Microsoft Azure Roles & Subscriptions: A Brief Explanation (With Example – Step By Step)

Published on August 24, 2020

Fakhar ul Hassan

Infrastructure Consultant, Cloud Architect & Automation, DevOps, Infrastructure as Code (IaC), Ansible, Terraform

Before starting our discussion on Azure administration roles, we shall first briefly explain some relevant basic concepts and terminology:

1) Azure Account

2) Azure Subscription

3) Azure Resource Group

4) Management Group

After the above explanation, we shall explain the:

5) Azure Administration Roles

Then there shall be a practical guide / demonstration about:

6) Azure Roles Assignment (Step By Step) 

So, let’s get started!

1) Azure Account

==================

A Microsoft Azure account is an identity (i.e. an Outlook or Hotmail ID trusted by Azure AD) that is used to log in to the Azure Portal. One Microsoft Azure account may have multiple subscriptions.

Note: The account administrator role and the service administrator role are assigned to the account that was used to subscribe to Microsoft Azure.

2) Azure Subscription

======================

An Azure subscription is normally considered a logical entity linked with a Microsoft Azure account. The subscription determines how you are billed for the Azure cloud service resources you use: resource usage reporting, billing and payment are controlled per subscription. Each subscription has its own identifier (ID) and its own billing.

3) Azure Resource Group

==========================

A resource group contains Azure resources and is linked to an Azure subscription. Every Azure subscription is associated with an Azure AD tenant, and the users and groups that belong to that subscription are present in that Azure AD. Access to the resources in a resource group is authenticated and authorized by Azure AD.

In order to access resources in a resource group, a user must exist in the Azure AD associated with the resource group’s subscription. User roles determine the level of access granted to a particular user for the resources in a resource group.

4) Management Group

======================

To efficiently manage Azure resource access, policies and compliance at the subscription level, Azure introduced a logical grouping of subscriptions called a “Management Group”. All conditions applied to a management group are automatically inherited by every subscription in that management group. Moreover, Azure maintains only one Active Directory tenant association for all the subscriptions linked to a single management group.

5) Azure Administration Roles

===============================

5.1 Classic Roles

5.2 Azure RBAC (Role Based Access Control) Roles

5.3 Azure Active Directory Admin Roles

Note: In Azure there are two resource management and deployment models, i.e. the classic deployment model and Azure Resource Manager (ARM). ARM is the model recommended by Microsoft for new resources.

5.1 Classic Roles

=================

There are three types of roles in an Azure classic subscription:

5.1.1 Account Administrator

Full Access to all Azure resources.

5.1.2 Service Administrator

Full Access to Azure Resources, Manage Services, Authority to assign users the Co-Administrator role

Note: By default, the Account Administrator of a new subscription has the role of Service Administrator as well.

5.1.3 Co-Administrator   

Limited Service Administrator Role 

Note: The account administrator loses access to the portal if the service administrator is changed. Moreover, the service administrator has the limitation that it cannot add users from another directory. For example, if the user “fakhar@somedomain.com” holds the service administrator role, he can add the user “hassan@somedomain.com” but cannot add the user “steve@otherdomain.com”.

5.2 Azure RBAC Roles

=======================

RBAC (Role Based Access Control) provides access to Azure resources under the Azure Resource Manager deployment model. RBAC has around 70 different built-in roles, which can be assigned to achieve the required access rights.

Note: Both ARM and Classic deployment models apply these roles at subscription and resource levels.

Source: Azure Documentation

RBAC Fundamental Roles

=============================

5.2.1 Contributor        

Create & Manage Resources and No Delegation Rights (Cannot grant access to others)

5.2.2 Reader

View Resource (Cannot make any changes to the resources)

5.2.3 Owner

Create & Manage resources and delegation rights (Owner can grant access to others)

5.2.4 User Access Administrator

Holds root-scope privileges and manages user access to Azure resources.

5.3 Azure AD Admin Roles

============================

5.3.1 Global Administrator

Manages access to administrative features in Azure AD and to services federated with Azure AD; can reset passwords for end users and other administrators.

5.3.2 User Administrator

Creates and manages users and groups, changes passwords for other users, manages support tickets, monitors service health, etc.

5.3.3 Billing Administrator   

Manages support tickets, subscriptions, purchases and monitors service health.

6) How to assign a role? (Example – Step By Step)

==================================================

Step-1: Log in to the Azure portal and click “Azure Active Directory”.

Step-2: Click “Users”.

Step-3: Click “New user”.

Step-4: Select “Create user”, enter the new user’s details and then click the “Create” button.

Step-5: Confirm that the new user has been created.

Step-6: Click “Home”.

Step-7: Select the resource whose access you want to grant to the newly created user (i.e. rhassan).

Note: In this example we have used an already created virtual network resource, i.e. “test-vnet-1”. If you want to see how this resource was created, please check my other article http://tiny.cc/nws7lz for reference.

Step-8: Select “Access control (IAM)”.

Step-9: Click “Role assignments”.

Step-10: Click “Add”, then click “Add role assignment”.

Step-11: Select “Owner”, then select “Azure AD user, group or service principal” and then select the newly created user (i.e. “rhassan”).

Step-12: With “Owner” and the newly created user (i.e. “rhassan”) selected, click “Save”.

The new user (i.e. rhassan) has been granted “Owner” level rights on the resource “test-vnet-1” successfully.

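The same assignment as an Azure CLI script, added here as an example that is not part of the original article: it builds the role-assignment scope for the virtual network, walks the scope hierarchy from sections 3 and 4 one level at a time, accepts only the built-in roles listed in section 5.2, warns when the chosen role carries delegation rights, and then, if the az CLI is installed and logged in, creates the assignment and lists the user’s direct and inherited assignments at that scope. The subscription ID, resource group name, user name and the helper functions `vnet_scope`, `parent_scope`, `valid_role` and `grants_delegation` are assumptions, not values or code from the article.

```shell
# Added example, not code from the article: CLI equivalent of steps 7-12.
# Every identifier below is a constructed placeholder; override it via the environment.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-test-rg}"
VNET_NAME="${VNET_NAME:-test-vnet-1}"
ASSIGNEE="${ASSIGNEE:-rhassan@somedomain.com}"
ROLE="${ROLE:-Reader}"   # the article grants Owner; Reader is the least-privilege default here

# ARM resource ID of a virtual network: this string is the role-assignment scope.
vnet_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' \
    "$1" "$2" "$3"
}
# One step up the hierarchy: resource -> resource group -> subscription -> root "/".
# Management groups sit above subscriptions but are not part of a resource ID.
parent_scope() {
  case "$1" in
    */providers/*)      printf '%s' "${1%%/providers/*}" ;;
    */resourceGroups/*) printf '%s' "${1%/resourceGroups/*}" ;;
    *)                  printf '/' ;;
  esac
}
# Accept only the built-in roles the article lists, so a typo cannot create a wrong assignment.
valid_role() {
  case "$1" in
    Owner|Contributor|Reader|"User Access Administrator") return 0 ;;
    *) return 1 ;;
  esac
}
# Owner and User Access Administrator let the assignee grant access to others.
grants_delegation() {
  case "$1" in Owner|"User Access Administrator") return 0 ;; *) return 1 ;; esac
}

SCOPE="$(vnet_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VNET_NAME")"
valid_role "$ROLE" || { echo "unknown role: $ROLE" >&2; exit 1; }
if grants_delegation "$ROLE"; then
  echo "warning: $ROLE lets $ASSIGNEE grant access to others at $SCOPE" >&2
fi
if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
  az role assignment create --assignee "$ASSIGNEE" --role "$ROLE" --scope "$SCOPE" >/dev/null
  # Verify what the user now holds on the vnet, including assignments inherited from above.
  az role assignment list --scope "$SCOPE" --include-inherited --assignee "$ASSIGNEE" \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
else
  echo "az CLI not available or not logged in; would assign $ROLE to $ASSIGNEE at $SCOPE"
fi
```

Run it with `ROLE=Owner` to reproduce the article’s assignment exactly; the delegation warning then shows why a narrower role is preferable when the user only needs to view or manage the network.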