These are the objects composing the ARM security model in Azure:

The Azure Active Directory tenant contains:

  • Users
  • Groups
  • Applications.

Each of these is an AD object that can be the principal in a role assignment.

An Azure account contains subscriptions. Subscriptions contain resource groups. Resource groups contain resources. Each of these (subscriptions, resource groups and resources) is a scope that can be part of a role assignment, and each can be locked.

Resources are of a certain resource type (e.g. API management, webapps, Vnet, etc.).

  • Types have operations (e.g. create web app, delete api management instance, edit vnet properties, read vm configuration, etc.).
  • Operations can be aggregated into roles (e.g. API management contributor).

A role assignment assigns

  • 1 role
  • to 1 AD object
  • to 1 scope.

E.g., “API management contributor” to “Futurax Admins” on Resource group “Futurax-Smartphone-App-Dev”.

Role assignments are inherited from a scope by its sub-scopes, e.g. if you are granted contributor permission at the resource group level, you also have it on every resource in that resource group. Inherited role assignments can be removed, e.g. if you have contributor permission at the resource group level, someone can remove your contributor access to a resource contained in that resource group.

Any scope can be locked. Locks can override update or delete permissions on a given scope. There are two types of locks:

  • Delete - no one can delete the resource while the lock is present, even if that user has delete permissions
  • Read-only - no one can delete or update the resource while the lock is present, even if the user has the appropriate permissions.

Locks can be added or removed by any user who has the Microsoft.Authorization/locks/write and Microsoft.Authorization/locks/delete permissions on the corresponding scope.
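As an added example (not part of the original note), the following Python models the three rules above: a role assignment binds one role to one AD object at one scope, assignments are inherited by sub-scopes but not by parent scopes, and a lock overrides update/delete even when the role grants them. The role contents, subscription id, group membership and resource names are constructed for illustration; the example additionally assumes that a lock on a parent scope applies to its sub-scopes.

```python
from dataclasses import dataclass

# Roles aggregate operations; the contents below are a constructed subset.
ROLES = {
    "API Management Service Contributor": {
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.ApiManagement/service/delete",
    },
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str       # 1 role
    principal: str  # 1 AD object (user, group or application)
    scope: str      # 1 scope (subscription, resource group or resource)

@dataclass(frozen=True)
class Lock:
    scope: str
    kind: str       # "Delete" or "ReadOnly"

def covers(parent: str, child: str) -> bool:
    """A scope covers itself and every sub-scope under it (inheritance)."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def is_allowed(principal, operation, scope, assignments, locks, groups):
    """Return (allowed, reason) for one principal doing one operation on one scope."""
    identities = {principal} | {g for g, m in groups.items() if principal in m}
    granted = any(a.principal in identities and covers(a.scope, scope)
                  and operation in ROLES[a.role] for a in assignments)
    if not granted:
        return False, "no role assignment grants this operation at this scope"
    # Locks override update/delete even when the role grants them (assumption: a parent-scope lock is inherited).
    action = operation.rsplit("/", 1)[-1]
    for lock in locks:
        if covers(lock.scope, scope) and (
            (lock.kind == "Delete" and action == "delete")
            or (lock.kind == "ReadOnly" and action in ("write", "delete"))):
            return False, f"{lock.kind} lock at {lock.scope}"
    return True, "granted"

# Constructed sample: the assignment from the note plus a Delete lock on one resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/Futurax-Smartphone-App-Dev"
APIM = RG + "/providers/Microsoft.ApiManagement/service/futurax-apim"
ASSIGNMENTS = [RoleAssignment("API Management Service Contributor", "Futurax Admins", RG)]
LOCKS = [Lock(APIM, "Delete")]
GROUPS = {"Futurax Admins": {"alice@futurax.example"}}
```

Running `is_allowed("alice@futurax.example", "Microsoft.ApiManagement/service/delete", APIM, ASSIGNMENTS, LOCKS, GROUPS)` is denied by the lock although the inherited role grants delete, while the same call with an empty lock list is granted.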