Identity & RBAC
Manage identities in Entra ID and grant least-privilege access with Azure RBAC.
Identity in Azure lives in Microsoft Entra ID (formerly Azure AD): users, groups, and service principals / managed identities for apps. Access to Azure resources is granted with RBAC, built from three parts:
- Security principal — who (user, group, service principal, managed identity)
- Role definition — what actions are allowed (Reader, Contributor, Owner, or custom)
- Scope — where it applies (management group → subscription → resource group → resource)
Assignments inherit downward, so granting Contributor at a resource group cascades to everything inside it. Least privilege means scoping narrowly and preferring built-in roles like Reader over Owner.
# Assign Reader on a resource group to a user
az role assignment create \
--assignee alex@contoso.com \
--role "Reader" \
--scope /subscriptions/<sub-id>/resourceGroups/rg-prod
# Give an app (managed identity) access to a Key Vault
az role assignment create \
--assignee <managed-identity-object-id> \
--role "Key Vault Secrets User" \
--scope <key-vault-resource-id>- Identify the three components of an RBAC assignment in a real scenario.
- Decide the least-privileged built-in role for “can read all resources, change none”.
- Explain how an assignment at a subscription scope affects child resource groups.
- Describe when to use a managed identity instead of a service principal secret.
Cheat Sheet▾
| Concept | Detail |
|---|---|
| Identity store | Microsoft Entra ID |
| Principal types | User, group, SP, managed identity |
| Common roles | Reader, Contributor, Owner |
| Assignment = | principal + role + scope |
| Scope levels | Mgmt group → Sub → RG → Resource |
| Inheritance | Cascades downward |
| Least privilege | Narrow scope, minimal role |
Common Interview Questions▾
What are the three parts of an Azure RBAC assignment?
A security principal (who), a role definition (what actions), and a scope (where). Together they grant specific permissions, inheriting to child scopes.
What's the difference between Contributor and Owner?
Both can manage resources, but only Owner can also assign roles to others. Contributor cannot grant access, which limits privilege escalation.
What is a managed identity?
An Entra ID identity automatically managed for an Azure resource, so it can authenticate to services like Key Vault without any stored credentials.