Sep 25, 2022 Azure Active Directory

Access Control on Azure?

Hello guys! Long time, right?

The past couple of weeks were a mess around here and I couldn't give the blog the attention it needs, but it was for a good reason! I took the AZ-305 exam; it was a good challenge, and the next post will be dedicated to it!

But now I want to discuss with you one of my favourite topics in Azure: access control!

Nowadays the word everyone is spreading around is Security, and your cloud environment should be protected like Fort Knox! Why not, right?

How do you control your employees' access on Azure? What about your partners? Do they have just enough access to do their job, or are they OWNERS of your subscription?

I've been working with Azure for a while and I can tell you that people sometimes neglect this and hand out the Owner role to everyone, and the price of that can be very high.

What if a disgruntled employee deletes your critical resources? What if one over-privileged account is compromised in a breach? I could spend hours talking about it. Instead, let's discuss how to reduce that risk by using some features of Azure.

Well, the first thing we'll talk about is Role-Based Access Control (RBAC). But what is this?

Azure RBAC is the authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. Every role assignment has three parts: a security principal (user, group, service principal or managed identity), a role definition (the list of actions it may perform) and a scope (management group, subscription, resource group or a single resource). With it we can:


  • Give users access to only the resources they need, at the narrowest scope that works.
  • Allow applications (through a service principal or managed identity) to interact with Azure resources.
  • Allow a DBA to manage only the SQL databases in a subscription.


We use RBAC by assigning Azure built-in roles or custom roles to users, groups or service principals at a scope. Prefer assigning to groups rather than individual users: when people join or leave, you change group membership instead of creating and deleting role assignments, and each subscription has a limit on the number of role assignments.

What are the Azure Built-In Roles?

The built-in roles are provided by Microsoft in every tenant and each of them has a specific purpose. The four general-purpose ones are Owner, Contributor, Reader and User Access Administrator; the rest are service-specific (for example, Virtual Machine Contributor or SQL DB Contributor). Treat Owner and User Access Administrator as highly privileged: both can grant roles to others, so a principal holding either at subscription scope can make itself anything it wants.

You can take a better look at the built-in roles by checking the official document from Microsoft.

What Are the Azure Custom Roles?

What if none of the built-in roles fits your needs? What if you want to be even stricter about access to your environment? My preferred approach is to deploy custom roles!

For example, I want a user to be able to:

  • Start and Stop VM’s.

To do this, we create a role that contains only the specific actions needed for that task (and nothing else), restrict its AssignableScopes, and assign it at the narrowest scope that works, such as a resource group.

You can learn more about custom roles by checking the official document.
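Here is the start/stop example above as an added PowerShell walk-through (my example, not code from the original post). It assumes the Az PowerShell modules are installed, `Connect-AzAccount` has been run with an identity that can create role definitions and assignments, and that the subscription id, resource group and user placeholders are replaced with your own.

```powershell
# Added example, not from the original post. Placeholders below are assumptions; replace them.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: your subscription id
$resourceGroup  = 'rg-prod-vms'                            # placeholder: resource group holding the VMs
$userUpn        = 'operator@contoso.com'                   # placeholder: the operator's UPN

# Role definition: only what is needed to find a VM and start/stop it.
# - read on the VM and the resource group lets the user see the VM in the portal/CLI
# - deallocate releases the compute (stops billing); powerOff keeps the allocation (still billed)
# - AssignableScopes limits where this role may be assigned at all
$roleJson = @"
{
  "Name": "Virtual Machine Operator (Start/Stop)",
  "IsCustom": true,
  "Description": "Can start, stop and restart virtual machines and nothing else.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-operator-role.json'
Set-Content -Path $roleFile -Value $roleJson
$role = New-AzRoleDefinition -InputFile $roleFile

# Assign at resource-group scope, not subscription scope, so the user can only touch those VMs.
# A brand-new role definition can take a short while to propagate; if the assignment fails with
# "role not found", wait a minute and run it again.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$user  = Get-AzADUser -UserPrincipalName $userUpn
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role.Name -Scope $scope

# Verify: list what this principal holds at that scope (should be exactly one row, this role).
Get-AzRoleAssignment -ObjectId $user.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

The things to check in a custom role are the two lists you did not write: no `*` wildcards sneaking in through copy-paste from Contributor, and no `Microsoft.Authorization/roleAssignments/write`, which would let the holder escalate to anything else.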

Now that we have an understanding of RBAC, I want to introduce you to Azure Privileged Identity Management (aka PIM).

What is PIM?

It is a service in Azure AD that enables you to manage, control and monitor access to important resources in your tenant and subscriptions. It covers Azure AD roles, Azure resource roles, and other Microsoft online services such as Microsoft 365 and Intune.

By using PIM we replace standing (permanent) privileged access with just-in-time access: a user is made eligible for a role and activates it only when needed, for a limited time, instead of holding it all day. PIM requires an Azure AD Premium P2 licence for every user who benefits from it, including those who approve activations or perform access reviews. You can learn more about the licence model by checking this article from Microsoft.

What can I do with PIM:

  • Provide just-in-time access to Azure AD roles and Azure resources.
  • Define the maximum time a user can hold the privilege once activated.
  • Require approval, MFA and a justification to activate a role.
  • Conduct recurring access reviews, so eligibility that is no longer needed gets removed.
  • Audit the access history: who activated what, when, and why.

You can learn more about PIM by checking this article.
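To show what "eligible, then activate" looks like for an Azure resource role, here is an added PowerShell example (mine, not from the original post). It assumes a recent Az.Resources module that includes the PIM cmdlets (`New-AzRoleEligibilityScheduleRequest`, `New-AzRoleAssignmentScheduleRequest`), an Azure AD Premium P2 licence for the user, `Connect-AzAccount`, and that the placeholders are replaced. Step 1 runs as an administrator; step 2 runs as the user.

```powershell
# Added example, not from the original post. Placeholders below are assumptions; replace them.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: your subscription id
$resourceGroup  = 'rg-prod-vms'                            # placeholder: resource group to manage
$userUpn        = 'operator@contoso.com'                   # placeholder: the operator's UPN
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

$user        = Get-AzADUser -UserPrincipalName $userUpn
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($contributor.Id)"

# 1. Administrator: make the user ELIGIBLE for Contributor on the resource group.
#    Nothing is granted yet; the eligibility itself expires after 90 days (ISO 8601 duration).
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $user.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'P90D' `
    -Justification 'Operator may activate Contributor on rg-prod-vms during change windows'

# 2. User: activate the eligible role for two hours with a justification.
#    If the role settings require approval, this request waits for an approver instead of
#    taking effect immediately; if they cap activation below PT2H, the request is rejected.
New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $user.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'PT2H' `
    -Justification 'Ticket 1234: patch VMs in rg-prod-vms'

# 3. Audit: active (activated) assignments at this scope right now. The activation also
#    appears in the PIM audit history with its justification.
Get-AzRoleAssignmentScheduleInstance -Scope $scope |
    Where-Object { $_.PrincipalId -eq $user.Id } |
    Select-Object RoleDefinitionDisplayName, StartDateTime, EndDateTime
```

The maximum activation duration, the approval requirement and the MFA requirement are not set per request; they live in the role's PIM settings for that scope (`Get-AzRoleManagementPolicy -Scope $scope` shows the current policy), so configure those first and the activation requests have to comply with them.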

What if you're a consultant who has to manage several subscriptions across multiple tenants? Should you use guest (B2B) users? Well, that can be hard to maintain if you have a huge team: every engineer needs an invitation, a role assignment and ongoing clean-up in each customer tenant, and conditional access and MFA are enforced by the customer's policies, not yours.

Thinking about this scenario, Microsoft developed Azure Lighthouse. With it, the customer delegates a subscription (or resource group) to your tenant, so your team manages it from your own tenant with your own identities, and the delegation is expressed with the Azure built-in RBAC roles. (Unfortunately, custom roles cannot be used in Lighthouse, and the Owner role cannot be delegated either, so the customer keeps Owner to itself.)

You can even combine Azure Lighthouse with PIM in your tenant: the customer marks an authorization as eligible rather than permanent, and your users activate that access in your tenant only when they need it, for a capped duration.

You can learn more about Azure Lighthouse by checking this article.
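Here is what the delegation looks like as an added PowerShell example (mine, not from the original post). It is run in the customer tenant, against the customer's subscription, because the customer is the one delegating. It assumes `Connect-AzAccount` against the customer tenant, the Az.Resources and Az.ManagedServices modules, and that the placeholder ids (customer subscription, your provider tenant id, the object id of a group in your tenant) are replaced. The `eligibleAuthorizations` block follows the Lighthouse PIM integration template shape as I know it; check the current API version against the Lighthouse docs before deploying.

```powershell
# Added example, not from the original post. Run in the CUSTOMER tenant. Placeholders are assumptions.
$customerSubscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder: customer's subscription
$providerTenantId       = '11111111-1111-1111-1111-111111111111'  # placeholder: YOUR (provider) tenant id
$providerGroupId        = '22222222-2222-2222-2222-222222222222'  # placeholder: object id of a group in YOUR tenant

# Built-in roles only: Lighthouse rejects custom roles, and Owner cannot be delegated.
$readerRoleId      = (Get-AzRoleDefinition -Name 'Reader').Id
$contributorRoleId = (Get-AzRoleDefinition -Name 'Contributor').Id

# Standing access: Reader. Privileged access: Contributor, but only as an ELIGIBLE authorization
# that members of the provider group must activate (max 4 hours, MFA enforced in the provider tenant).
$template = @"
{
  "`$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "registrationName": "[guid('contoso-msp-registration')]",
    "assignmentName":   "[guid('contoso-msp-assignment')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "Contoso MSP managed services",
        "description": "Delegated resource management by Contoso MSP",
        "managedByTenantId": "$providerTenantId",
        "authorizations": [
          {
            "principalId": "$providerGroupId",
            "principalIdDisplayName": "Contoso MSP support team",
            "roleDefinitionId": "$readerRoleId"
          }
        ],
        "eligibleAuthorizations": [
          {
            "principalId": "$providerGroupId",
            "principalIdDisplayName": "Contoso MSP support team",
            "roleDefinitionId": "$contributorRoleId",
            "justInTimeAccessPolicy": {
              "multiFactorAuthProvider": "Azure",
              "maximumActivationDuration": "PT4H"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('assignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
"@
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'lighthouse-delegation.json'
Set-Content -Path $templateFile -Value $template

# Subscription-level deployment: the customer delegates the whole subscription to the provider tenant.
Select-AzSubscription -SubscriptionId $customerSubscriptionId
New-AzSubscriptionDeployment -Name 'lighthouse-delegation' -Location 'westeurope' -TemplateFile $templateFile

# Verify from the customer side: which provider tenants may manage this subscription?
Get-AzManagedServicesAssignment -Scope "/subscriptions/$customerSubscriptionId"
```

Two things worth noticing in the template: the principal ids belong to the provider tenant, so the customer cannot validate them and has to trust the values you hand over (put them in a versioned, reviewed template, not an e-mail), and the customer can revoke the whole delegation at any time by deleting the registration assignment.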

