Introduction
Azure roles define who can do what in your cloud environment. Early Azure used three classic subscription administrator roles (Account Administrator, Service Administrator, and Co-Administrator) to control access. Today, most access is managed with Azure role-based access control (Azure RBAC), a newer system that offers fine-grained permissions, built-in roles, custom roles, and assignments at different scopes such as subscription, resource group, or individual resources. For identity tasks like managing users, groups, and domains, you use Microsoft Entra ID admin roles (formerly Azure AD admin roles).
To master roles in Azure and manage them effectively, consider pursuing the AZ-900 and AZ-104 combo training. These courses provide a solid foundation in Azure fundamentals and delve deeper into administration, respectively.
“In this blog, you will learn various roles in Azure, such as Azure classic administrator roles, Azure role-based access control (RBAC), and Microsoft Entra ID admin roles (formerly Azure AD admin roles).”
Let us first understand what Azure roles really are.
What are Roles in Azure?
Roles in Azure are sets of permissions that define which actions a user, a group, or a service may perform on a certain resource or set of resources. Roles are central to access control because they let you grant users only the specific rights they need to perform certain operations, which keeps potential threats to a minimum. Azure offers a wide range of built-in roles that can be granted to users, groups, or even Azure services almost with one click.
Azure roles can be grouped into three types:
- Azure Classic Administrator Roles (legacy)
- Azure RBAC Roles
- Azure AD Admin Roles (now called Microsoft Entra ID admin roles)
The following diagram shows how classic subscription administrator roles, Azure RBAC roles, and Microsoft Entra ID (Azure AD) administrator roles are related.

Note: Classic administrator roles are older and are not recommended for new setups. Most access management today uses Azure RBAC with Microsoft Entra ID identities.
Different Azure Roles
Below, we have discussed different Azure roles with a detailed explanation for better understanding.
Azure Classic Administrator Roles
When Azure first came out, it included many IT management tools, and with them came a set of classic administrator roles. These roles were basic, and the emphasis was on giving only administrator-level access. There are three classic administrator roles:
- Service Administrator
- Co-Administrator
- Account Administrator
Below, we have explained all these roles in the form of a table based on different factors.
| Azure Classic Administrator Roles | Limit | Permission | Description |
|---|---|---|---|
| Service Administrator | 1 per subscription | The Service Administrator is a legacy subscription-level admin role. It mainly manages services inside a subscription. | The Service Administrator is the highest-level administrator in Azure and has full control over all Azure resources. |
| Co-Administrator | 200 per subscription | Manage all Azure resources, except creating new subscriptions | Co-Administrator is a legacy role used in the classic model. Today, Microsoft recommends using Azure RBAC roles like Owner, Contributor, and Reader instead. |
| Account Administrator | 1 per Azure account | Manage Azure account settings, including billing and subscription management | The Account Administrator manages the Azure account settings, including billing and subscription management, but has limited control over Azure resources. |
Azure RBAC Roles
Azure RBAC is an authorization model built on Azure Resource Manager (ARM) that provides finer control over access to Azure resources, including compute and storage. Azure RBAC includes over 100 built-in roles, and Microsoft regularly adds new roles. There are four fundamental RBAC roles, and the first three apply to all resource types. These are:
- Owner
- Contributor
- Reader
- User Access Administrator
Below, we have explained all these RBAC roles in a tabular form based on different factors.
| Azure RBAC Role | Permissions | Description |
|---|---|---|
| Owner | Manage all resources, including access; delegate access to others | The Owner role grants full control over a resource, including the ability to manage access and assign roles to others. |
| Contributor | Manage most resources, but not access | The Contributor role allows users to create and manage resources, but they cannot manage access or assign roles. |
| Reader | Read-only access to resources | The Reader role provides read-only access to resources, preventing users from making any changes. |
| User Access Administrator | Manage user access to resources | The User Access Administrator role enables users to manage access to resources for other users, but they cannot manage resources themselves. |
The remaining built-in roles enable the management of certain Azure resources. For example, the Virtual Machine Contributor role enables users to build and administer virtual machines.
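The difference between the four fundamental roles comes down to which operations their definitions allow. The following added example (not code from the original article) evaluates that with simplified role definitions modelled on the documented built-in roles; the definitions are abridged and the helper names `role_allows` and `capability_matrix` are illustrative assumptions.

```python
from fnmatch import fnmatchcase

# Abridged definitions modelled on the documented built-in roles; the real
# Contributor role lists additional NotActions.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}


def _matches(patterns, operation):
    # Operation strings are compared case-insensitively; "*" is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role_name, operation):
    """Effective control-plane permission = Actions minus NotActions."""
    role = ROLES[role_name]
    return _matches(role["actions"], operation) and not _matches(
        role["not_actions"], operation
    )


# Operations that separate the four roles from one another.
VM_READ = "Microsoft.Compute/virtualMachines/read"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
GRANT_ACCESS = "Microsoft.Authorization/roleAssignments/write"


def capability_matrix():
    ops = (VM_READ, VM_WRITE, GRANT_ACCESS)
    return {name: tuple(role_allows(name, op) for op in ops) for name in ROLES}


if __name__ == "__main__":
    for name, row in capability_matrix().items():
        print(f"{name:28} read={row[0]} write={row[1]} grant={row[2]}")
```

NotActions subtracts operations within a single role definition; it is not a deny rule, so a second role assignment can still grant an operation that one role excludes.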
Microsoft Entra ID Admin Roles (formerly Azure AD Administrator Roles)
The Microsoft Entra ID (formerly Azure AD) administrator roles are used to manage Microsoft Entra ID resources: creating or modifying users, assigning administrative roles to other people, resetting user passwords, managing user licenses, and managing domains. Some of the most significant Microsoft Entra ID administrator roles are:
- Global Administrator
- User Administrator
- Billing Administrator
Note: The table below lists a few common Microsoft Entra ID admin roles. Microsoft Entra ID includes many more built-in roles, and the list may change over time.
| Microsoft Entra ID (formerly Azure AD) | Permissions | Description |
|---|---|---|
| Global Administrator | Manage all aspects of Microsoft Entra ID, including users, groups, and policies | Highest-level administrator role, with complete control over Microsoft Entra ID configuration and management |
| User Administrator | Manage user accounts, including creation, deletion, and modification | Responsible for day-to-day user management, including password resets and user profile updates |
| Billing Administrator | Manage billing and subscription information, including payment methods and billing contacts | Focuses on financial management, ensuring accurate billing and subscription information |
Best Practices for Roles in Azure
Some of the best practices for roles in Azure are:
- Use built-in roles whenever possible: Built-in roles are preferred over custom roles because they are better suited to addressing situations as they occur.
- Use custom roles when necessary: Custom roles allow more freedom and should be used to satisfy the particular requirements that your company has.
- Define assignable scopes carefully: Assignable scopes must be drawn clearly so that access to resources and services stays controlled.
- Use role assignments to manage access: Role assignments should be the tool for granting access to organizational resources and services, rather than relying on Azure Active Directory (AAD) group membership.
- Monitor and audit role assignments: Role assignments should be reviewed often and audited to make sure that access to the resources and services involved is properly controlled.
These are some of the best practices for Roles in Azure.
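One way to put the "monitor and audit role assignments" practice to work, as an added example that is not part of the original article: the script below classifies each assignment by scope level and flags roles that can delegate access when they are assigned above resource-group level. The input is a constructed sample in the shape of `az role assignment list --all -o json` output; the subscription ID, principals and resource names are made up.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`
# (subscription ID, principals and resource names are made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/shop"},
])

# Roles that can grant access to others, per the RBAC role table.
CAN_DELEGATE = {"Owner", "User Access Administrator"}
NARROW = {"resource group", "resource"}


def scope_level(scope):
    """Map a scope string to one of the four levels of the scope hierarchy."""
    parts = [p for p in scope.lower().split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management group"
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resource group"
        if len(parts) > 4:
            return "resource"
    return "unknown"  # e.g. root scope "/"; treated as broad by audit()


def audit(assignments_json):
    """Return (principal, role, level) for delegating roles at broad scope."""
    findings = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in CAN_DELEGATE and level not in NARROW:
            findings.append((a["principalName"], a["roleDefinitionName"], level))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("REVIEW:", *finding)
```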
Frequently Asked Questions
Q1 – What are the three roles in Azure?
Azure roles are categorized into three main types:
- Azure Classic Administrator Roles
- Azure RBAC Roles
- Microsoft Entra ID Administrator Roles
Q2 – How many roles are in Azure?
There are over 120 built-in roles in Azure specifying different authorization levels for the users.
Q3 – What is the role hierarchy in Azure?
The role hierarchy in Azure can be specified by the users at four levels:
- Management Group
- Subscription
- Resource Group
- Resource
Q4 – Where are Azure roles?
Azure roles are a collection of permissions that specify which activities are authorized to a person, group, or service for a certain resource or set of resources.
Conclusion
Roles in Azure are an integral part of the Role-Based Access Control system in Azure, which provides granular access to the resources and services within that cloud environment. It is important to understand how roles are implemented in Azure so that you can design roles well and increase the security and usability of your Azure infrastructure. In this blog, we discussed the different types of Azure roles along with the fundamental roles in each. We also explained the best practices for roles in Azure.
If you have any questions or suggestions, feel free to use the comment section below.







