How to Configure User Roles in Azure AD




A user role is essentially a set of permissions that lets an individual user perform specific tasks. In general, roles come with a predefined set of permissions, which dictate the user's capabilities, area of function and access.

In the general sphere, each individual with any amount of influence over a website is assigned a role, which can vary according to the specific set of permissions that come with the role.

In the Microsoft Azure sphere, the Role-Based Access Control (RBAC) feature assists with role assignment, providing specific access management. The feature itself contains several improvements over its counterparts, including seamless management, secure access and a wide array of very specific, as well as custom, roles.

Azure RBAC Roles Overview

In the wider Azure environment, there are 3 essential roles. These roles apply to all of the resource types. While they refer to access management on a very general scale, this overview will help you better understand how roles work in Azure before we move on to assigning roles in Azure AD.

The three basic roles are as follows:

  • Owner: The owner enjoys full access to all the resources, and can also delegate access to other members.
  • Contributor: The contributor can manage and create all kinds of Azure resources. However, unlike the owner, they cannot provide access to other parties.
  • Reader: The reader has very limited capabilities, in that they can only view existing resources in Azure.

There are other, more particular roles in Azure as well. They are usually responsible for the management of more distinct and set resources, which are not accessible by other roles, save for the Owner and Contributor.
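The difference between the three basic roles comes from the Actions and NotActions lists in each role definition. The following sketch is an added example, not part of the original article: the role definitions are abbreviated from Azure's built-in ones, and the function names are illustrative. It evaluates which operations each role permits and shows that role assignments are additive.

```python
import re

# Abbreviated from Azure's built-in role definitions; the real definitions
# list more NotActions entries and also DataActions.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

def _matches(pattern, operation):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def role_allows(role_name, operation):
    """A role grants an operation that is in Actions and not in NotActions."""
    role = ROLES[role_name]
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

def is_allowed(assigned_roles, operation):
    """Assignments are additive: one granting role is enough.
    NotActions only subtracts within its own role; it is not a deny rule."""
    return any(role_allows(r, operation) for r in assigned_roles)

# Constructed sample operations for illustration.
CREATE_VM = "Microsoft.Compute/virtualMachines/write"
READ_VM = "Microsoft.Compute/virtualMachines/read"
GRANT_ACCESS = "Microsoft.Authorization/roleAssignments/write"

if __name__ == "__main__":
    for role in ("Owner", "Contributor", "Reader"):
        print(role, {op: role_allows(role, op)
                     for op in (READ_VM, CREATE_VM, GRANT_ACCESS)})
    print(is_allowed(["Contributor", "User Access Administrator"], GRANT_ACCESS))
```

When reviewing access, evaluate the union of all of a user's role assignments at a scope, because a Contributor who also holds a role that grants Microsoft.Authorization writes can delegate access after all.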

Configuring Roles in Azure Active Directory

The Azure AD sphere features one very distinct role, namely the Administrator. Here, we will take a look at how you can assign the administrative role to any user in the Azure Active Directory.

Please note that the administrator role can be assigned to an existing user. Therefore, you will first need to add a new user to Azure AD before assigning the administrator role.

Let’s start with the role configuration process:

To begin, sign in to the Admin Center in Azure AD. This has to be done with an account that’s classified as global admin for the directory. On the subsequent page, select the Users and Groups option.

After that, click on All Users. A list of existing users will open up, from which you can select one user (once again, there has to be an existing user, or several, in order for this step to be completed).

You can now assign the role to the user you have selected. On the subsequent page, click on Directory role. A list will open up with all the possible roles that can be assigned.

Simply click on the role you want to assign to the user, and click on Save.

As you can see in the screen grab above, each of the roles has a particular function associated with it that is mostly self-explanatory.

It is interesting to note that a number of the roles seen here are unique to Azure AD and Azure in general. This is because of the specific nature of Azure as a cloud services platform, as well as several features and functionalities unique to Azure.

Adding Users to a Role

In addition to assigning roles to users, you can also add users to a particular role. This is done through the Privileged Identity Management feature in Azure AD. Let’s take a look at how you can add more users to any defined role.

Inside the Azure portal, click on the tile labeled Azure AD Privileged Identity Management. Then, click on Manage privileged roles. The Role summary table will open, in which you can select the role that you want to assign more users to. In the role section, click on Add. Then, click on In the search results list, select the user, and Done.

Finally, click on Ok to save the selection. The user you selected will be seen in the list as suitable for the role. Once the selected user is eligible for a role, they can then activate their capability and gain access to all the privileges that come with the role.

Creating and managing roles is an integral aspect of the Microsoft Azure Mastery course at Quickstart. Take a look at the course to find out more about the program.

About The Author
Dennis Tello
Enterprise Account Manager at QuickStart

Dennis is a passionate individual with eight years of experience in the industry. He loves working with organizations large and small, helping them train their technology teams. He specializes in DevOps training and has helped a number of organizations turn their IT teams into game-changers.