Azure RBAC & Entra Roles: Control Access
Azure's Role-Based Access Control (RBAC) lets you assign precise permissions to users, groups, and applications across your cloud. When paired with Microsoft Entra roles, you gain end-to-end control from the directory to the resource layer.
What is Azure RBAC?
RBAC governs access to Azure resources by assigning roles at specific scopes. A role is a collection of permissions, and scopes include:
- Management group
- Subscription
- Resource group
- Individual resource
Types of Azure roles
- Built-in roles - predefined roles like Owner, Contributor, Reader, and User Access Administrator.
- Custom roles - define your own permissions in JSON and assign them at specific scopes.
Common built-in roles
- Owner - Full control of resources plus access control (can manage role assignments).
- Contributor - Create and manage all resources, but cannot manage access.
- Reader - View everything, make no changes.
- User Access Administrator - Manage RBAC assignments only.
What is Microsoft Entra role-based access?
Entra roles control access to Microsoft 365, Entra ID (formerly Azure AD), and identity-related features. They operate at the directory (tenant) level, above the resource hierarchy that Azure RBAC governs.
Common Entra roles
- Global Administrator - Full directory and service control.
- Cloud Application Administrator - Manage app registrations and enterprise apps.
- User Administrator - Create, update, and delete users and groups.
- Privileged Role Administrator - Manage Entra role assignments.
RBAC vs Entra: Who does what?
Azure RBAC: Controls access to Azure resources like VMs, storage, networking.
Entra Roles: Controls access to identity services and directory management.
Best practices
- Follow least privilege: Only grant what’s needed for the task.
- Use groups: Assign roles to Entra groups, not individuals.
- Scope tightly: Prefer resource-group or individual-resource assignments over subscription-wide ones.
- Review regularly: Audit role assignments quarterly.
- Use PIM: Privileged Identity Management for time-bound elevation.
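To make the "use groups", "scope tightly", and "review regularly" practices checkable, here is an added example (not from the original post) that reviews an exported list of role assignments. It assumes the field names returned by `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the assignments below are constructed sample data, not real identities.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields this check reads; subscription ID and names are made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.loads(json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sre-team", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"},
]))

# Built-in roles that can change resources or access control; these deserve tight scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an ARM scope string from broadest to narrowest."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", scope, re.IGNORECASE):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", scope, re.IGNORECASE):
        return "resourceGroup"
    return "resource"


def review_assignments(assignments):
    """Return (principal, role, scope, reason) tuples for assignments that break the practices above."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if a["principalType"] == "User":  # roles should go to Entra groups, not individuals
            findings.append((a["principalName"], role, a["scope"], "assigned directly to a user"))
        if role in PRIVILEGED_ROLES and level in ("managementGroup", "subscription"):
            findings.append((a["principalName"], role, a["scope"], f"privileged role at {level} scope"))
    return findings


if __name__ == "__main__":
    for principal, role, scope, reason in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {role} at {scope} -> {reason}")
```

Pipe real output into `review_assignments` to produce the quarterly audit list; anything flagged is a candidate for moving to a group, scoping down, or replacing with a PIM-eligible assignment.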
Terraform snippet (RBAC example)
```hcl
# Grants the SRE team's Entra group read-only access to a single resource group.
# Assumes azurerm_resource_group.example and azuread_group.sre_team are declared elsewhere.
resource "azurerm_role_assignment" "example" {
  scope                = azurerm_resource_group.example.id   # resource-group scope, not the whole subscription
  role_definition_name = "Reader"                            # built-in role; least privilege for viewing
  principal_id         = azuread_group.sre_team.object_id    # the group's object ID (assign to groups, not users)
  principal_type       = "Group"                             # avoids replication-delay failures on newly created principals
}
```
Final thoughts
Access control isn’t just a security checkbox. It’s how you protect your budget, uptime, and compliance. Use Azure RBAC and Entra roles in tandem to create a secure, auditable, and scalable access model for your cloud estate.