Configuring Subscription and Resource Permissions


In this tutorial, we will look at configuring subscription and resource permissions, including adding and removing Azure role assignments in the Azure portal.

Configuring subscription and resource permissions is an important aspect of managing resources in Microsoft Azure. Permissions allow users and services to perform actions on resources within a subscription, and are necessary to control access and limit privileges. Here’s a brief overview of how to configure subscription and resource permissions in Azure:

  • Understanding the Role-Based Access Control (RBAC) Model: Azure uses the RBAC model to manage access to resources. In this model, users and services are assigned roles, which determine the actions they can perform on resources. The three fundamental built-in roles are Owner, Contributor, and Reader. Owners have full control over resources, Contributors can create and manage resources, and Readers can only view resources.
  • Assigning Permissions to Users and Services: To assign permissions to users and services, you need to create a role assignment. This involves selecting a role and specifying a user or service principal to assign it to. Service principals are identities used by Azure services to authenticate with other Azure services.
  • Configuring Permissions for Resources: Permissions can also be configured for individual resources within a subscription. To do this, you can create a custom role that specifies the actions that can be performed on the resource, and then assign that role to a user or service principal.
  • Managing Permissions: Once permissions have been assigned, you can manage them using the Azure portal, PowerShell, or the Azure CLI. This involves reviewing and modifying existing role assignments, creating new role assignments, and deleting role assignments that are no longer needed.
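As an added example (not code from the original tutorial), the following Python snippet builds the kind of custom role definition described above, in the JSON shape that `az role definition create --role-definition` and `New-AzRoleDefinition` accept, and runs a least-privilege review on it before it is created. The subscription ID and resource group name are constructed placeholders.

```python
import json
import re

# Constructed sample identifiers; replace with your own subscription and resource group.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-app"

# Operations that let the holder grant or widen access (escalation paths, not least privilege).
ESCALATION_ACTIONS = ("Microsoft.Authorization/roleAssignments/write",
                      "Microsoft.Authorization/roleDefinitions/write")
RG_OR_BELOW = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+", re.IGNORECASE)


def build_custom_role(name, description, actions, assignable_scopes):
    """Role definition in the JSON shape used by `az role definition create` / New-AzRoleDefinition."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


def action_covers(pattern, operation):
    """True if an Actions entry (which may contain '*') grants the operation; Azure ignores case."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, operation.lower()) is not None


def audit_custom_role(role):
    """Least-privilege review; returns a list of finding strings (empty = clean)."""
    findings = []
    for pattern in role["Actions"]:
        if pattern.strip() == "*":
            findings.append("Actions contains '*': full control, equivalent to Owner")
        findings += [f"'{pattern}' covers {esc}: holder can change access"
                     for esc in ESCALATION_ACTIONS if action_covers(pattern, esc)]
    for scope in role["AssignableScopes"]:
        if not RG_OR_BELOW.match(scope):
            findings.append(f"AssignableScopes entry '{scope}' is wider than a resource group")
    return findings


# The custom role from the practice question below: VMs and network security groups, one resource group.
vm_net_role = build_custom_role(
    "VM and NSG Operator (custom)",
    "Create and manage virtual machines and NSGs in rg-app only",
    ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkSecurityGroups/*"],
    [RG_SCOPE],
)
ROLE_JSON = json.dumps(vm_net_role, indent=2)  # save to a file and pass to `az role definition create`
```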

Adding a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. To assign a role, follow these steps:

  • Firstly, in the Azure portal, click All services and then select the scope that you want to grant access to.
  • Secondly, click the specific resource for that scope.
  • Thirdly, click Access control (IAM).
  • Then, click the Role assignments tab to view the role assignments at this scope.
  • Fifthly, click Add > Add role assignment; the Add role assignment pane opens. If you don’t have permission to assign roles, the Add role assignment option is disabled.
  • After that, in the Role drop-down list, select a role such as Virtual Machine Contributor.
  • Then, in the Select list, select a user, group, service principal, or managed identity. If you don’t see the security principal in the list, type in the Select box to search the directory by display name, email address, or object identifier.
  • Lastly, click Save to assign the role. After a few moments, the security principal is assigned the role at the selected scope.

Assigning a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others.

  • Firstly, in the Azure portal, click All services and then Subscriptions.
  • Secondly, click the subscription where you want to grant access.
  • Thirdly, click Access control (IAM).
  • Fourthly, click the Role assignments tab to view the role assignments for this subscription.
  • Then, click Add > Add role assignment. If you don’t have permission to assign roles, the Add role assignment option is disabled.
  • Next, in the Role drop-down list, select the Owner role.
  • After that, in the Select list, select a user. If you don’t see the user in the list, type in the Select box to search the directory by display name or email address.
  • Lastly, click Save to assign the role.

System-assigned managed identity

Follow the steps below to assign a role to a system-assigned managed identity, starting from the managed identity itself.

  • Firstly, in the Azure portal, open a system-assigned managed identity.
  • Secondly, in the left menu, click Identity.
  • Thirdly, under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments.
  • Then, to change the subscription, click the Subscription list.
  • Next, click Add role assignment (Preview).
  • After that, use the drop-down lists to select the set of resources that the role assignment applies to, such as a subscription, resource group, or resource. If you don’t have role assignment write permission for the selected scope, an inline message is displayed.
  • Then, in the Role drop-down list, select a role such as Virtual Machine Contributor.
  • Lastly, click Save to assign the role.

Removing a role assignment

In Azure RBAC, to remove access to an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  • Firstly, open Access control (IAM) at the scope, such as a management group, subscription, resource group, or resource, where you want to remove access.
  • Secondly, click the Role assignments tab to view all the role assignments at this scope.
  • Thirdly, in the list of role assignments, select the checkbox next to the security principal whose role assignment you want to remove.
  • After that, click Remove.
  • Lastly, in the Remove role assignment message that appears, click Yes.

If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. Open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).
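An added example, not part of the original tutorial: given the role assignments that the Access control (IAM) blade lists at a scope (a constructed sample shaped like `az role assignment list` output, fields trimmed), the code below separates assignments made at that scope from inherited ones, reports the scope at which each can actually be removed, and lists who effectively holds Owner on the subscription (the "administrator" assignment from the earlier section). The subscription ID, resource group, principal names and management group are constructed, and the code assumes the sample subscription sits under that management group.

```python
# Constructed sample shaped like `az role assignment list --all -o json` output (fields trimmed).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
MG = "/providers/Microsoft.Management/managementGroups/mg-root"
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "app-deploy-sp", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": RG + "/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"principalName": "platform-admins", "roleDefinitionName": "Owner", "scope": MG},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-other"},
]


def _norm(scope):
    # Azure scope strings are compared case-insensitively; ignore a trailing slash.
    return scope.lower().rstrip("/")


def is_at_or_above(assignment_scope, target_scope):
    """True if the assignment applies at target_scope: made there or at an ancestor.
    Management groups sit above every subscription but are not string prefixes of
    subscription scopes; assumption: every subscription in the sample is under mg-root."""
    a, t = _norm(assignment_scope), _norm(target_scope)
    if a.startswith("/providers/microsoft.management/managementgroups/"):
        return True
    return t == a or t.startswith(a + "/")


def classify_role_assignments(assignments, target_scope):
    """Split what Access control (IAM) shows at target_scope into assignments made
    here and inherited ones; 'remove_at' is the scope where Remove will succeed."""
    direct, inherited = [], []
    for ra in assignments:
        if not is_at_or_above(ra["scope"], target_scope):
            continue  # assigned below or beside this scope: not listed here
        entry = {"principal": ra["principalName"], "role": ra["roleDefinitionName"],
                 "remove_at": ra["scope"]}
        (direct if _norm(ra["scope"]) == _norm(target_scope) else inherited).append(entry)
    return direct, inherited


def subscription_admins(assignments, subscription_scope):
    """Principals with full control of the subscription: Owner assigned at the
    subscription itself or inherited from a management group above it."""
    direct, inherited = classify_role_assignments(assignments, subscription_scope)
    return sorted(e["principal"] for e in direct + inherited if e["role"] == "Owner")
```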

AZ-500 Exam Practice Questions

Question: You need to grant a user the ability to create and manage virtual machines in a specific resource group. What role should you assign to the user?

A. Owner

B. Contributor

C. Reader

D. Virtual Machine Contributor

Answer: B (Contributor)

Explanation: The Contributor role allows a user to create and manage all resources in a resource group, including virtual machines. The Owner role gives the user full control over the entire subscription, which is typically not necessary for most users. The Reader role only allows the user to view resources, while the Virtual Machine Contributor role only allows the user to manage virtual machines, but not other resources.

Question: You need to give a service principal permission to read data in a storage account. Which role should you assign to the service principal?

A. Storage Account Contributor

B. Storage Account Reader

C. Storage Account Owner

D. Storage Account Data Access

Answer: B (Storage Account Reader)

Explanation: The Storage Account Reader role allows a user or service principal to view data in a storage account, but not modify it. The Storage Account Contributor role would allow the service principal to make changes to the storage account, which is not necessary if the goal is only to read data. The Storage Account Owner role gives full control over the storage account, which is also not necessary for this scenario. The Storage Account Data Access role does not exist.

Question: You want to create a custom role that allows a user to create virtual machines and manage network resources, but not modify other resources. Which permissions should you include in the custom role?

A. Microsoft.Compute/virtualMachines/*

B. Microsoft.Network/networkSecurityGroups/*

C. Microsoft.Resources/subscriptions/read

D. Microsoft.Storage/storageAccounts/*

Answer: A and B (Microsoft.Compute/virtualMachines/* and Microsoft.Network/networkSecurityGroups/*)

Explanation: To create a custom role that allows a user to create virtual machines and manage network resources, but not modify other resources, you should include the appropriate permissions for those resources. The Microsoft.Compute/virtualMachines/* permission allows the user to create and manage virtual machines, while the Microsoft.Network/networkSecurityGroups/* permission allows the user to manage network security groups. The Microsoft.Resources/subscriptions/read permission only allows the user to view the subscription, while the Microsoft.Storage/storageAccounts/* permission would allow the user to manage storage accounts, which is not necessary for this scenario.

Question: You need to revoke a user’s access to a specific resource group. Which action should you take?

A. Remove the user from the subscription.

B. Remove the user from the Contributor role in the subscription.

C. Remove the user from the Contributor role in the resource group.

D. Remove the user from the Owner role in the subscription.

Answer: C (Remove the user from the Contributor role in the resource group)

Explanation: To revoke a user’s access to a specific resource group, you should remove the user from the Contributor role in that resource group. Removing the user from the subscription or from the Contributor role in the subscription would revoke their access to all resources in the subscription, which is not necessary in this scenario. Removing the user from the Owner role in the subscription would also revoke their access to all resources in the subscription, and is typically not necessary for most users.

Reference: Microsoft Documentation
