Skill 1.2 - Manage Role-Based Access Control (RBAC)

Questions and Answers

What is RBAC?

Role-based access control

Who can RBAC access be granted to?

Users, groups, service principals, and managed identities

What is the scope of Azure RBAC?

Azure Resource Manager (ARM) deployment model

What is a role in RBAC?

Definition of allowed and/or denied actions

How is RBAC configured?

By selecting a role and associating it with a security principal

What takes precedence in RBAC when there are overlapping assignments?

Most privileged access right

What do RBAC role definitions contain?

List of permissions or declared permissions

What is the purpose of Azure AD administrative roles?

To allow or restrict admins to perform identity tasks

What is the limit of custom roles per directory?

5,000

Who can create or remove role assignments in Azure?

People with Owner or User Access Administrator built-in roles

How can custom roles be created?

From existing built-in roles, starting from scratch, or with a JSON file

What is required to create a custom role?

Write permissions on all items in a scope

How can Deny Assignments be controlled?

By applying a resource lock for resources created through Azure Blueprints

What is a Security Principal in Azure?

An identity that gets permissions

In what ways can Role Assignments be created and listed?

Portal, Azure AD PowerShell, or Microsoft Graph API

Why would someone clone a built-in role?

To make small tweaks to permissions