Enterprise Mobility and Security Blog


Howdy folks,

More cool news to share – Roles Based Access Control (RBAC) for Azure is now GA!

Separation of Authority may sound like the kind of thing only people with tin foil hats spend time worrying about. But in the real world, without a great RBAC system to enable appropriate separation of authority, it’s nearly impossible for companies of any real size to responsibly use cloud services. And with the rapidly accelerating adoption of Azure in enterprises, RBAC is the now #1 request my team receives from customers looking to adopt Azure as their enterprise cloud platform.

I’ve asked Dushyant Gill, the PM in my team who has driven our RBAC efforts to write up a guest post highlighting how customers are already using the system to empower project teams while maintaining appropriate security and compliance controls.

I hope you’ll find Dushyant’s examples informative and that they give you some ideas for using Azure RBAC in your enterprise!


Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Greetings everyone,

I’m Dushyant Gill, one of the PM’s in the Identity team working on Azure RBAC. I am delighted to announce the general availability of Roles-Based Access Control for Azure!

Until now, to give people the ability to manage Azure you had to give them full control of an entire Azure subscription. Now, using RBAC, you can grant people only the amount of access that they need to perform their jobs. Download the generally available RBAC command-line management tools or use the Azure Management Portal (preview) to manage access for your production Azure workloads.

When it comes to identity and access, most organizations that are considering using the public cloud are concerned about two things:

  1. Ensuring that when people leave the organization they lose access to resources in the cloud.
  2. Striking the right balance between autonomy and central governance. For example, giving the project teams ability to create and manage virtual machines in the cloud, while centrally controlling the networks to which those virtual machines connect.

Azure Active Directory and Azure RBAC make it simple for you to accomplish these goals. Once you extend your Active Directory to the cloud, using Azure AD – your employees can purchase and manage Azure subscriptions using their existing work identity. These Azure subscriptions automatically connect to your Azure AD for single sign-on and access management. When you disable an AD account, it automatically loses access to all Azure subscriptions connected with your Azure AD.

Access Management for Azure Part 1 – The Bigger Picture (5 minutes)

Using Azure RBAC, you can enable self-service management of cloud resources for your project teams while retaining central control over security sensitive infrastructure. For example, a common setup is to allow project teams to create and manage their own virtual machines and storage accounts, but only allow them to connect to networks managed by a central team. Let me show you how to configure this setup.

Access Management for Azure Part 2 – Segregation of Duties Compute vs. Network (10 Minutes)

I start by creating a resource group where the project team will self-manage virtual machines and storage accounts for their project. I call this resource group ‘Pharma-Sales-ProjectForecast’.

Next, I grant people on the project team who are in charge of managing compute, the Virtual Machine Contributor role, and people who are in charge of managing storage, the Storage Account Contributor role on the project resource group.

I select the access button on the essentials pane of the resource group blade. This brings up the Users blade that lists all access assignments on the project resource group. I select the Add action to create new role assignment.

I select the Virtual Machine Contributor role for assignment.

Then, I search for, and select the group in AD that represents the people on the project team in charge of managing compute.

I repeat the role assignment process to assign the Storage Account Contributor role to people on the project team in charge of managing storage.

This completes the access configuration on the project resource group.

Next, I create the networks that I will allow the project team to use. A central networking team will manage these networks, so I place them in a different resource group that will have a different access policy. I call the resource group ‘Network’.

I create a virtual network called ‘EASTUS-VNET-01’ in the Network resource group.

Then I create subnet in the virtual network for the project. I call the subnet ‘Pharma-Sales-ProjectForecast’ (as the name of the project).

Finally, I need to give the people on the project team in charge of managing compute the ability to list and view the virtual networks in the Network resource group and the ability to join their virtual machines to their project’s subnet. First, I grant the people on the project team who are in charge of managing compute the Reader role on the Network resource group.

Access management for subnets is only possible using Azure command-line tools. Second, I use the New-AzureRoleAssignment command of Azure PowerShell to grant the people on the project team who are in charge of managing compute the Virtual Machine Contributor role on project’s subnet.

There, I have enabled the project team to self-manage virtual machines and storage accounts and connect them to their project’s subnets on centrally managed networks.

You can learn more about Azure RBAC at https://aka.ms/azurerbac. Based on our experiences working with Azure customers during the preview, we have also compiled a list of best practices to follow that you can read at https://aka.ms/azurerbacpractices.

In the coming weeks we will enable custom roles for Azure RBAC. If none of the built-in RBAC roles addresses your specific access need, you will be able to create a custom RBAC role composing the exact operations to which you wish to grant access. Stay tuned for the announcement.

We would love to hear your feedback! You can reach us on the Azure User Voice site – please prefix your suggestion with “Azure RBAC”.

Dushyant Gill (@dushyantgill)

Program Manager, Azure Active Directory