With RBAC, you can manage who has access to the different Azure resources inside of your tenant. You can also set what the users can do with different Azure resources.

It's good practice to assign permissions using the principle of least permissions; this involves giving users the exact permissions they need to do their jobs properly. Users, groups, and applications are added to roles in Azure, and those roles have certain permissions. You can use the built-in roles that Azure offers, or you can create custom roles in RBAC.

The roles in Azure can be added to a certain scope. This scope can be an Azure subscription, an Azure resource group, or a web application. Azure then uses access inheritance; that is, roles that are added to a parent resource give access to child resources automatically. For instance, a group that is added to an Azure subscription gets access to all the resource groups and underlying resources that are in that subscription as well. A user that is added to a virtual machine (VM) only gets access to that particular VM.

Let's start by looking at built-in roles.