Microsoft Releases Azure Role-Based Access Control Service

Microsoft announced the "general availability" of its Role-Based Access Control (RBAC) Azure service this week.

The service lets organizations set up access privileges to Azure resources based on the use of Microsoft's Azure Active Directory service. The overall idea is to permit groups within organizations to set up and manage their own storage accounts and virtual machines. At the same time, traditional IT controls aren't necessarily relinquished. To that end, the service comes with predefined built-in roles. However, Microsoft plans to provide a means for organizations to create their own custom roles "in the next few months," according to an Azure library article description.

The three basic roles are "owner," "contributor" and "reader." Owners have full access to resources. Contributors have management privileges, but they can't grant others access to the resource. Readers can only view the Azure resources.

Microsoft's best-practice advice to organizations is to grant the least privilege needed; they should prefer the "contributor role over the owner role," for instance. The service also ships with narrower built-in roles that serve as model configurations. Examples of these built-in roles include "automation operator" and "SQL database contributor."

The RBAC service was at the preview stage for about one year before commercial release. It's been the No. 1 request of Microsoft's customers wanting to tap Azure, according to Alex Simons, director of program management at the Microsoft Identity Division.

Even though the RBAC service is commercially available today, organizations must use the Azure "management portal preview" to get access to some of its finer-grained controls. The current "classic management portal" (as Microsoft calls it) doesn't support those controls, according to the Azure library article. The article adds that there are a few restrictions on controlling "blobs or tables within the Storage Account" as well as "SQL tables within the DB" (database).

Additionally, carrying out some operations, such as designating access management for subnets, requires using the Azure command-line tool and PowerShell.
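The least-privilege guidance above, applied from PowerShell, as an added example that is not part of the article or of Microsoft's own documentation. It assumes the current Az PowerShell module is installed and a session has been opened with Connect-AzAccount; the group object ID and resource group name are placeholders.

```powershell
# Added example (not from the article). Assumes the Az module and an
# authenticated session (Connect-AzAccount). Values below are placeholders.
$groupObjectId = "<object-id-of-an-Azure-AD-group>"   # placeholder
$resourceGroup = "<resource-group-name>"              # placeholder

# Grant Contributor (can manage resources but cannot grant others access)
# scoped to a single resource group, instead of Owner over the subscription.
New-AzRoleAssignment -ObjectId $groupObjectId `
                     -RoleDefinitionName "Contributor" `
                     -ResourceGroupName $resourceGroup

# Audit helper: list every Owner assignment whose scope is an entire
# subscription. These are the broadest grants and the first to review
# when tightening access.
function Get-SubscriptionOwnerAssignments {
    Get-AzRoleAssignment |
        Where-Object {
            $_.RoleDefinitionName -eq "Owner" -and
            $_.Scope -match '^/subscriptions/[^/]+$'
        } |
        Select-Object DisplayName, SignInName, ObjectType, Scope
}

Get-SubscriptionOwnerAssignments | Format-Table -AutoSize
```

Assignments made to an Azure AD group, as in the first command, are removed automatically when the group or its members are deleted, which matches the directory-synchronization behavior the article describes.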

Organizations that currently use Active Directory on premises should connect it with Azure Active Directory when enabling group access, according to Microsoft. The idea is that access to Azure resources will automatically get changed when Active Directory accounts are modified. Deleting a user from Active Directory eliminates that person's access to Azure resources.

In addition to the RBAC service, Microsoft has a more specific Azure Active Directory Privileged Identity Management service that was introduced as a preview back in August. The Privileged Identity Management service is specifically designed for IT organizations, allowing access restrictions to be set for specific IT personnel.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
