Built-in roles

Azure offers various built-in roles that you can use to assign permissions to users, groups, and applications. RBAC offers the following three standard roles that you can assign to each Azure resource:

  • Owner: Users in this role can manage everything and create new resources.
  • Contributor: Users in this role can manage everything, just like users in the owner role, but they can't assign access to others.
  • Reader: Users in this role can read everything, but they are not allowed to make any changes.
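The difference between the three roles comes down to the Actions and NotActions lists in their role definitions. The following is an added example, not code from the book: it evaluates a few real Azure operation names against abridged copies of those definitions (the real Contributor role lists more NotActions than shown here), and the function names are illustrative.

```python
import re

# Abridged copies of the built-in role definitions, constructed for this
# example. The real Contributor definition contains further NotActions.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Constructed sample of operations to check.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
]

def _matches(pattern, operation):
    # '*' matches any run of characters; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective permission of one role: Actions minus NotActions."""
    definition = ROLES[role]
    granted = any(_matches(p, operation) for p in definition["Actions"])
    excluded = any(_matches(p, operation) for p in definition["NotActions"])
    return granted and not excluded

def access_matrix(operations):
    """Map each operation to {role: allowed} for all three roles."""
    return {op: {r: is_allowed(r, op) for r in ROLES} for op in operations}

if __name__ == "__main__":
    for op, row in access_matrix(SAMPLE_OPERATIONS).items():
        flags = "  ".join(f"{r}={'yes' if ok else 'no'}" for r, ok in row.items())
        print(f"{op:<48} {flags}")
```

NotActions only subtracts from what the same role grants; it is not a deny rule, so a user who also holds another role that grants the operation can still perform it.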

Aside from the standard roles, each Azure resource also has roles that are scoped to particular resources. For instance, you can assign users, groups, or applications to the SQL Security Manager role so that they can manage all the security-related policies of the Azure SQL Server. Alternatively, you can assign them to the VM Contributor role, where they can manage the VMs, but not the VNet or storage accounts that are connected to a VM.

For an overview of all the built-in roles that Azure offers, refer to https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles.

While these built-in roles cover most common use cases, they can never account for every requirement in an organization. To allow for flexibility in role assignment, RBAC lets you create custom roles. We'll look at this feature in more detail in the next section.
