AZ-104 Objective 1.2: Manage Access to Azure Resources

September 14, 2025•30 min read•Microsoft Azure Administrator

AZ-104 Exam Focus: This objective covers Azure Role-Based Access Control (RBAC), which is fundamental to securing Azure resources. Understanding built-in roles, role assignments at different scopes, and interpreting access assignments is crucial for Azure administrators. Master these concepts for both exam success and real-world Azure security management.

Understanding Azure Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC) is the authorization system for managing access to Azure resources. It provides fine-grained access management by allowing you to grant users, groups, service principals, and managed identities the exact permissions they need to perform their jobs. This builds upon the user and group management covered in our guide on managing Microsoft Entra ID users and groups, as RBAC uses these identities as security principals.

Key RBAC Concepts:

Security Principal: An identity that can be assigned access (user, group, service principal, managed identity)
Role Definition: A collection of permissions that define what actions can be performed
Role Assignment: The process of attaching a role definition to a security principal at a specific scope
Scope: The set of resources that the access applies to (management group, subscription, resource group, or resource)
Permission: An action that can be performed on a resource (read, write, delete, etc.)

RBAC vs. Other Access Control Methods

RBAC Characteristics:

Identity-based: Permissions are assigned to identities, not resources
Inheritance: Permissions are inherited from parent scopes
Additive: Multiple role assignments are combined (no deny rules)
Azure-native: Built into Azure Resource Manager

Other Access Control Methods:

Access Control Lists (ACLs): Resource-specific permissions
Shared Access Signatures (SAS): Time-limited access tokens
Conditional Access: Context-based access policies
Azure Policy: Resource configuration and compliance

Manage Built-in Azure Roles

Understanding Built-in Roles

Azure provides over 100 built-in roles that cover common scenarios. These roles are predefined and cannot be modified, but they serve as templates for creating custom roles.

Core Built-in Roles

Owner:

Full access: Can manage everything including access to resources
Permissions: All actions on all resources
Use case: Subscription or resource group administrators
Scope: Can be assigned at any scope

Contributor:

Full access: Can manage everything except access to resources
Permissions: All actions except role assignments
Use case: Developers and resource managers
Scope: Can be assigned at any scope

Reader:

Read-only access: Can view all resources but cannot modify them
Permissions: Read actions only
Use case: Auditors, monitoring personnel
Scope: Can be assigned at any scope

User Access Administrator:

Access management: Can manage user access to Azure resources
Permissions: Role assignments and access management
Use case: Identity administrators
Scope: Can be assigned at any scope

Service-Specific Built-in Roles

Virtual Machine Roles:

Virtual Machine Contributor: Manage VMs but not access to them
Virtual Machine Administrator Login: Login to VMs as administrator
Virtual Machine User Login: Login to VMs as regular user

Storage Roles:

Storage Account Contributor: Manage storage accounts
Storage Blob Data Contributor: Read, write, and delete blob data
Storage Queue Data Contributor: Read, write, and delete queue data
Storage Table Data Contributor: Read, write, and delete table data

Network Roles:

Network Contributor: Manage networks but not access to them
DNS Zone Contributor: Manage DNS zones and records
Traffic Manager Contributor: Manage Traffic Manager profiles

Database Roles:

SQL DB Contributor: Manage SQL databases but not access to them
SQL Server Contributor: Manage SQL servers but not access to them
Cosmos DB Account Reader Role: Read Cosmos DB account data

Viewing and Understanding Role Definitions

Azure Portal Method

Step-by-Step Process:

Navigate to IAM: Go to any resource → Access control (IAM)
View Roles: Click "Roles" tab to see all available roles
Filter Roles: Use filters to find specific roles
View Role Details: Click on a role to see its permissions
Examine Permissions: Review Actions, NotActions, DataActions, and NotDataActions

PowerShell Method

PowerShell Commands:

# Connect to Azure
Connect-AzAccount

# Get all built-in roles
Get-AzRoleDefinition | Where-Object {$_.IsCustom -eq $false}

# Get specific role definition
Get-AzRoleDefinition -Name "Contributor"

# Get roles by name pattern
Get-AzRoleDefinition | Where-Object {$_.Name -like "*Storage*"}

# Get role permissions in detail
$role = Get-AzRoleDefinition -Name "Storage Account Contributor"
$role.Actions
$role.NotActions
$role.DataActions
$role.NotDataActions

Azure CLI Method

Azure CLI Commands:

# Login to Azure
az login

# List all built-in roles
az role definition list --query "[?isCustom==false]"

# Get specific role definition
az role definition show --name "Contributor"

# List roles by name pattern
az role definition list --query "[?contains(name, 'Storage')]"

# Get role permissions
az role definition show --name "Storage Account Contributor" --query "permissions"

Role Permission Structure

Permission Components:

Actions: Control plane operations (create, read, update, delete resources)
NotActions: Excluded control plane operations
DataActions: Data plane operations (read, write data within resources)
NotDataActions: Excluded data plane operations
AssignableScopes: Scopes where the role can be assigned

Permission Examples:

Microsoft.Storage/storageAccounts/read: Read storage account properties
Microsoft.Storage/storageAccounts/blobServices/containers/read: Read blob containers
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read: Read blob data
Microsoft.Compute/virtualMachines/start/action: Start virtual machines

Assign Roles at Different Scopes

Understanding Azure Scopes

Azure RBAC uses a hierarchical scope system where permissions are inherited from parent scopes to child scopes. Understanding scope hierarchy is crucial for effective access management.

Scope Hierarchy

Scope Levels (from broadest to narrowest):

Management Group: Organize subscriptions and apply governance
Subscription: Billing boundary and access control boundary
Resource Group: Logical container for related resources
Resource: Individual Azure resources (VM, storage account, etc.)

Scope Inheritance:

Inheritance: Permissions assigned at higher scopes are inherited by lower scopes
Additive: Multiple role assignments are combined (no deny rules)
Effective Permissions: Sum of all role assignments at current and parent scopes

Role Assignment Methods

Azure Portal Method

Step-by-Step Process:

Navigate to Scope: Go to the desired scope (management group, subscription, resource group, or resource)
Access IAM: Click "Access control (IAM)" in the left navigation
Add Role Assignment: Click "Add" → "Add role assignment"
Select Role: Choose the appropriate role from the list
Assign Access To: Select User, Group, Service Principal, or Managed Identity
Select Members: Choose specific users, groups, or identities
Review and Assign: Review the assignment and click "Save"

PowerShell Method

Role Assignment Commands:

# Assign role at subscription scope
New-AzRoleAssignment -SignInName "user@contoso.com" -RoleDefinitionName "Reader" -Scope "/subscriptions/{subscription-id}"

# Assign role at resource group scope
New-AzRoleAssignment -SignInName "user@contoso.com" -RoleDefinitionName "Contributor" -ResourceGroupName "MyResourceGroup"

# Assign role at resource scope
New-AzRoleAssignment -SignInName "user@contoso.com" -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-account}"

# Assign role to a group
New-AzRoleAssignment -ObjectId "group-object-id" -RoleDefinitionName "Virtual Machine Contributor" -ResourceGroupName "MyResourceGroup"

# Assign role to service principal
New-AzRoleAssignment -ObjectId "service-principal-object-id" -RoleDefinitionName "Contributor" -Scope "/subscriptions/{subscription-id}"

# Assign role to managed identity
New-AzRoleAssignment -ObjectId "managed-identity-object-id" -RoleDefinitionName "Reader" -ResourceGroupName "MyResourceGroup"

Azure CLI Method

Azure CLI Commands:

# Assign role at subscription scope
az role assignment create --assignee "user@contoso.com" --role "Reader" --scope "/subscriptions/{subscription-id}"

# Assign role at resource group scope
az role assignment create --assignee "user@contoso.com" --role "Contributor" --resource-group "MyResourceGroup"

# Assign role at resource scope
az role assignment create --assignee "user@contoso.com" --role "Storage Blob Data Contributor" --scope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-account}"

# Assign role to a group
az role assignment create --assignee "group-object-id" --role "Virtual Machine Contributor" --resource-group "MyResourceGroup"

# Assign role to service principal
az role assignment create --assignee "service-principal-object-id" --role "Contributor" --scope "/subscriptions/{subscription-id}"

# Assign role to managed identity
az role assignment create --assignee "managed-identity-object-id" --role "Reader" --resource-group "MyResourceGroup"

Scope-Specific Considerations

Management Group Scope

Best Practices:

Governance Roles: Assign Owner, Contributor, or Reader roles for governance
Policy Management: Assign Policy Contributor for policy management
Cost Management: Assign Cost Management Contributor for cost oversight
Security: Assign Security Admin for security policy management

Common Assignments:

Enterprise Administrators: Owner role for top-level governance
IT Administrators: Contributor role for resource management
Auditors: Reader role for compliance monitoring

Subscription Scope

Best Practices:

Subscription Owners: Limit to 2-3 trusted administrators
Service Principals: Use for automated deployments and management
Resource Groups: Prefer resource group assignments over subscription assignments
Monitoring: Assign monitoring roles for observability

Common Assignments:

Subscription Administrators: Owner or Contributor roles
DevOps Teams: Contributor role for CI/CD pipelines
Monitoring Teams: Monitoring Contributor role

Resource Group Scope

Best Practices:

Team-based Access: Assign roles based on team responsibilities
Environment Separation: Different roles for dev, test, prod environments
Service-specific Roles: Use service-specific roles when available
Least Privilege: Grant minimum required permissions

Common Assignments:

Development Teams: Contributor role for development resources
Operations Teams: Service-specific contributor roles
Support Teams: Reader role for troubleshooting

Resource Scope

Best Practices:

Data Access: Use data-specific roles for data access
Service Management: Use service-specific roles for service management
Backup and Recovery: Assign backup-specific roles
Monitoring: Assign monitoring roles for specific resources

Common Assignments:

Storage Data Access: Storage Blob Data Contributor, Storage Queue Data Contributor
Database Access: SQL DB Contributor, Cosmos DB Account Reader
Virtual Machine Access: Virtual Machine Administrator Login, Virtual Machine User Login

Interpret Access Assignments

Understanding Effective Permissions

Effective permissions are the actual permissions a user has, calculated by combining all role assignments at the current scope and all parent scopes. Understanding how to interpret these assignments is crucial for troubleshooting access issues.

Calculating Effective Permissions

Permission Calculation Process:

Collect All Assignments: Gather all role assignments for the user at current and parent scopes
Combine Permissions: Merge all Actions and DataActions from assigned roles
Apply Exclusions: Remove any NotActions and NotDataActions
Determine Effective Permissions: Final set of permissions the user actually has

Example Calculation:

Subscription Level: Reader role (read permissions)
Resource Group Level: Contributor role (all permissions except access management)
Resource Level: Storage Blob Data Contributor (blob data access)
Effective Permissions: All permissions from all three roles combined

Viewing Access Assignments

Azure Portal Method

Step-by-Step Process:

Navigate to Resource: Go to the specific resource or scope
Access IAM: Click "Access control (IAM)"
View Assignments: Click "Role assignments" tab
Filter Assignments: Use filters to find specific users or roles
View Details: Click on assignments to see details
Check Access: Use "Check access" to verify specific user permissions

PowerShell Method

Access Assignment Commands:

# Get all role assignments at subscription scope
Get-AzRoleAssignment -Scope "/subscriptions/{subscription-id}"

# Get role assignments for specific user
Get-AzRoleAssignment -SignInName "user@contoso.com"

# Get role assignments at resource group scope
Get-AzRoleAssignment -ResourceGroupName "MyResourceGroup"

# Get role assignments for specific role
Get-AzRoleAssignment -RoleDefinitionName "Contributor"

# Get role assignments for specific resource
Get-AzRoleAssignment -Scope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-account}"

# Get effective permissions for a user
$user = Get-AzADUser -UserPrincipalName "user@contoso.com"
Get-AzRoleAssignment -ObjectId $user.Id

# Check if user has specific permission
$assignments = Get-AzRoleAssignment -SignInName "user@contoso.com"
foreach ($assignment in $assignments) {
    $role = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
    Write-Host "Role: $($role.Name)"
    Write-Host "Actions: $($role.Actions -join ', ')"
    Write-Host "Scope: $($assignment.Scope)"
    Write-Host "---"
}

Azure CLI Method

Azure CLI Commands:

# List all role assignments at subscription scope
az role assignment list --scope "/subscriptions/{subscription-id}"

# List role assignments for specific user
az role assignment list --assignee "user@contoso.com"

# List role assignments at resource group scope
az role assignment list --resource-group "MyResourceGroup"

# List role assignments for specific role
az role assignment list --role "Contributor"

# List role assignments for specific resource
az role assignment list --scope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-account}"

# Check access for a specific user
az role assignment list --assignee "user@contoso.com" --all

# Get detailed information about assignments
az role assignment list --assignee "user@contoso.com" --include-inherited --query "[].{Role:roleDefinitionName, Scope:scope, Principal:principalName}"

Access Troubleshooting

Common Access Issues

⚠️ Common Problems:

Insufficient Permissions: User doesn't have required role assignment
Wrong Scope: Role assigned at wrong scope level
Role Conflicts: Multiple roles with conflicting permissions
Inheritance Issues: Permissions not inherited from parent scope
Service Principal Issues: Service principal not properly configured
Conditional Access: Conditional access policies blocking access

Troubleshooting Steps

Systematic Troubleshooting Process:

Verify User Identity: Confirm the user exists and is active
Check Role Assignments: Review all role assignments for the user
Verify Scope: Ensure role is assigned at correct scope
Check Inheritance: Verify permissions are inherited from parent scopes
Review Conditional Access: Check for conditional access policies
Test with Different User: Compare with working user assignments
Check Audit Logs: Review access logs for denied attempts

PowerShell Troubleshooting Script

Comprehensive Access Analysis:

# Function to analyze user access
function Get-UserAccessAnalysis {
    param(
        [string]$UserPrincipalName,
        [string]$ResourceScope
    )
    
    Write-Host "=== Access Analysis for $UserPrincipalName ===" -ForegroundColor Green
    
    # Get user object
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) {
        Write-Host "User not found: $UserPrincipalName" -ForegroundColor Red
        return
    }
    
    # Get all role assignments
    $assignments = Get-AzRoleAssignment -ObjectId $user.Id -IncludeClassicAdministrators
    
    Write-Host "=== Role Assignments ===" -ForegroundColor Yellow
    foreach ($assignment in $assignments) {
        $role = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
        Write-Host "Role: $($role.Name)" -ForegroundColor Cyan
        Write-Host "Scope: $($assignment.Scope)" -ForegroundColor White
        Write-Host "Assignment Type: $($assignment.ObjectType)" -ForegroundColor White
        Write-Host "Actions: $($role.Actions -join ', ')" -ForegroundColor Gray
        Write-Host "---"
    }
    
    # Check effective permissions at specific scope
    if ($ResourceScope) {
        Write-Host "=== Effective Permissions at $ResourceScope ===" -ForegroundColor Yellow
        $effectiveAssignments = $assignments | Where-Object { $_.Scope -like "$ResourceScope*" -or $ResourceScope -like "$($_.Scope)*" }
        
        $allActions = @()
        $allDataActions = @()
        
        foreach ($assignment in $effectiveAssignments) {
            $role = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
            $allActions += $role.Actions
            $allDataActions += $role.DataActions
        }
        
        Write-Host "Effective Actions: $($allActions | Sort-Object -Unique | Join-String -Separator ', ')" -ForegroundColor Green
        Write-Host "Effective Data Actions: $($allDataActions | Sort-Object -Unique | Join-String -Separator ', ')" -ForegroundColor Green
    }
}

# Usage example
Get-UserAccessAnalysis -UserPrincipalName "user@contoso.com" -ResourceScope "/subscriptions/{subscription-id}/resourceGroups/{rg-name}"

Access Assignment Best Practices

Security Best Practices

✅ Security Recommendations:

Principle of Least Privilege: Grant minimum required permissions
Regular Access Reviews: Periodically review and audit access assignments
Use Groups: Assign roles to groups rather than individual users
Service Principals: Use service principals for automated access
Managed Identities: Prefer managed identities over service principals
Conditional Access: Implement conditional access policies
Monitor Access: Use Azure AD access reviews and audit logs

Management Best Practices

Operational Recommendations:

Documentation: Document role assignments and their purposes
Naming Conventions: Use consistent naming for custom roles
Testing: Test role assignments in non-production environments
Automation: Use Infrastructure as Code for role assignments
Monitoring: Set up alerts for unusual access patterns
Backup Access: Ensure backup administrators have necessary access

Advanced RBAC Scenarios

Scenario 1: Multi-Environment Access Management

Situation: Organization has dev, test, and production environments with different access requirements.

Solution: Create environment-specific resource groups, assign different roles per environment, use conditional access for production, and implement approval workflows for production access.

Scenario 2: Service Principal Access for CI/CD

Situation: DevOps team needs automated deployment capabilities without human intervention.

Solution: Create service principals with Contributor role at resource group scope, use managed identities where possible, implement least privilege access, and monitor service principal activities.

Scenario 3: Cross-Tenant Access Management

Situation: Partner organization needs access to specific resources in your tenant.

Solution: Use Azure AD B2B collaboration, assign guest users specific roles, implement conditional access policies, and set up access reviews for external users.

RBAC Monitoring and Reporting

Key Reports for Access Management

Essential Reports:

Role Assignment Reports: Track all role assignments and changes
Access Review Reports: Monitor access review completion and outcomes
Privileged Access Reports: Track privileged role activations
Service Principal Reports: Monitor service principal activities
Guest User Reports: Track external user access
Audit Logs: Monitor all access-related activities

PowerShell Monitoring Scripts

Access Monitoring Commands:

# Get all role assignments with details
Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType | Export-Csv -Path "role-assignments.csv"

# Get users with Owner role
Get-AzRoleAssignment -RoleDefinitionName "Owner" | Where-Object {$_.ObjectType -eq "User"}

# Get service principals with Contributor role
Get-AzRoleAssignment -RoleDefinitionName "Contributor" | Where-Object {$_.ObjectType -eq "ServicePrincipal"}

# Get role assignments by scope
Get-AzRoleAssignment | Group-Object Scope | Select-Object Name, Count

# Get unused role assignments (users not signed in for 90 days)
$cutoffDate = (Get-Date).AddDays(-90)
$inactiveUsers = Get-AzADUser | Where-Object {$_.LastSignInDateTime -lt $cutoffDate}
foreach ($user in $inactiveUsers) {
    Get-AzRoleAssignment -ObjectId $user.Id
}

# Generate access summary report
$report = @()
$assignments = Get-AzRoleAssignment
foreach ($assignment in $assignments) {
    $role = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId
    $report += [PSCustomObject]@{
        Principal = $assignment.DisplayName
        Role = $role.Name
        Scope = $assignment.Scope
        Type = $assignment.ObjectType
        AssignmentType = $assignment.AssignmentType
    }
}
$report | Export-Csv -Path "access-summary.csv"

Exam Preparation Tips

Key Concepts to Remember

Built-in Roles: Owner, Contributor, Reader, User Access Administrator
Service-Specific Roles: Storage, Compute, Network, Database roles
Scope Hierarchy: Management Group → Subscription → Resource Group → Resource
Permission Types: Actions (control plane) vs DataActions (data plane)
Assignment Methods: Portal, PowerShell, Azure CLI, ARM templates
Effective Permissions: Combination of all role assignments
Security Principals: Users, Groups, Service Principals, Managed Identities

Practice Questions

Sample Exam Questions:

What is the difference between the Owner and Contributor built-in roles?
Which scope has the broadest level of access in Azure RBAC?
How do you assign a role to a service principal using PowerShell?
What is the difference between Actions and DataActions in role definitions?
How are effective permissions calculated in Azure RBAC?
Which role would you assign to allow someone to manage virtual machines but not access them?
What is the purpose of the User Access Administrator role?
How do you check what permissions a user has at a specific scope?
What is the difference between a service principal and a managed identity?
Which PowerShell cmdlet is used to create a new role assignment?

AZ-104 Success Tip: Azure RBAC is fundamental to Azure security and governance. Focus on understanding the built-in roles, scope hierarchy, and how effective permissions are calculated. Practice with PowerShell and Azure CLI commands for role assignments, and understand the differences between control plane and data plane permissions. Remember that RBAC is additive (no deny rules) and permissions are inherited from parent scopes.