Identity and Access¶
Azure role-based access control (Azure RBAC) is the authorization system for Azure resources. A role assignment binds a security principal (user, group, service principal or managed identity) to a role definition at a scope; the assignment applies to that scope and to everything beneath it, so an assignment at subscription level covers every resource group and resource in the subscription.
RBAC Roles¶
| Role | Permissions | Scope |
|---|---|---|
| Owner | Full access to all resources, including assigning roles to others. | Management Group, Subscription, Resource Group, Resource |
| Contributor | Can create and manage all resource types, but cannot assign roles (grant access). | Management Group, Subscription, Resource Group, Resource |
| Virtual Machine Contributor | Can manage virtual machines, but not access to them, and not the virtual network or storage account they are connected to. | Management Group, Subscription, Resource Group, Resource |
| Reader | Can view existing resources but not modify them. | Management Group, Subscription, Resource Group, Resource |
Managed Identity and Key Vault¶
Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication.
```mermaid
graph TD
    VM[Virtual Machine] --> MI[Managed Identity]
    MI --> AKV[Azure Key Vault]
    AKV --> Sec[Secrets/Certs]
    Sec --> VM
```
Tip
Use a system-assigned managed identity when a single resource needs its own identity: it is created with the resource and deleted with it, so it cannot outlive the VM. Use a user-assigned managed identity, which is a standalone Azure resource, when several resources need the same identity or when its role assignments must survive a resource being rebuilt. In both cases the platform manages the credential, so no secret is stored in code or configuration.
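What the diagram compresses into two arrows is two HTTP calls: the VM asks the local Instance Metadata Service (IMDS) for a token for the Key Vault resource, then presents that token to Key Vault. The example below is added here and is not code from the page or from an Azure SDK; it uses only the standard library and puts the network behind a transport callable so the exchange can be run offline against the constructed fake at the bottom (the vault name, secret name, token and secret value are made up). The endpoint, query parameters, `Metadata: true` header and response fields are the documented IMDS and Key Vault REST shapes.

```python
"""Managed identity -> Key Vault secret: the two HTTP calls behind the diagram.

Added example, not from the page. Standard library only; real network calls are
isolated behind a transport callable so the flow runs offline with the fake below.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Azure IMDS is link-local: reachable only from inside the VM, never from outside.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"

# transport(method, url, headers) -> (http_status, body_bytes)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP transport; only works on an Azure VM that has a managed identity."""
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def token_request(client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Build the IMDS token request. No credential is sent: the identity is the VM."""
    params = {"api-version": IMDS_API_VERSION, "resource": KEY_VAULT_RESOURCE}
    if client_id:  # user-assigned identity: select it by client_id
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without 'Metadata: true'. A plain SSRF through a web
    # app usually cannot add custom headers, which is exactly what the check is for.
    return url, {"Metadata": "true"}


def get_managed_identity_token(transport: Transport, client_id: Optional[str] = None,
                               now: Callable[[], float] = time.time) -> str:
    url, headers = token_request(client_id)
    status, body = transport("GET", url, headers)
    if status != 200:
        raise RuntimeError(f"IMDS token request failed: HTTP {status}")
    tok = json.loads(body)
    if tok.get("resource") != KEY_VAULT_RESOURCE or tok.get("token_type") != "Bearer":
        raise RuntimeError("token is not a Bearer token for Key Vault")
    # expires_on is epoch seconds as a string; refuse tokens that are about to expire
    if int(tok["expires_on"]) - now() < 60:
        raise RuntimeError("token expired or about to expire")
    return tok["access_token"]


def get_secret(vault_name: str, secret_name: str, token: str, transport: Transport) -> str:
    """Read the current version of a secret via the Key Vault data-plane REST API."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/{urllib.parse.quote(secret_name)}"
           f"?api-version={KEY_VAULT_API_VERSION}")
    status, body = transport("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"Key Vault request failed: HTTP {status}")
    return json.loads(body)["value"]


def fetch_secret(vault_name: str, secret_name: str, transport: Transport = urllib_transport,
                 client_id: Optional[str] = None) -> str:
    token = get_managed_identity_token(transport, client_id)
    return get_secret(vault_name, secret_name, token, transport)


# --- constructed fake of both endpoints so the flow can be exercised offline ---
FAKE_TOKEN = "eyJ.fake.token"
FAKE_SECRET = "db-password-from-vault"


def fake_azure_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            return 400, b'{"error":"bad_request_102","error_description":"Required metadata header not specified"}'
        body = {"access_token": FAKE_TOKEN, "expires_on": str(int(time.time()) + 3600),
                "resource": KEY_VAULT_RESOURCE, "token_type": "Bearer"}
        return 200, json.dumps(body).encode()
    if ".vault.azure.net/secrets/" in url:
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return 401, b'{"error":{"code":"Unauthorized"}}'
        return 200, json.dumps({"value": FAKE_SECRET, "id": url.split("?")[0] + "/v1"}).encode()
    return 404, b""


if __name__ == "__main__":
    print(fetch_secret("contoso-kv", "db-password", transport=fake_azure_transport))
```

For the real call the identity still needs a data-plane role on the vault (for example Key Vault Secrets User assigned at vault scope); without that Key Vault answers 403 even though IMDS happily issued a token. In production use the azure-identity and azure-keyvault-secrets packages rather than hand-rolled HTTP; the point of the block is to show what those libraries do and where the `Metadata` header check sits.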
Warning
Just-In-Time (JIT) VM access, a Microsoft Defender for Cloud feature, keeps management ports such as 22 (SSH) and 3389 (RDP) blocked in the network security group and opens them only to an approved source address for a limited time when a user requests access. This shrinks the window for brute-force and password-spray attacks against RDP/SSH; an NSG rule that leaves those ports permanently open to the internet is exactly what JIT is meant to replace.
Note
RDP/SSH access does not require a public IP on the VM. Use Azure Bastion (recommended), a VPN or ExpressRoute connection, or private-IP connectivity from a peered or otherwise connected network, and keep ports 22 and 3389 closed to the internet in the NSG.