Role

Last Updated: 11th March 2025

Understanding Roles in Azure: Default and Custom Roles in Entra ID, Management Groups, Subscriptions, Resource Groups, and Resources

Technical Overview

Roles in Azure are the cornerstone of access management: they control who can perform which actions on which resources. Whether you're managing a sprawling enterprise environment or a small deployment, roles are how the principle of least privilege is enforced, reducing the risk of accidental or malicious changes. Two distinct role systems are involved. Entra ID (formerly Azure AD) roles govern the directory: users, groups, applications and tenant-wide security settings. Azure Role-Based Access Control (RBAC) governs resources, and its assignments are made at one of four nested scopes: Management Group, Subscription, Resource Group, or individual resource, with an assignment at a higher scope inherited by everything beneath it. The two systems are administered separately, but they are not isolated: a Global Administrator can elevate their access to the root of the Azure RBAC hierarchy, so control of the directory can become control of every subscription. Both systems also allow custom roles for needs the built-in roles do not cover.

Default Roles in Azure

Azure comes with a set of built-in roles designed to cover common access scenarios. These roles are predefined and cannot be modified, but they can be assigned to users, groups, service principals, or managed identities to grant specific permissions. Let's break down the default roles across the different scopes:

1. Entra ID Roles

Entra ID roles focus on identity and directory-related tasks. They are critical for organisations that rely on Azure for identity management, and several of them are privilege-escalation paths into Azure resources. Some key default roles include:

  • Global Administrator: The most powerful role in Entra ID, granting full access to all administrative features. A Global Administrator can also enable "Access management for Azure resources", which grants them User Access Administrator at the root scope of the Azure RBAC hierarchy and therefore the ability to assign themselves any role in any subscription of the tenant. The role should be held by very few accounts and treated as the most sensitive credential in the tenant.
  • User Administrator: Responsible for managing user accounts, including creating, updating, and deleting users, and resetting passwords for non-administrator users.
  • Application Administrator: Grants permissions to manage application registrations and enterprise applications, including adding credentials (secrets or certificates) to them. Whoever can add a credential can sign in as that application's service principal, so this role effectively inherits any Azure RBAC roles those service principals hold.
  • Security Administrator: Focused on managing security-related features, such as Conditional Access policies, Identity Protection settings, and security reports.

2. Management Group Roles

Management Groups are containers above subscriptions that let organisations apply access, policies, and compliance across many subscriptions at once. Role assignments made here are Azure RBAC assignments and are inherited by every subscription, resource group, and resource below them, so an Owner on the tenant root management group is effectively Owner of everything. The roles commonly assigned at this level are the same built-in roles used throughout Azure RBAC:

  • Owner: Grants full access to all resources within the Management Group, including the ability to assign roles to others.
  • Contributor: Allows for the creation and management of resources but does not grant permission to assign roles; the role's definition excludes the Microsoft.Authorization write and delete operations.
  • Reader: Provides read-only access to resources, enabling users to view configurations without making changes.
  • User Access Administrator: The inverse of Contributor; it can manage role assignments but not the resources themselves, and is the role a Global Administrator receives at the root scope when elevating access.

3. Subscription Roles

Subscriptions are a billing and access boundary for Azure resources, and assignments made here are inherited by every resource group and resource they contain. Default roles at this level include:

  • Owner: Full control over all resources within the subscription, including role assignment.
  • Contributor: Permissions to manage resources but not to assign roles.
  • Reader: Read-only access to all resources within the subscription.
  • Billing Reader: Read access to billing data such as invoices and usage, without access to the resources themselves.

4. Resource Group Roles

Resource Groups are logical containers for Azure resources. The default roles here mirror those at the subscription level but are scoped to the specific Resource Group:

  • Owner: Full control over resources within the Resource Group.
  • Contributor: Manage resources within the Resource Group but cannot assign roles.
  • Reader: View-only access to resources within the Resource Group.

5. Resource Roles

At the individual resource level, the same default roles (Owner, Contributor, and Reader) apply, alongside the many resource-specific built-in roles such as Virtual Machine Contributor, Storage Blob Data Reader, or Key Vault Secrets User. This is the most granular scope and the one where per-service roles are most useful: a principal can be given exactly the operations it needs on exactly one resource, and nothing at the enclosing resource group or subscription.
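Scope inheritance and the Actions/NotActions arithmetic behind the roles above are easier to see in code than to describe. The following Python model is an added example, not code from this page or from Microsoft: it reproduces the documented evaluation order (deny assignments first, then any role assignment at the target scope or an ancestor scope) over a constructed hierarchy of one management-group chain, one subscription, one resource group and one VM. The role definitions are abridged from the published built-in roles; principal names, IDs and assignments are invented, and expansion of group membership is left out.

```python
"""Offline model of Azure RBAC evaluation (added example, not Microsoft code).

Mirrors the documented order: deny assignments are checked first, then any
role assignment at the target scope or an ancestor scope can grant the action.
NotActions only subtracts from the role that lists it; it never denies an
action granted by a second assignment. All IDs and names are constructed.
"""
import re

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/app-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# Azure scope strings do not encode the management-group tree, so the
# evaluator needs it explicitly (constructed hierarchy).
MG_PARENT = {MG + "prod": MG + "root"}
MG_OF_SUBSCRIPTION = {SUB: MG + "prod"}

# Abridged built-in definitions (Actions/NotActions as published, trimmed).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": []},
    # The custom role defined later on this page.
    "Custom VM Operator": {"Actions": [
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/restart/action"], "NotActions": []},
}


def matches(pattern, action):
    """Azure action matching: '*' spans any characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """Effective permissions of ONE role: Actions minus its own NotActions."""
    return (any(matches(p, action) for p in role["Actions"])
            and not any(matches(p, action) for p in role["NotActions"]))


def parent_scope(scope):
    """Enclosing scope, or None for the tenant root '/'."""
    if scope == "/":
        return None
    if scope in MG_PARENT:
        return MG_PARENT[scope]
    if scope.startswith(MG):
        return "/"                          # top-level management group
    if scope in MG_OF_SUBSCRIPTION:
        return MG_OF_SUBSCRIPTION[scope]
    parts = scope.strip("/").split("/")
    if len(parts) == 2:                     # subscription with no management group
        return "/"
    if len(parts) == 4:                     # resourceGroups/<name> -> subscription
        return "/" + "/".join(parts[:2])
    if len(parts) > 8:                      # child resource -> parent resource
        return "/" + "/".join(parts[:-2])
    return "/" + "/".join(parts[:4])        # top-level resource -> resource group


def ancestors(scope):
    """The scope itself plus every enclosing scope up to '/'."""
    while scope is not None:
        yield scope
        scope = parent_scope(scope)


def check_access(principal, action, scope, assignments, deny_assignments=()):
    """Return (allowed, reason) for one principal/action/scope triple."""
    chain = set(ancestors(scope))
    # Deny assignments (created by Blueprints / deployment stacks) win outright.
    for deny in deny_assignments:
        if (principal in deny["principals"] and deny["scope"] in chain
                and role_allows(deny, action)):
            return False, f"blocked by deny assignment at {deny['scope']}"
    # Any one assignment at the scope or an ancestor is enough to allow.
    for a in assignments:
        if (a["principal"] == principal and a["scope"] in chain
                and role_allows(ROLES[a["role"]], action)):
            return True, f"granted by {a['role']} assigned at {a['scope']}"
    return False, "no role assignment grants this action at this scope"


ASSIGNMENTS = [  # constructed
    {"principal": "bob", "role": "Reader", "scope": MG + "prod"},
    {"principal": "bob", "role": "Custom VM Operator", "scope": RG},
    {"principal": "carol", "role": "Contributor", "scope": SUB},
    {"principal": "dave", "role": "Contributor", "scope": SUB},
    {"principal": "dave", "role": "User Access Administrator", "scope": SUB},
    {"principal": "erin", "role": "Owner", "scope": SUB},
]
DENIES = [{"principals": ["erin"], "scope": RG, "Actions": ["*"], "NotActions": ["*/read"]}]

START = "Microsoft.Compute/virtualMachines/start/action"
READ_VM = "Microsoft.Compute/virtualMachines/read"
DELETE_VM = "Microsoft.Compute/virtualMachines/delete"
WRITE_RA = "Microsoft.Authorization/roleAssignments/write"


def demo():
    return {
        "bob_start": check_access("bob", START, VM, ASSIGNMENTS, DENIES),      # RG assignment
        "bob_read": check_access("bob", READ_VM, VM, ASSIGNMENTS, DENIES),     # inherited from MG
        "bob_delete": check_access("bob", DELETE_VM, VM, ASSIGNMENTS, DENIES),
        "carol_assign": check_access("carol", WRITE_RA, RG, ASSIGNMENTS, DENIES),  # NotActions
        "dave_assign": check_access("dave", WRITE_RA, RG, ASSIGNMENTS, DENIES),    # second role wins
        "erin_delete": check_access("erin", DELETE_VM, VM, ASSIGNMENTS, DENIES),   # deny beats Owner
        "erin_read": check_access("erin", READ_VM, VM, ASSIGNMENTS, DENIES),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:13} {'ALLOW' if allowed else 'DENY':5} {why}")
```

The two cases worth dwelling on are carol and dave: both are Contributors on the subscription, and Contributor's NotActions stops carol writing role assignments, but the same NotActions does nothing for dave once a second assignment (User Access Administrator) grants the operation. Erin shows the opposite: a deny assignment blocks an Owner, which no role definition can.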

Custom Roles in Azure

While default roles cover a wide range of scenarios, they may not always align perfectly with an organisation's specific requirements. This is where custom roles come into play. Custom roles allow administrators to define a set of permissions tailored to their needs. The custom roles discussed here are Azure RBAC custom roles; Entra ID also supports custom directory roles, but with a different permission schema. Azure RBAC custom roles can be created in the Azure portal, with Azure Resource Manager (ARM) templates or Bicep, with Azure PowerShell, with the Azure CLI, or through the REST API.

Key Features of Custom Roles

  • Granular Permissions: Define precise operations the role can perform, such as read-only access to one resource type or the ability to start and restart virtual machines, using the same operation strings (for example Microsoft.Compute/virtualMachines/restart/action) that the built-in roles use.
  • Scope Flexibility: Assign custom roles at the Management Group, Subscription, Resource Group, or Resource level, provided the assignment scope lies within the role's AssignableScopes.
  • JSON Definition: Custom roles are defined in JSON with the properties Actions, NotActions, DataActions, NotDataActions, and AssignableScopes. Actions and NotActions cover control-plane operations (creating, configuring, and deleting resources through Azure Resource Manager); DataActions and NotDataActions cover data-plane operations such as reading a blob or a secret. NotActions and NotDataActions subtract from the same role's Actions and DataActions; they are not denies, so an operation excluded in one role is still available if another assignment grants it. Wildcards (*) are allowed in the action lists.

Creating a Custom Role

To create a custom role, define its permissions in a JSON file. Here's an example in the format Azure PowerShell expects (the "IsCustom": true property marks it as a custom definition):

  {
    "Name": "Custom VM Operator",
    "IsCustom": true,
    "Description": "Can start, stop, and restart virtual machines.",
    "Actions": [
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/restart/action"
    ],
    "NotActions": [],
    "AssignableScopes": [
      "/subscriptions/{subscriptionId}"
    ]
  }

Once the JSON file is ready, and {subscriptionId} has been replaced with a real subscription ID, create the definition with Azure PowerShell (Az.Resources module) or the Azure CLI. For example, in PowerShell:

New-AzRoleDefinition -InputFile "CustomRole.json"

Two caveats apply. Creating the definition grants nobody anything; a separate role assignment (New-AzRoleAssignment) at a scope inside AssignableScopes is still required. And the role above contains no read operation, so assignees can act only on virtual machines whose resource IDs they already know and will not see them listed in the portal; add Microsoft.Compute/virtualMachines/read (and the resource group read operation) if that matters for the intended users.
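Before running New-AzRoleDefinition it is worth checking a definition for the mistakes that are hard to notice in the portal. The Python checker below is an added example, not Microsoft tooling and not the page's own code. It reads the PowerShell-format JSON shown above, with a constructed subscription ID in place of {subscriptionId}, and flags unsubstituted placeholders, assignable scopes that are not a management group, subscription or resource group (the example's own restriction), operations that make the role Owner-equivalent or give code execution inside VMs, and resource types that are acted on but not readable. The flagged operation names are real Azure operations; the severity labels are the example's convention.

```python
"""Pre-flight checks for an Azure custom role definition (added example).

Not Microsoft tooling. It runs offline over the JSON that New-AzRoleDefinition
would be given and reports what a reviewer would ask about. Operation names are
real Azure operations; severities and the subscription ID are this example's own.
"""
import json
import re

# The page's role with a constructed subscription ID substituted in.
SAMPLE_ROLE_JSON = """{
  "Name": "Custom VM Operator",
  "IsCustom": true,
  "Description": "Can start, stop, and restart virtual machines.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"]
}"""
SAMPLE_ROLE = json.loads(SAMPLE_ROLE_JSON)

REQUIRED_KEYS = ("Name", "Description", "Actions", "AssignableScopes")

# Management group, subscription or resource group scopes only (this checker's
# restriction); wildcards, placeholders and resource scopes are rejected.
SCOPE_RE = re.compile(
    r"^(/providers/Microsoft\.Management/managementGroups/[^/*{}]+"
    r"|/subscriptions/[0-9a-f-]{36}(/resourceGroups/[^/*{}]+)?)$", re.I)

# Control-plane operations whose grant deserves explicit sign-off.
SENSITIVE = {
    "Microsoft.Authorization/roleAssignments/write":
        "can assign any role in scope, including to itself (Owner-equivalent)",
    "Microsoft.Authorization/roleDefinitions/write":
        "can rewrite role definitions in scope",
    "Microsoft.Authorization/elevateAccess/action":
        "can elevate to root-scope access",
    "Microsoft.Compute/virtualMachines/runCommand/action":
        "runs arbitrary commands as root/SYSTEM inside VMs",
    "Microsoft.Compute/virtualMachines/extensions/write":
        "installs extensions that execute code inside VMs",
}


def matches(pattern, action):
    """Azure action matching: '*' spans any characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def grants(role, action):
    """Effective control-plane permission of one role: Actions minus NotActions."""
    return (any(matches(p, action) for p in role.get("Actions", []))
            and not any(matches(p, action) for p in role.get("NotActions", [])))


def validate(role):
    """Return a list of (severity, message); empty means nothing to flag."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in role:
            findings.append(("error", f"missing required property {key}"))
    if role.get("IsCustom") is not True:
        findings.append(("error", "IsCustom must be true in the PowerShell input format"))
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append(("error", "AssignableScopes is empty; the role could never be assigned"))
    for scope in scopes:
        if "{" in scope or "}" in scope:
            findings.append(("error", f"unsubstituted placeholder in scope {scope}"))
        elif not SCOPE_RE.match(scope):
            findings.append(("error", f"{scope} is not a management group, "
                                      "subscription or resource group scope"))
    for action, why in SENSITIVE.items():
        if grants(role, action):
            findings.append(("high", f"grants {action}: {why}"))
    # Read coverage: the resource type (first two segments) of each explicit
    # action should also be readable, or assignees work blind.
    for action in role.get("Actions", []):
        if "*" in action:
            continue
        resource_type = "/".join(action.split("/")[:2])
        read = resource_type + "/read"
        message = (f"{read} is not granted; assignees can act on {resource_type} "
                   "only by resource ID and will not see them listed in the portal")
        if not grants(role, read) and ("info", message) not in findings:
            findings.append(("info", message))
    return findings


if __name__ == "__main__":
    for severity, message in validate(SAMPLE_ROLE):
        print(f"[{severity}] {message}")
```

Run against the page's role, the checker reports only the missing read operation. The more instructive input is a Contributor-shaped definition (Actions ["*"] with the Microsoft.Authorization write operations in NotActions): it passes the role-assignment check, as intended, but is still flagged for runCommand and extension write, which is why Contributor on a subscription is also code execution on every VM in it.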

Business Relevance

Roles in Azure are not just a technical necessity; they are a strategic enabler for businesses. By implementing a well-defined role structure, organisations can:

  • Enhance Security: Minimise the risk of unauthorised access by adhering to the principle of least privilege.
  • Improve Compliance: Meet regulatory requirements by demonstrating controlled access to sensitive data and resources.
  • Streamline Operations: Simplify resource management by delegating responsibilities to the right individuals or teams.
  • Support Scalability: Efficiently manage access as the organisation grows, ensuring that new users and resources are integrated seamlessly.

Best Practices

To maximise the effectiveness of roles in Azure, consider the following best practices:

  • Use Built-In Roles When Possible: Microsoft maintains the built-in roles as new resource operations appear; a custom role with an explicit action list does not gain those operations and will need updating by hand.
  • Adopt the Principle of Least Privilege: Assign the minimum permissions at the narrowest scope that lets users do their work; prefer Reader, Contributor, or a resource-specific role on a resource group over Owner on a subscription.
  • Regularly Review Role Assignments: Periodically audit assignments, including those inherited from management groups and those held by service principals and managed identities, and remove any that no longer match a current need.
  • Document Custom Roles: Maintain clear documentation for custom roles, including why each action is present, to facilitate troubleshooting and updates.
  • Utilise Conditional Access: Conditional Access governs the sign-in rather than the role, so combine it with role assignments to require, for example, multi-factor authentication before a privileged role can be used.

Relevant Industries

Roles in Azure are universally applicable across industries, but certain sectors stand to benefit significantly:

  • Finance: Protect sensitive financial data by implementing strict access controls and auditing capabilities.
  • Healthcare: Ensure compliance with regulations like HIPAA by restricting access to patient data.
  • Retail: Manage access to customer data and e-commerce platforms to prevent data breaches.
  • Government: Enforce stringent access controls to meet national security standards.
  • Technology: Enable agile development and operations by granting developers and DevOps teams the right level of access.

Conclusion

Roles in Azure are a foundational element of effective cloud governance. By understanding and leveraging both default and custom roles, and by remembering that Entra ID roles and Azure RBAC are separate systems joined by a Global Administrator's ability to elevate access, organisations can achieve a balance between security, compliance, and operational efficiency. Whether you're managing a single subscription or a large multi-subscription hierarchy under management groups, Azure's role-based access control system provides the tools you need to succeed.

Related Azure Services