Azure Governance & RBAC — Cheat Sheet

Intermediate · Cheat Sheet · 12 min · 7 min read · 20 Jan 2025 · Azure

Must-know CLI and PowerShell for Azure RBAC role assignments, custom roles, Azure Policy, management groups, resource locks, and subscription management.

RBAC Role Assignments

# List role assignments on a resource group
az role assignment list \
  --resource-group myRG \
  --output table

# List role assignments for a user
az role assignment list \
  --assignee user@example.com \
  --all --output table

# Assign a built-in role to user on RG scope
az role assignment create \
  --assignee user@example.com \
  --role "Contributor" \
  --resource-group myRG

# Assign role at subscription scope
az role assignment create \
  --assignee user@example.com \
  --role "Reader" \
  --scope "/subscriptions/<sub-id>"

# Assign role at resource scope
az role assignment create \
  --assignee user@example.com \
  --role "Storage Blob Data Contributor" \
  --scope $(az storage account show -n mystorageacct -g myRG --query id -o tsv)

# Assign role to a service principal
az role assignment create \
  --assignee <service-principal-object-id> \
  --role "Contributor" \
  --resource-group myRG

# Assign role to a managed identity
az role assignment create \
  --assignee <managed-identity-principal-id> \
  --role "AcrPull" \
  --scope $(az acr show -n myregistry --query id -o tsv)

# Remove role assignment
az role assignment delete \
  --assignee user@example.com \
  --role "Contributor" \
  --resource-group myRG

# PowerShell equivalents (Az module)
Get-AzRoleAssignment -ResourceGroupName "myRG"
New-AzRoleAssignment -SignInName "user@example.com" -RoleDefinitionName "Contributor" -ResourceGroupName "myRG"
Remove-AzRoleAssignment -SignInName "user@example.com" -RoleDefinitionName "Contributor" -ResourceGroupName "myRG"
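As an added example (not part of the cheat sheet), the Python below models how Azure decides a request against assignments like the ones above: an assignment applies at its scope and everything beneath it (MG → Subscription → RG → Resource), a role grants an operation when its Actions match and its NotActions do not, role assignments are additive, and a deny assignment beats every grant. The subscription id, principals, assignments and the deny assignment are constructed; Reader and Contributor mirror the built-in definitions, and VM Operator is the custom role from the Custom Roles section of this page. Nothing here calls Azure.

```python
"""Offline model of an Azure RBAC access check: scope inheritance, Actions/NotActions
wildcard matching, additive role assignments and deny assignments that win.
Added example; nothing here calls Azure, all data is constructed."""
import fnmatch
from typing import Iterable

# Role definitions reduced to the fields that drive evaluation. Reader and Contributor
# mirror the built-in roles; VM Operator is the custom role defined later on this page.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        # NotActions carve these out of the '*' grant; they are not a deny.
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "VM Operator": {
        "actions": [
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/powerOff/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
    },
}

# Placeholder subscription id; the ids beneath it follow the real ARM id layout.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/myRG"
OTHER_RG = SUB + "/resourceGroups/otherRG"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_VM = OTHER_RG + "/providers/Microsoft.Compute/virtualMachines/vm2"

# Constructed assignments, shaped like entries from `az role assignment list -o json`.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "alice@example.com", "roleDefinitionName": "VM Operator", "scope": RG},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": RG},
]

# Constructed deny assignment. Azure creates these itself (Blueprints, managed
# applications); they cannot be created by hand, but an access check must honour them.
DENY_ASSIGNMENTS = [
    {"principalName": "bob@example.com", "scope": RG,
     "actions": ["Microsoft.Compute/virtualMachines/delete"]},
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    parent = assignment_scope.lower().rstrip("/")
    child = resource_id.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def matches(patterns: Iterable[str], operation: str) -> bool:
    """Operation strings match case-insensitively; '*' spans across '/' segments."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role_name: str, operation: str) -> bool:
    """A role grants an operation when Actions match it and NotActions do not."""
    role = ROLE_DEFINITIONS[role_name]
    return matches(role["actions"], operation) and not matches(role["notActions"], operation)


def is_allowed(principal: str, operation: str, resource_id: str) -> bool:
    """Deny assignments are checked first and beat any grant; role grants are additive."""
    for deny in DENY_ASSIGNMENTS:
        if (deny["principalName"] == principal
                and scope_covers(deny["scope"], resource_id)
                and matches(deny["actions"], operation)):
            return False
    return any(
        ra["principalName"] == principal
        and scope_covers(ra["scope"], resource_id)
        and role_permits(ra["roleDefinitionName"], operation)
        for ra in ROLE_ASSIGNMENTS
    )


if __name__ == "__main__":
    for principal, op, res in [
        ("alice@example.com", "Microsoft.Compute/virtualMachines/start/action", VM),
        ("alice@example.com", "Microsoft.Compute/virtualMachines/start/action", OTHER_VM),
        ("bob@example.com", "Microsoft.Authorization/roleAssignments/write", VM),
        ("bob@example.com", "Microsoft.Compute/virtualMachines/delete", VM),
    ]:
        verdict = "ALLOW" if is_allowed(principal, op, res) else "DENY"
        print(f"{verdict:5} {principal:18} {op:48} {res.rsplit('/', 1)[-1]}")
```

The two Contributor cases are the ones worth remembering: bob can power a VM off (the `*` grant covers it) but cannot write a role assignment, because the `Microsoft.Authorization/*/Write` entry in NotActions removes it from the grant, and he cannot delete vm1 because the deny assignment is checked before any role is consulted.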

Built-in Roles (Key Ones)

Role                          | Permissions
------------------------------|-----------------------------------------------------
Owner                         | Full access including role assignment management
Contributor                   | Create/manage all resources; cannot assign roles
Reader                        | View all resources; no changes
User Access Administrator     | Manage user access; cannot modify resources
Storage Blob Data Owner       | Full access to blob data (RBAC + ACL)
Storage Blob Data Contributor | Read/write/delete blobs
Storage Blob Data Reader      | Read/list blobs
AcrPull                       | Pull images from ACR
AcrPush                       | Push and pull images
Virtual Machine Contributor   | Manage VMs; no VNet/storage access
Network Contributor           | Manage networking resources
Key Vault Secrets Officer     | Read/write secrets; not keys/certs
Managed Identity Operator     | Assign managed identities to resources

Custom Roles

# List role definitions
az role definition list --output table
az role definition list --custom-role-only --output table

# Show a built-in role (to use as template)
az role definition list --name "Contributor" --output json

# Create custom role from JSON
az role definition create --role-definition @custom-role.json

# custom-role.json
{
  "Name": "VM Operator",
  "Description": "Can start, stop, and restart VMs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<sub-id>"
  ]
}

# Update custom role
az role definition update --role-definition @updated-role.json

# Delete custom role
az role definition delete --name "VM Operator"
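Before running `az role definition create`, it is worth linting the JSON for the things a reviewer would reject: wildcard actions, operations that let the holder change access (the `Microsoft.Authorization/*` writes that Contributor deliberately excludes), and an assignable scope of `/`. The Python below is an added example, not the page's tooling or Azure's own validation; it embeds the VM Operator definition from above as a string and adds a constructed over-broad role for contrast.

```python
"""Pre-flight linter for a custom role definition before `az role definition create`.
Added example, not the page's tooling or Azure's own validation: the checks are
least-privilege review points (no wildcards, no access-administration operations,
no tenant-root assignable scope)."""
import fnmatch
import json
from typing import List

# The VM Operator definition from the Custom Roles section, embedded as a string so
# the script runs offline; read a real custom-role.json into `text` the same way.
VM_OPERATOR_JSON = """
{
  "Name": "VM Operator",
  "Description": "Can start, stop, and restart VMs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<sub-id>"
  ]
}
"""

# Constructed counter-example that a reviewer should reject.
OVERLY_BROAD_ROLE = {
    "Name": "Ops Admin",
    "Description": "Constructed example: everything, everywhere",
    "Actions": ["*"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

REQUIRED_FIELDS = ("Name", "Description", "Actions", "AssignableScopes")

# Operations that let the holder change who has access. A role that grants any of
# them is an access administrator in effect, whatever its name says.
ACCESS_ADMIN_OPERATIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)


def granted(role: dict, operation: str) -> bool:
    """Actions minus NotActions, case-insensitive, '*' wildcards, as Azure evaluates it."""
    op = operation.lower()

    def hit(patterns):
        return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))


def lint_role(role: dict) -> List[str]:
    """Return review findings; an empty list means the definition passed every check."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not role.get(field):
            findings.append(f"missing or empty '{field}'")
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append(f"wildcard action '{action}': list the exact operations instead")
    for op in ACCESS_ADMIN_OPERATIONS:
        if granted(role, op):
            findings.append(f"grants {op}: holder can change access; exclude it in NotActions or drop it")
    for scope in role.get("AssignableScopes", []):
        if scope.strip("/") == "":
            findings.append("AssignableScopes contains '/': role becomes assignable at tenant root")
        elif not (scope.startswith("/subscriptions/")
                  or scope.startswith("/providers/Microsoft.Management/managementGroups/")):
            findings.append(f"unrecognised assignable scope '{scope}'")
    return findings


def lint_role_json(text: str) -> List[str]:
    """Convenience wrapper for a JSON document such as the contents of custom-role.json."""
    return lint_role(json.loads(text))


if __name__ == "__main__":
    for label, result in [("VM Operator", lint_role_json(VM_OPERATOR_JSON)),
                          ("Ops Admin", lint_role(OVERLY_BROAD_ROLE))]:
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

VM Operator passes with no findings; the constructed Ops Admin role produces five (the wildcard, the three access-administration operations it implicitly grants, and the root scope). The `granted` helper applies the same Actions-minus-NotActions rule Azure uses, so a role that lists `*` but excludes `Microsoft.Authorization/*/Write` in NotActions is correctly not flagged for role-assignment writes.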

Azure Policy

# List all policy definitions
az policy definition list --output table

# List built-in policies
az policy definition list --query "[?policyType=='BuiltIn'].{Name:displayName, ID:name}" -o table | head -20

# Show a specific policy (--name takes the definition name, which is a GUID for built-ins, not the display name)
az policy definition show --name "1e30110a-5ceb-460c-a204-c1c3969c6d62"

# Assign a built-in policy (require tag)
az policy assignment create \
  --name "require-env-tag" \
  --display-name "Require environment tag" \
  --policy "1e30110a-5ceb-460c-a204-c1c3969c6d62" \
  --scope "/subscriptions/<sub-id>/resourceGroups/myRG" \
  --params '{"tagName": {"value": "environment"}}'

# Assign with enforcement mode disabled (audit only)
az policy assignment create \
  --name "audit-env-tag" \
  --policy "1e30110a-5ceb-460c-a204-c1c3969c6d62" \
  --scope "/subscriptions/<sub-id>" \
  --enforcement-mode DoNotEnforce

# List assignments in a scope
az policy assignment list \
  --scope "/subscriptions/<sub-id>" \
  --output table

# Delete assignment
az policy assignment delete \
  --name "require-env-tag" \
  --scope "/subscriptions/<sub-id>/resourceGroups/myRG"

# Create policy initiative (policy set)
az policy set-definition create \
  --name "my-initiative" \
  --display-name "My Compliance Initiative" \
  --definitions @initiative-definitions.json

# Trigger compliance evaluation
az policy state trigger-scan \
  --resource-group myRG

# Check compliance state
az policy state list \
  --resource-group myRG \
  --filter "complianceState eq 'NonCompliant'" \
  --output table
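The two assignments above differ only in scope and enforcement mode, and the difference matters: an enforced `deny` rejects a non-compliant create or update, while `DoNotEnforce` records the same resources as NonCompliant without blocking anything, and in both cases resources that already exist are only reported. The Python below is an added example (not from the page) that evaluates those two assignments offline against constructed resources; the policy rule mirrors the built-in "Require a tag on resources" definition, and the subscription id, resources and evaluator are constructed.

```python
"""Offline model of Azure Policy evaluation for the page's two assignments of the
built-in 'Require a tag on resources' definition: one enforced at resource-group
scope, one at subscription scope with enforcement mode DoNotEnforce.
Added example; the resources and the evaluator are constructed."""
import re
from typing import List, Optional

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/myRG"
OTHER_RG = SUB + "/resourceGroups/otherRG"

# Built-in definition 1e30110a-5ceb-460c-a204-c1c3969c6d62, reduced to its rule.
REQUIRE_TAG = {
    "name": "1e30110a-5ceb-460c-a204-c1c3969c6d62",
    "displayName": "Require a tag on resources",
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# The two assignments from this section, with enforcementMode as the CLI reports it
# ('Default' unless --enforcement-mode DoNotEnforce was given).
ASSIGNMENTS = [
    {"name": "require-env-tag", "scope": RG, "enforcementMode": "Default",
     "parameters": {"tagName": {"value": "environment"}}},
    {"name": "audit-env-tag", "scope": SUB, "enforcementMode": "DoNotEnforce",
     "parameters": {"tagName": {"value": "environment"}}},
]

# Constructed resources: one tagged, two missing the tag, one of them outside myRG.
RESOURCES = [
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/tagged01", "tags": {"environment": "prod"}},
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/untagged01", "tags": {}},
    {"id": OTHER_RG + "/providers/Microsoft.Compute/virtualMachines/vm2", "tags": {}},
]

# Pieces of a concat(...) expression: a quoted literal or a parameters('name') reference.
_CONCAT_PART = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve_field(expr: str, params: dict) -> str:
    """Resolve the concat()/parameters() template expression used by the built-in rule."""
    if expr.startswith("[concat(") and expr.endswith(")]"):
        inner = expr[len("[concat("):-2]
        return "".join(params[name]["value"] if name else lit
                       for lit, name in _CONCAT_PART.findall(inner))
    return expr


def condition_holds(cond: dict, resource: dict, params: dict) -> bool:
    """Only the 'exists' operator on a tags[...] field is modelled here."""
    field = resolve_field(cond["field"], params)
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if not m or "exists" not in cond:
        raise NotImplementedError(f"unsupported condition: {cond}")
    present = m.group(1) in resource.get("tags", {})
    return present == (str(cond["exists"]).lower() == "true")


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and everything beneath it."""
    parent, child = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def evaluate(assignment: dict, definition: dict, resource: dict) -> Optional[dict]:
    """A compliance record like one row of `az policy state list`, or None if out of scope."""
    if not scope_covers(assignment["scope"], resource["id"]):
        return None
    rule = definition["policyRule"]
    noncompliant = condition_holds(rule["if"], resource, assignment["parameters"])
    effect = rule["then"]["effect"].lower()
    return {
        "resourceId": resource["id"],
        "policyAssignmentName": assignment["name"],
        "complianceState": "NonCompliant" if noncompliant else "Compliant",
        # deny only rejects new create/update requests, and only when enforced;
        # existing non-compliant resources are reported, not removed.
        "wouldBlockRequest": noncompliant and effect == "deny"
                             and assignment["enforcementMode"] == "Default",
    }


def compliance_report(assignments, definition, resources) -> List[dict]:
    """Every in-scope (assignment, resource) pair, in the order the CLI would list them."""
    return [rec for a in assignments for res in resources
            if (rec := evaluate(a, definition, res)) is not None]


def noncompliant(report: List[dict]) -> List[dict]:
    """Equivalent of --filter \"complianceState eq 'NonCompliant'\"."""
    return [rec for rec in report if rec["complianceState"] == "NonCompliant"]


if __name__ == "__main__":
    for rec in compliance_report(ASSIGNMENTS, REQUIRE_TAG, RESOURCES):
        flag = "would block" if rec["wouldBlockRequest"] else "report only"
        print(f"{rec['policyAssignmentName']:16} {rec['complianceState']:13} {flag:12} {rec['resourceId'].rsplit('/', 1)[-1]}")
```

The report shows untagged01 as NonCompliant under both assignments but blocked only by `require-env-tag`, and vm2 in otherRG as NonCompliant under `audit-env-tag` alone, because the enforced assignment's scope stops at myRG.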

Resource Locks

# Create a read-only lock on a resource group
az lock create \
  --name "ReadOnlyLock" \
  --resource-group myRG \
  --lock-type ReadOnly \
  --notes "Prevents changes to production"

# Create a delete lock on a resource group
az lock create \
  --name "DeleteLock" \
  --resource-group myRG \
  --lock-type CanNotDelete

# Create lock on specific resource
az lock create \
  --name "ProdVNetLock" \
  --resource-group myRG \
  --resource-type Microsoft.Network/virtualNetworks \
  --resource myVNet \
  --lock-type CanNotDelete

# List locks
az lock list --resource-group myRG --output table
az lock list --output table    # all locks in subscription

# Delete lock
az lock delete \
  --name "DeleteLock" \
  --resource-group myRG

# PowerShell equivalents (Az module)
New-AzResourceLock -LockName "DeleteLock" -LockLevel CanNotDelete -ResourceGroupName "myRG"
Get-AzResourceLock -ResourceGroupName "myRG"
Remove-AzResourceLock -LockName "DeleteLock" -ResourceGroupName "myRG"
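Locks sit outside RBAC: a CanNotDelete lock on myRG stops an Owner from deleting anything in the group until the lock itself is removed, and a ReadOnly lock blocks updates as well. The Python below is an added example (not from the page) that works out which locks stop a given operation on a given resource, using the inheritance rule from the Key Facts table; the subscription id, lock names and resources are constructed.

```python
"""Offline model of Azure resource lock semantics: ReadOnly blocks writes and
deletes, CanNotDelete blocks deletes only, and a lock applies to everything
beneath its scope regardless of the caller's RBAC role (an Owner is blocked too,
until the lock is removed). Added example; locks and ids are constructed."""
from typing import List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/myRG"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/myVNet"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed locks in the shape of `az lock list -o json` entries, with the scope
# taken from each lock's own resource id.
LOCKS = [
    {"name": "DeleteLock", "level": "CanNotDelete", "scope": RG},
    {"name": "VNetReadOnly", "level": "ReadOnly", "scope": VNET},
]

# Which of the three operation classes each lock level refuses.
BLOCKED_BY_LEVEL = {
    "ReadOnly": {"write", "delete"},
    "CanNotDelete": {"delete"},
}


def scope_covers(lock_scope: str, resource_id: str) -> bool:
    """Locks are inherited: a lock on a resource group covers every resource in it."""
    parent = lock_scope.lower().rstrip("/")
    child = resource_id.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def blocking_locks(operation: str, resource_id: str) -> List[str]:
    """Names of every lock that refuses `operation` ('read', 'write' or 'delete')."""
    if operation not in ("read", "write", "delete"):
        raise ValueError(f"unknown operation class: {operation}")
    return sorted(
        lock["name"] for lock in LOCKS
        if scope_covers(lock["scope"], resource_id)
        and operation in BLOCKED_BY_LEVEL[lock["level"]]
    )


if __name__ == "__main__":
    for op, res in [("delete", VM), ("write", VM), ("write", VNET), ("delete", VNET), ("delete", RG)]:
        who = blocking_locks(op, res)
        print(f"{op:6} {res.rsplit('/', 1)[-1]:8} {'blocked by ' + ', '.join(who) if who else 'allowed'}")
```

Deleting myVNet is refused by both locks at once, so both have to be removed before the delete goes through. One caveat worth knowing when choosing ReadOnly: some read-looking operations are POST requests and are blocked by it, listing storage account keys being the usual surprise.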

Management Groups

# Create management group
az account management-group create \
  --name "myMG" \
  --display-name "Production Workloads"

# Create as child of another MG
az account management-group create \
  --name "myChildMG" \
  --parent "myMG"

# List management groups
az account management-group list --output table

# Show hierarchy
az account management-group show --name "myMG" --expand --recurse

# Move subscription into management group
az account management-group subscription add \
  --name "myMG" \
  --subscription "<subscription-id>"

# Remove subscription from MG
az account management-group subscription remove \
  --name "myMG" \
  --subscription "<subscription-id>"

Subscriptions

# List subscriptions
az account list --output table

# Show current subscription
az account show

# Get subscription ID
az account show --query id -o tsv

# Rename subscription
az account subscription rename \
  --id "<subscription-id>" \
  --name "New Subscription Name"

# Create a resource group in a different subscription
az group create \
  --name myRG \
  --location eastus \
  --subscription "<subscription-id>"

Cost Management

# Show usage details for a billing period (requires Billing Reader role)
az consumption usage list \
  --billing-period-name 202401 \
  --output table

# Get budget list (budgets live under `az consumption`, not `az monitor`)
az consumption budget list --output table

# Create a budget alert at $500
az consumption budget create \
  --budget-name "MonthlyBudget" \
  --amount 500 \
  --category cost \
  --time-grain monthly \
  --start-date 2025-01-01 \
  --end-date 2025-12-31 \
  --resource-group myRG

Service Principals

# Create a service principal (creates app registration + SP)
az ad sp create-for-rbac \
  --name "my-sp" \
  --role Contributor \
  --scopes /subscriptions/<sub-id>/resourceGroups/myRG

# Output includes appId, password, tenant — save the password! It won't be shown again

# List service principals
az ad sp list --filter "displayName eq 'my-sp'" --output table

# Get SP object ID
az ad sp show --id <app-id> --query id -o tsv

# Reset credentials
az ad sp credential reset --id <app-id>

# Delete SP and app registration
az ad sp delete --id <app-id>

Key Facts for AZ-104

Concept                | Detail
-----------------------|-----------------------------------------------------------
RBAC scope inheritance | MG → Subscription → RG → Resource
Deny assignments       | Deny takes precedence over allow; can't create manually
ReadOnly lock          | Blocks writes and deletes; allows reads
CanNotDelete lock      | Allows modify; blocks delete
Lock inheritance       | Child resources inherit parent locks
Policy effect          | Deny, Audit, Append, Modify, DeployIfNotExists
Initiative             | Group of policies deployed together
Management group       | Apply policies/RBAC across multiple subscriptions
Root MG                | Tenant root group; all subscriptions are descendants
Scope order            | Role assigned at higher scope applies to lower scopes
