Q: How do I use role-based access control in Azure?
A: The new Azure portal offers role-based access control (RBAC), which provides far more flexibility than the administrator access or no access that's possible with the old portal, where you're either a co-administrator or have no access. There are currently three roles available (although this will expand in the future):
- Owner: Full control over the resources and access management
- Contributor: Same as owner, without access management capabilities
- Reader: View resources, except resource secrets
Users and groups (which could be synced from on-premises AD) can be assigned to the roles; the roles are available at the subscription, resource group, and resource level. The access rights are inherited, which means if, for example, I have contributor rights at the subscription level I also have contributor rights to all resource groups and resources within the subscription. Likewise, if I have owner rights at a resource group level I also have owner rights for all resources in the resource group.
To set the RBAC controls, navigate to the subscription, resource group, or resource within the new Azure portal by selecting Browse on the left-hand side. Then select Everything at the top, which will show all types, including subscriptions. Select the object (Subscriptions, Resource groups, or Resource) and then in the Access area select the role you want to grant to users or groups. Click Add to add people. Note that this only works in the new portal; the old portal doesn't honor the RBAC settings.
You can also use the PowerShell New-AzureRoleAssignment command to assign RBAC; for example:
New-AzureRoleAssignment -Mail [email protected] -RoleDefinitionName Contributor -ResourceGroupName JohnGroup
You can remove users and groups by selecting the role, selecting the user or group, and clicking Remove. Alternatively, you can use the PowerShell Remove-AzureRoleAssignment command.
For more information about RBAC, see the Microsoft Azure "Role-based access control in Azure Preview portal" page.