30.04.2024 · dadevel

Microsoft's cloud offering can be split into three main parts: the cloud provider Azure, the productivity suite M365 and the identity provider Entra.

Azure Resource Manager (ARM) provides the central management API for Azure and performs authorization based on role assignments (Azure RBAC).

Management scopes:

  root management group
    nested management groups
        resource groups

Every subscription is assigned to exactly one tenant, but one tenant can have multiple subscriptions.

Overview of the default RBAC roles:

| Role | Permissions |
| --- | --- |
| Owner | full access to resources, manage access for other users |
| User Access Administrator | view resources, manage access for other users |
| Contributor | full access to resources |
| Reader | view resources |

Principal types that can receive a role assignment:

  • Entra user
  • Entra group
  • Entra service principal
  • user-assigned managed identity
  • system-assigned managed identity

Role assignment: principal has role on scope.
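As an added illustration (not from the original notes), a small Python model of how ARM evaluates the "principal has role on scope" triple: assignments are inherited down the scope chain (management group, subscription, resource group, resource), a role grants an action when it matches Actions but not NotActions, and assignments never flow upwards. The role definitions are abridged from the real built-in roles, the scope names and assignments are constructed, and deny assignments and DataActions are not modelled.

```python
from fnmatch import fnmatchcase

# Built-in roles from the table above as (Actions, NotActions). Abridged:
# DataActions and most of Contributor's NotActions are left out.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
}

# Constructed sample hierarchy (child scope -> parent scope); all names are made up.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
PARENT = {MG + "prod": MG + "root", SUB: MG + "prod", RG: SUB, VM: RG}

# Constructed assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", MG + "root"),
    ("bob", "Contributor", SUB),
    ("carol", "Owner", RG),
]

def scope_chain(scope):
    """The scope itself followed by its ancestors up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def role_allows(role, action):
    """Action is granted if it matches Actions and no NotActions pattern.
    Matching is case-insensitive and '*' spans '/' as in Azure."""
    actions, not_actions = ROLES[role]
    hit = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(actions) and not hit(not_actions)

def effective_roles(assignments, principal, scope):
    """Roles held on a scope, including those inherited from ancestor scopes."""
    chain = set(scope_chain(scope))
    return sorted({r for p, r, s in assignments if p == principal and s in chain})

def is_authorized(assignments, principal, action, scope):
    """True if any effective role grants the action on the given scope."""
    return any(role_allows(r, action)
               for r in effective_roles(assignments, principal, scope))
```

Reviewing assignments at high scopes (root or nested management groups) matters most, because a single assignment there is inherited by every subscription, resource group and resource below it.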

For more info about individual resource types see the Azure Escalation notes.