Best practices for Azure RBAC & Viewing Role Assignments

  1. Home
  2. Best practices for Azure RBAC & Viewing Role Assignments

This tutorial will help you understand and will describe some best practices for using Azure role-based access control (Azure RBAC) and viewing role assignments. These best practices are extracted from our experience with Azure RBAC and the experiences of customers.

AZ-303 exam is retired. AZ-305 replacement is available.

Only grant the access users in need

Using Azure RBAC, you can separate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody, without any restrictions on permissions in your Azure subscription or resources, you can permit only certain actions at a particular scope.

When team is planning your access control strategy, it’s a best practice to grant users the least privilege to get the work done. The diagram given below shows a suggested pattern for using Azure RBAC.

Azure RBAC and least privilege Best practices for Azure RBAC & Viewing Role Assignments
Image Source – Microsoft

Limit the number of subscription owners

You should be having a maximum of 3 subscription owners to lessen the potential for breach by a compromised owner.

Use Azure AD Privileged Identity Management

To keep safe privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM). It will lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM will help to protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources.

Viewing role assignments

The way that you watch the access for a user is to list their roles assignments. Follow the below mentioned steps to viewing the role assignments for a single user, group, service principal, or managed identity at the subscription scope.

  1. Visit Azure portal, choose All services and then Subscriptions.
  2. Subsequently, choose your subscription.
  3. choose Access control (IAM).
  4. Furthermore, choose the Check access tab.Access control - Check access tab
  5. Also, In the Find list, choose the type of security principal you want to check access for.
  6. Subsequently, In the search box, type a string to search the directory for display names, email addresses, or object identifiers.Check access select list
  7. Now, choose the security principal to open the assignments pane.assignments paneNow, On this pane, you can see the roles assigned to the selected security principal and the scope. If there are any denied assignments at this scope or inherited to this scope, they will be listed on the screen.
free practice test for AZ- 303

Go back to home page

Reference documentation and Image source – Quickstart: View the access a user has to Azure resources

Best practices for Azure RBAC

Menu