Azure AD Roles Vs Role-Based Access Control (RBAC)

Introduction 

 

Sometimes there is confusion between two terms: Azure AD roles and Azure roles, i.e. role-based access control (RBAC) in Azure. In this article, I will explain the core differences between the two.
 

What are Azure AD Roles?

 

Azure AD is the identity store in Azure. In it we can define users, groups, applications, and service principals. These users can authenticate to Azure and access resources that are part of an Azure subscription.
 
We can assign Azure AD roles to a user; the permissions these roles grant are used to manage the various aspects of Azure AD itself.
 
For example, if we want to give a user the ability to register applications in Azure AD, we can assign them the Application Administrator role; if we want a user to be able to manage groups, we can assign them the Groups Administrator role.
 

What is Role-Based Access Control?

 
Role-based access control (RBAC), on the other hand, is meant to authorize a user to use resources in Azure.
 
For example, you could assign a role that gives a user the ability to create a storage account or to manage resource groups.
 
Role-based access control can be given at the management group level, subscription level, resource group level, or at the resource level.
 
RBAC has three basic roles that apply to all resource types:
  • Owner
    This role has full access to all the resources and can delegate access to others.
     
  • Contributor
    This role can create and manage all types of resources, but can’t grant access to other users and groups.
     
  • Reader
    This role can view existing Azure resources.

Assigning Azure AD Roles

 
Go to Azure Active Directory, then to the Users section, and click on the user to whom you want to add an Azure AD role. Now we can assign roles to the user: click on Assigned roles, then + Add assignments.
 
 
Now you will see a list of available Azure AD roles. You can select any role and click on the Add button.
 
 
You will then see the role assigned to the user.
 
 

Assigning Role-Based Access Control

 
As we know, RBAC is used to give access to resources in Azure. Let's say you want to give a user RBAC access to a resource group.
 
Go to the resource group and click on the Access control (IAM) option.
 
 
Now click on Add role assignment. On the next screen, you have to choose the role to assign and the principal to assign it to.
 
First choose a role, then under Assign access to, search for the user and select them. Once the user is selected, click Save.
 
 
If you now go to the Role assignments tab, you will see the Contributor role assigned to the user.
 
 
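The same two assignments walked through above (Contributor on a resource group, Groups Administrator in the directory), done from the command line instead of the portal, as an added example that is not part of the original article. It assumes the Az and Microsoft.Graph PowerShell modules are installed, that Connect-AzAccount and Connect-MgGraph have already been run, and uses placeholder values for the user and resource group.

```powershell
# Added example, not from the original article.
# Assumes: Az and Microsoft.Graph modules installed; already signed in with
# Connect-AzAccount and Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory".
$userUpn = "user@contoso.example"   # placeholder: the user to grant access to
$rgName  = "rg-demo"                # placeholder: the target resource group

# Both role systems key on the same Azure AD identity, so resolve it once.
$user = Get-AzADUser -UserPrincipalName $userUpn

# --- Azure role (RBAC): Contributor scoped to ONE resource group ---------------
# The scope is what limits the blast radius. The same cmdlet with
# -Scope "/subscriptions/<id>" would grant Contributor on the whole subscription.
New-AzRoleAssignment -ObjectId $user.Id `
                     -RoleDefinitionName "Contributor" `
                     -ResourceGroupName $rgName

# Check: what this user now holds at the resource-group scope.
Get-AzRoleAssignment -ObjectId $user.Id -ResourceGroupName $rgName |
    Select-Object RoleDefinitionName, Scope

# --- Azure AD role: Groups Administrator, tenant-wide ---------------------------
# Azure AD roles have no resource-group scope; directory scope "/" is the whole tenant.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
               -Filter "displayName eq 'Groups Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
                                            -RoleDefinitionId $roleDef.Id `
                                            -DirectoryScopeId "/"

# Check: directory role assignments held by this user.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

# Review check: Owner at subscription scope can delegate access to others,
# so list who holds it directly at that scope (inherited entries filtered out).
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.RoleDefinitionName -eq "Owner" -and $_.Scope -eq $subScope } |
    Select-Object DisplayName, ObjectType, Scope
```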

Summary

 
Azure AD roles are used to manage access to Azure AD resources, whereas Azure roles are used to manage access to Azure resources.
 
The scope of Azure AD roles is the tenant, whereas the scope of Azure roles can be specified at multiple levels, including management group, subscription, resource group, and resource.
 
I hope you found this information useful!