Manage access to your Azure environment with Azure role-based access control
Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy, and assigning group-based access rights and privileges is a good practice. Dealing with groups rather than individual users simplifies maintenance of access policies, provides consistent access management across teams, and reduces configuration errors. Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure.
Azure RBAC provides detailed access management of resources in Azure. It helps you manage who has access to Azure resources, what they can do with those resources, and what scopes they can access.
When you plan your access control strategy, grant users the least privilege required to get their work done. The following image shows a suggested pattern for assigning Azure RBAC.
Figure 1: Azure roles.
When you plan your access control methodology, we recommend that you work with people in your organization with the following roles: security and compliance, IT administration, and enterprise architect.
The Cloud Adoption Framework offers additional guidance on using Azure role-based access control in your cloud adoption efforts.
Actions
Grant resource group access:
To grant a user access to a resource group:
- Go to Resource groups.
- Select a resource group.
- Select Access control (IAM).
- Select + Add > Add role assignment.
- Select a role, and then assign access to a user, group, or service principal.
Grant subscription access:
To grant a user access to a subscription:
- Go to Subscriptions.
- Select a subscription.
- Select Access control (IAM).
- Select + Add > Add role assignment.
- Select a role, and then assign access to a user, group, or service principal.
Learn more
To learn more, see: