Role-Based Access Control
Short Course
Built-in Azure roles
Azure provides over 100 built-in roles for role-based access control (RBAC), such as Owner, Contributor, Reader, and User Access Administrator. These roles are pre-defined to cater to common scenarios like managing resources or viewing configurations.
Built-in roles consist of permissions defined using Actions (allowed actions), NotActions (denied actions), and DataActions (permissions for managing data). For example, the Contributor role allows all actions except for managing role assignments.
While built-in roles can often meet general needs, you can also create custom roles if more specific permissions are required.
Role Definitions
A role definition in Azure RBAC is a set of permissions that determines what actions a user, group, or service can perform on Azure resources. It defines what can and cannot be done and is used in role assignments to grant access at different scopes, such as a subscription, resource group, or individual resource.
Role definitions consist of four main components. Actions specify which operations are allowed, while NotActions exclude specific operations even when they would otherwise fall under the allowed Actions. DataActions govern permissions on data, such as reading or modifying storage blobs. AssignableScopes determine where the role can be assigned, such as specific subscriptions or resource groups.

Assign roles at different scopes
Scope defines where a role assignment applies and can be at various levels:
Management Groups: Encompasses multiple subscriptions.
Subscriptions: Covers all resources within a subscription.
Resource Groups: Targets resources within a specific group.
Resources: Applies to a single resource.
Permissions granted at a parent scope (e.g., a subscription) are inherited by child scopes (e.g., resource groups or individual resources). For example, assigning the Contributor role at the subscription level allows actions across all resources within the subscription.
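As an added illustration (not part of the course material), the following Python model applies the Actions, NotActions and AssignableScopes semantics of a role definition together with scope inheritance; the subscription id, the custom role and the abbreviated Contributor NotActions list are constructed for the example. It also makes visible a caveat worth remembering: NotActions subtract from the same role's Actions and are not a deny rule, so a second assignment that grants the operation still allows it.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed sample scopes (placeholder subscription id, not a real one).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

@dataclass
class RoleDefinition:
    name: str
    actions: list[str]                                     # allowed operations, '*' wildcards
    not_actions: list[str] = field(default_factory=list)   # subtracted from actions
    assignable_scopes: list[str] = field(default_factory=lambda: ["/"])

@dataclass
class RoleAssignment:
    role: RoleDefinition
    scope: str                                             # scope the role is assigned at

def _matches(patterns, operation):
    # Permission strings compare case-insensitively; fnmatch approximates Azure's '*'.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role, operation):
    # Within one role definition, NotActions subtract from Actions.
    return _matches(role.actions, operation) and not _matches(role.not_actions, operation)

def scope_covers(parent, child):
    # Assignments inherit downward: a scope covers itself and every child scope.
    norm = lambda s: s.lower().rstrip("/") + "/"
    return norm(child).startswith(norm(parent))

def can_assign(role, scope):
    # A role definition may only be assigned at or below one of its AssignableScopes.
    return any(scope_covers(s, scope) for s in role.assignable_scopes)

def is_allowed(assignments, resource, operation):
    # Effective access is the union over assignments covering the resource; a NotAction
    # in one role does not block the same operation granted by another assignment.
    return any(scope_covers(a.scope, resource) and role_permits(a.role, operation)
               for a in assignments)

# Simplified Contributor (the real NotActions list is longer) and a constructed custom role.
CONTRIBUTOR = RoleDefinition("Contributor", ["*"],
    not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"])
RBAC_WRITER = RoleDefinition("RBAC Writer (custom)",
    ["Microsoft.Authorization/roleAssignments/write"], assignable_scopes=[RG])

def demo():
    assigned = [RoleAssignment(CONTRIBUTOR, SUB)]          # Contributor at the subscription
    vm_write = is_allowed(assigned, VM, "Microsoft.Compute/virtualMachines/write")
    rbac_write = is_allowed(assigned, VM, "Microsoft.Authorization/roleAssignments/write")
    assigned.append(RoleAssignment(RBAC_WRITER, RG))       # second role at the resource group
    rbac_after = is_allowed(assigned, VM, "Microsoft.Authorization/roleAssignments/write")
    return vm_write, rbac_write, rbac_after, can_assign(RBAC_WRITER, SUB)
```

demo() returns (True, False, True, False): the VM write is inherited from the subscription assignment, the Contributor NotAction excludes role-assignment writes until the custom role is also assigned, and the custom role cannot be assigned at the subscription because it lies outside its AssignableScopes.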
External Users
Guest accounts in Microsoft Entra ID are external users granted limited access to an organization's resources. They can be categorized into invited guests and B2B collaboration accounts, which differ in how they are managed and used.
[Figure: guest account in Microsoft Entra ID; labels: User Account, Entra ID, Guest Account]
Guest Users
Invited guests are individuals manually added to the organization. They receive a personalized email or link to redeem their access and typically use their existing credentials, such as a work, school, or personal Microsoft account. These accounts are suitable for short-term or project-specific collaborations with limited access to resources.
[Figure: invited guest flow; labels: User Account, Entra ID, External Identity Provider, Guest User, Email invite]
B2B Collaboration
[Figure: B2B collaboration between two Entra ID tenants; labels: Entra ID, User Account, Guest User]
Hybrid Identity
A hybrid identity bridges on-premises and cloud environments. User accounts are created in an on-premises directory, such as Active Directory Domain Services (AD DS), and synchronized to Microsoft Entra ID using Microsoft Entra Connect. This allows users to access both on-premises and cloud resources with a single set of credentials. Hybrid identity is commonly used by organizations transitioning to the cloud or those that need to maintain both environments for operational or regulatory reasons.