Azure role-based access control (RBAC) defines who can access Azure resources, what actions they can perform, and where they can perform them. This structure improves governance, security, and operational clarity across your cloud environment.
Apply least privilege to all access assignments
The principle of least privilege ensures users receive only the permissions required to perform their tasks. This approach reduces risk and improves auditability.
Start with built-in roles. Azure RBAC provides built-in roles whose permissions align to common scenarios. Begin with the built-in roles and create custom roles only when clearly needed. Prefer job-function roles, and use the privileged administrator roles (Owner, Contributor, Reader, Role Based Access Control Administrator, and User Access Administrator) only when job-function roles aren't sufficient.
Assign roles with minimal permissions. Each role includes a set of permissions defined in its role definition. Select roles that grant only the permissions necessary for the user’s responsibilities. Avoid over-provisioning access.
Assign roles at the narrowest possible scope. Role scope determines where permissions apply. Assign roles at the scope needed to perform essential tasks.
| Role scope | Description |
|---|---|
| Management group | Role permissions apply to all subscriptions and resources within the management group. |
| Subscription | Role permissions apply to all resource groups and resources within the subscription. |
| Resource group | Role permissions apply to all resources within that resource group. |
| Resource | Role permissions apply only to the specific resource (for example, an Azure AI Foundry instance). |
For detailed steps, see Apply Azure RBAC roles.
Use groups to manage resource access
Instead of assigning roles to individual users, assign them to Microsoft Entra ID groups. This structure improves scalability, auditability, and governance by centralizing role assignments.
Create security groups based on access scope. Define security groups that reflect the scope of access, such as at the resource, resource group, or subscription level. For example, create separate groups for development, testing, and production environments, such as AI-Developer-Dev, AI-Developer-Test, AI-Developer-Prod. This structure enforces least privilege and environment isolation. For steps to create a security group, see Manage Microsoft Entra ID groups.
Assign roles to groups at the lowest necessary scope. Apply the principle of least privilege when assigning roles to groups. Avoid assigning roles at higher scopes unless required. This approach reduces risk and simplifies audits.
Refine group structure as your environment evolves. Adjust group definitions to reflect changes in workloads, teams, or responsibilities. This refinement ensures continued clarity and control over access. For example:
| Business role | Business need | Group name | Azure RBAC role | Scope of permissions |
|---|---|---|---|---|
| Subscription owners | Manage access control, governance, and billing across the subscription | Subscription-Owners | Owner | Subscription level |
| AI developers | Build and deploy models in Azure AI Foundry | AI-Foundry-Dev | Contributor | Resource group level |
| Finance | Review billing, usage, and cost reports | Finance-Readers | Reader | Subscription level |

Limit Owner role assignments. The Owner role grants full access to manage all resources and assign roles in Azure RBAC. Limit this role to three or fewer users per subscription. Review and adjust the default Owner assignment for subscription creators as needed.
Review access regularly
Access reviews ensure that permissions remain appropriate as users change roles or projects end.
Schedule monthly or quarterly access reviews. Review both Microsoft Entra ID roles and Azure RBAC assignments. Remove unnecessary roles promptly to maintain security.
Use automated tools to streamline reviews. Use tools like Access Review (Microsoft Entra ID Premium P2) or export role assignments for manual checks. Treat access governance as ongoing maintenance.
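The following script is an added example, not part of this article or of any Microsoft tool. It shows what a manual review of an exported role-assignment list can check for: the scope levels from the role-scope table, the guidance to assign roles to groups rather than users, the limit of three Owner assignments per subscription, and privileged administrator roles granted at management-group or root scope. The input shape assumed is the JSON that `az role assignment list --all --output json` produces (the `principalName`, `principalType`, `roleDefinitionName`, and `scope` fields); the subscription ID, group names, and user names in the sample data are constructed for the example.

```python
"""Audit exported Azure role assignments against the guidance on this page.

Added example. Input records are assumed to look like the output of
`az role assignment list --all --output json`; only four fields are used.
"""
import json
import re
import sys
from collections import Counter

# Roles the page calls "privileged administrator roles".
PRIVILEGED_ADMIN_ROLES = {
    "Owner",
    "Contributor",
    "Reader",
    "Role Based Access Control Administrator",
    "User Access Administrator",
}
OWNER_LIMIT_PER_SUBSCRIPTION = 3  # "three or fewer users per subscription"

_SUB_RE = re.compile(r"^/subscriptions/([^/]+)$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)
_RES_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/", re.IGNORECASE)
_MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def scope_level(scope: str) -> str:
    """Map a scope string to the level names used in the role-scope table."""
    if scope == "/":
        return "root"
    if scope.lower().startswith(_MG_PREFIX):
        return "management group"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resource group"
    if _RES_RE.match(scope):
        return "resource"
    return "unknown"


def subscription_of(scope: str):
    """Return the subscription ID a scope lives under, or None for tenant-level scopes."""
    m = re.match(r"^/subscriptions/([^/]+)", scope, re.IGNORECASE)
    return m.group(1) if m else None


def audit_role_assignments(assignments):
    """Return a list of (code, principal, role, scope) findings for review."""
    findings = []
    owner_counts = Counter()
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        who = a.get("principalName") or a.get("principalId", "?")
        level = scope_level(scope)
        # Roles should be assigned to groups, not to individual users.
        if a.get("principalType") == "User":
            findings.append(("DIRECT_USER", who, role, scope))
        # Privileged administrator roles at management-group or root scope
        # reach every subscription below them; confirm a narrower scope won't do.
        if role in PRIVILEGED_ADMIN_ROLES and level in ("root", "management group"):
            findings.append(("BROAD_PRIVILEGED_ROLE", who, role, scope))
        if role == "Owner" and level == "subscription":
            owner_counts[subscription_of(scope)] += 1
    for sub, n in owner_counts.items():
        if n > OWNER_LIMIT_PER_SUBSCRIPTION:
            findings.append(("OWNER_LIMIT_EXCEEDED", f"{n} Owner assignments",
                             "Owner", f"/subscriptions/{sub}"))
    return findings


# Constructed sample export (placeholder subscription ID and names).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "Subscription-Owners", "principalType": "Group", "roleDefinitionName": "Owner", "scope": _SUB},
    {"principalName": "AI-Foundry-Dev", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": _SUB + "/resourceGroups/rg-ai-dev"},
    {"principalName": "Finance-Readers", "principalType": "Group", "roleDefinitionName": "Reader", "scope": _SUB},
    {"principalName": "alice@example.test", "principalType": "User", "roleDefinitionName": "Owner", "scope": _SUB},
    {"principalName": "bob@example.test", "principalType": "User", "roleDefinitionName": "Owner", "scope": _SUB},
    {"principalName": "carol@example.test", "principalType": "User", "roleDefinitionName": "Owner", "scope": _SUB},
    {"principalName": "Platform-Admins", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": _SUB + "/resourceGroups/rg-ai-dev/providers/Microsoft.CognitiveServices/accounts/foundry-dev"},
]


if __name__ == "__main__":
    # Pass a real export as the first argument; otherwise the sample is audited.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    for code, who, role, scope in audit_role_assignments(data):
        print(f"{code:24} {role:14} {who:22} {scope}")
```

Run it against a real export with `az role assignment list --all --output json > assignments.json` followed by `python audit.py assignments.json`. The findings are review prompts, not verdicts: a Reader assignment at subscription scope, for instance, is deliberately not flagged because the article's own group table shows it as a reasonable choice for a finance team.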