9 lines
671 B
Plaintext
9 lines
671 B
Plaintext
Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources called "scope".
|
|
|
|
The widest scopes a role can be assigned to are:
|
|
|
|
* Subscription: a role assigned with this scope grants access to all resources of this Subscription.
|
|
* Management Group: a scope assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.
|
|
|
|
In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest scope possible helps separate duties and limits what resources are at risk.
|