizes your access and provides you the required details.
The article you mentioned https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/identity/azure-identity/README.md#authenticating-a-user-account-with-username-and-password, I checked that and it doesn't need RBAC roles to be configured anywhere. Since it uses UserName-Password hence the OAuth flow it is using is the Resource-Owner-Password Grant Flow
The client ID, client Secret and tenant ID are specific to the Application Registration that you have to perform in AAD. Do take a look at the details of Resource-Owner-Password Grant flow as mentioned in this article: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.