Built-in roles

Azure offers various built-in roles that you can use for assigning permissions to users, groups, and applications. RBAC offers the following three standard roles that you can assign to each Azure resource:

• Owner: Users in this role can manage everything, and can create new resources.
• Contributor: Users in this role can manage everything, just like users in the owner role, but they can't assign access to others.
• Reader: Users in this role can read everything, but they are not allowed to make any changes.

Aside from the standard roles, each Azure resource also has roles that are scoped to particular resources. For instance, you can assign users, groups, or applications to the SQL security manager, from which they can manage all security-related policies of the Azure SQL Server, or you can assign them to the VM contributor role, where they can manage the VMs, but not the VNet or storage accounts that are connected to a VM.

While these built-in roles usually cover all possible use cases, they can never account for every requirement in an organization. To allow for flexibility in role assignment, RBAC provides the ability to make custom roles. Let's look at this feature.