Azure Identity and Access Management

Identity and Access Management (IAM) is all about managing ‘who can do what‘ on which resources in Azure.

For Example, If you are a employee of the company and you have access to all the resources then it will be not good for the company by security point of view. Each and every employee of the company has limited access according to their roles and responsibility.

Similarly, IAM allows Identity Management in Azure. Roles, Permission and Access Management are very important from security point of view.

There are three types of component comes under IAM. Let’s look at them one-by-one.

Azure Active Directory

Azure Active Directory (Image Source: Microsoft)

This is the top level of Identity management in Azure. Active Directory (AD) is always associated with tenant (organization). It is one per organization. It is easy to know ‘who’ identity in Azure because of AD. Only the users in the active directory have permission to access Azure Resources or Applications or any Program.

AD verifies identity of user who is trying to access Azure account. Identity is equal to Security Principle.

Security Principle means End users, Applications, Programs etc. as a group.

Azure Role-Based Access Control (Azure RBAC)

Azure RBAC (Image Source: Microsoft)

In the Azure AD we have learned that it is all about ‘who’ access. But what about ‘What you are allowed to do in Azure?’. Azure Role-Bases Access Control comes into picture here. RBAC assigns Roles to a Security Principle.

Roles are collection of specific permissions like Creating VMs, Deleting VMs etc and roles can be Owner, Contributor, Reader etc.

You can read more about Azure RBAC and Roles.

Azure Scope

Azure Scope Levels (Image Source: Microsoft)

In scope identity you allow only specific set of resources to access.

Active directory is all about ‘Who?’ RBAC is all about ‘What you are allowed to do?’ Azure Scope is all about ‘On which Resources?’

In Scope, Role is granted to various layers of Resources hierarchy.

Lower level inherits Roles from higher level.

Let’s conclude all the above components with an example:

Let’s say tenant or organization is Tutorial Funda.

[email protected] = who (AD)


Role Owner = What you are allowed to do (RBAC)


Subscription and Resource Group = On which Resources (Scope)

Suraj has owner role in tenant Tutorial Funda. He may have ownership for multiple or one subscription. So he can access and manage all the resources under that subscription.

So, these are the Components of Identity and Access management Control.