Azure AD Roles vs Azure RBAC Roles

Inside a Microsoft Azure environment there are two kinds of permission-granting mechanism: Azure roles (Azure RBAC) and Azure AD roles. Each plays its own part depending on whether you are acting as an M365 administrator or as an Azure tenant administrator. The table below lists a few key differences between the two.

Azure AD Roles | Azure RBAC Roles
Azure Active Directory has its own, unique set of roles, specific to identity management. | Azure RBAC roles control permissions for managing Azure resources, while Azure AD administrator roles control permissions to manage Azure Active Directory resources.
Azure AD administrator roles are used to manage Azure AD resources in a directory. | RBAC roles are used to manage access to Azure resources like VMs and storage accounts.

Major Azure AD roles

Global Administrator is the highest level of permission; it can also assign admin roles to other users and reset passwords for users and for all other administrators. The major roles are:
Global administrator – the highest level of access, including the ability to grant administrator access to other users and to reset other administrators’ passwords.
User administrator – can create and manage users and groups, and can reset passwords for users, Helpdesk administrators and User administrators.
Helpdesk administrator – can change the password for users who don’t have an administrator role, and can invalidate refresh tokens, which forces users to sign in again.
Billing administrator – can make purchases and manage subscriptions.

Major Azure RBAC roles

Azure RBAC roles can be assigned at multiple levels (scopes): management groups, subscriptions, resource groups, and even individual resources. The major roles are:
Owner – full rights to change the resource and to change its access control, granting permissions to other users.
Contributor – full rights to change the resource, but not able to change its access control.
Reader – read-only access to the resource.
User Access Administrator – no access to the resource itself, only the ability to change its access control.
[Figure: Azure roles and Azure AD roles assigned to various Azure components]
[Figure: Generic hierarchy for applying Azure RBAC roles]
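The two points a practitioner most often gets wrong here are that RBAC assignments inherit downward through the scope hierarchy just shown (management group, subscription, resource group, resource), and that an Azure AD role such as Global administrator grants no RBAC role on resources by itself. The following Python model, added here as an illustration and not code from the original post or from Microsoft, works through both. The scope strings follow the real ARM resource-ID layout, but every management group name, subscription GUID, resource name and principal in them is a constructed sample value, and the capability table is a summary of the role descriptions above rather than Microsoft's actual permission definitions.

```python
"""Toy model of Azure AD (directory) roles next to Azure RBAC scope inheritance.

Added illustration; not code from the post's author or from Microsoft.
All scopes, names and principals below are constructed sample values.
"""
from dataclasses import dataclass

# What each built-in RBAC role may do, as summarised in the comparison above.
RBAC_ROLES = {
    "Owner":                     {"change_resource": True,  "change_access": True},
    "Contributor":               {"change_resource": True,  "change_access": False},
    "Reader":                    {"change_resource": False, "change_access": False},
    "User Access Administrator": {"change_resource": False, "change_access": True},
}


@dataclass(frozen=True)
class RbacAssignment:
    principal: str
    role: str
    scope: str  # ARM scope the role was assigned at


def norm(scope: str) -> str:
    """ARM scopes compare case-insensitively; drop a trailing slash too."""
    return scope.rstrip("/").lower()


# Constructed hierarchy. Management-group scopes are not textual prefixes of
# the subscriptions placed under them, so placement is an explicit parent map.
MG_ROOT = "/providers/Microsoft.Management/managementGroups/corp-root"
MG_PROD = "/providers/Microsoft.Management/managementGroups/corp-prod"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
PARENT = {norm(SUB): norm(MG_PROD), norm(MG_PROD): norm(MG_ROOT)}


def scope_contains(assignment_scope: str, target_scope: str, parent=PARENT) -> bool:
    """True if target_scope equals assignment_scope or sits beneath it."""
    a, t = norm(assignment_scope), norm(target_scope)
    # Segment-aware prefix test: '.../prod-rg' must not cover '.../prod-rg2'.
    if t == a or t.startswith(a + "/"):
        return True
    # Management-group inheritance: walk the subscription's placement chain.
    if t.startswith("/subscriptions/"):
        node = parent.get("/".join(t.split("/")[:3]))
        while node is not None:
            if node == a:
                return True
            node = parent.get(node)
    return False


def effective_rbac_roles(assignments, principal: str, target_scope: str) -> set:
    """RBAC roles a principal holds at target_scope after inheritance."""
    return {a.role for a in assignments
            if a.principal == principal and scope_contains(a.scope, target_scope)}


def can(assignments, principal: str, target_scope: str, capability: str) -> bool:
    """Whether any effective RBAC role grants the named capability."""
    roles = effective_rbac_roles(assignments, principal, target_scope)
    return any(RBAC_ROLES[r][capability] for r in roles)


# Directory (Azure AD) roles: keyed by user, with no ARM scope at all.
DIRECTORY_ROLES = {"alice": {"Global administrator"}, "carol": {"Helpdesk administrator"}}


def directory_roles(principal: str) -> set:
    return set(DIRECTORY_ROLES.get(principal, ()))


# Constructed assignments.
ASSIGNMENTS = [
    RbacAssignment("bob", "Reader", MG_ROOT),   # inherited by everything under corp-root
    RbacAssignment("bob", "Contributor", RG),   # stronger role only inside prod-rg
    RbacAssignment("dave", "User Access Administrator", SUB),
]


def access_summary(principal: str, target_scope: str, assignments=ASSIGNMENTS) -> dict:
    """Both planes side by side for one principal at one scope."""
    return {
        "directory_roles": sorted(directory_roles(principal)),
        "rbac_roles": sorted(effective_rbac_roles(assignments, principal, target_scope)),
        "change_resource": can(assignments, principal, target_scope, "change_resource"),
        "change_access": can(assignments, principal, target_scope, "change_access"),
    }


if __name__ == "__main__":
    for who in ("alice", "bob", "dave"):
        print(who, access_summary(who, VM))
```

Running it shows alice with a Global administrator directory role and an empty RBAC role set on the VM, bob with Reader inherited from the root management group plus Contributor from the resource group (so he can change the VM but not its access control), and dave with User Access Administrator from the subscription (the reverse). Checking bob against a sibling resource group such as prod-rg2 yields Reader only, which is the segment-aware prefix test doing its job; a naive string prefix match would have leaked Contributor onto it.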