👨‍🦱 💬 Role (role definition) is a collection of actions that the assigned identity will be able to perform on Azure resources.

👨‍🦱 💬 Role definition is an answer to the question “What can be done?”

👨‍🦱 💬 A Scope is one or more Azure resources that the access applies to.

👨‍🦱 💬 Security Principal is an Azure object (identity) that can be assigned to a role (ex. users, groups or application/service objects like service principals, or managed identities).

👨‍🦱 💬 Role assignment is a combination of the role definition, security principal, and scope.

👨‍🦱 💬 Scope assignment is an answer to the question “Where can it be done?”

👨‍🦱 💬 Security Principal assignment is an answer to the question “Who can do it?”

👨‍🦱 💬 Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

👨‍🦱 💬 A Scope can be applied to any Azure Resource Manager (ARM) governed object. So it includes management groups, subscriptions, resource groups, and individual resources.

👨‍🦱 💬 C > B > A > E > D is the proper order. You need to navigate to a resource for which you want to assign permissions and open access control blade (this will be your scope). Then you need to select add role assignment button and select user/group and/or application and a role definition. And finish by clicking on the save button.

👨‍🦱 💬 In order to view all resources on Azure subscription, Jessica will need a reader role applied to the scope of the entire subscription AZ-SUB-01. In order to allow full access to Jessica on a specific resource group, she needs to be granted another role, in this case, owner role to allow her full access on the AZ-ADMIN-RG resource group

👨‍🦱 💬 A Website Contributor role is much less privileged than an Owner as it’s only targeting Azure Websites. So this role should be our priority. The Creation of Azure AD group will reduce maintenance and role assignment effort by having to do it only once for entire group. Applying the role to a specific Azure App Service ensures that the developers have access only to the target app service. If applied on resource group level developers would have access to other app services in that group too.