Tag Archives: Resource Group

#Azure – Resource groups, Access control (IAM)

Resource groups in Microsoft Azure is a logical container and help customers to manage multiple resources in constructive manner. When you deploy multiple resources in a logical container then it is necessary to consider the security measures as well. Resource groups provide an option to manage the access control through Access control (IAM).

It offers multiple pre-defined RBAC (role based access control) roles. When you create a new subscription first time in Microsoft Azure, by default azure creates and associates it with an automatically created azure active directory. For example if I create my subscription with email address xyz@hotmail.com then an azure active directory with xyzhotmail will be created in the background. Going forward you can add multiple subscriptions into it.

However, once you are logged in to the Microsoft Azure then you can switch between the directories if you have multiple. But keep a note in your mind that one subscription belongs to only one directory in azure while one directory can belongs to multiple subscription.

RBAC roles can be assigned to the users and groups that are part of the associated azure active directory. Groups can be created in azure active directory while users either can be created in azure active directory or can be associated with their public email addresses.

Here is the list and their one line descriptions provided by Microsoft Azure.

Role name


API Management Service Contributor

Can manage API Management service and the APIs

API Management Service Operator Role

Can manage API Management service, but not the APIs themselves

API Management Service Reader Role

Read-only access to API Management service and APIs

Application Insights Component Contributor

Can manage Application Insights components

Automation Operator

Able to start, stop, suspend, and resume jobs

Backup Contributor

Can manage backup in Recovery Services vault

Backup Operator

Can manage backup except removing backup, in Recovery Services vault

Backup Reader

Can view all backup management services

Billing Reader

Can view all billing information

BizTalk Contributor

Can manage BizTalk services

ClearDB MySQL DB Contributor

Can manage ClearDB MySQL databases


Can manage everything except access.

Data Factory Contributor

Can create and manage data factories, and child resources within them.

DevTest Labs User

Can view everything and connect, start, restart, and shutdown virtual machines

DNS Zone Contributor

Can manage DNS zones and records

Azure Cosmos DB Account Contributor

Can manage Azure Cosmos DB accounts

Intelligent Systems Account Contributor

Can manage Intelligent Systems accounts

Logic App Contributor

Can manage all aspects of a Logic App, but not create a new one.

Logic App Operator

Can start and stop workflows defined within a Logic App.

Monitoring Reader

Can read all monitoring data

Monitoring Contributor

Can read monitoring data and edit monitoring settings

Network Contributor

Can manage all network resources

New Relic APM Account Contributor

Can manage New Relic Application Performance Management accounts and applications


Can manage everything, including access


Can view everything, but can’t make changes

Redis Cache Contributor

Can manage Redis caches

Scheduler Job Collections Contributor

Can manage scheduler job collections

Search Service Contributor

Can manage search services

Security Manager

Can manage security components, security policies, and virtual machines

Site Recovery Contributor

Can manage Site Recovery in Recovery Services vault

Site Recovery Operator

Can manage failover and failback operations Site Recovery in Recovery Services vault

Site Recovery Reader

Can view all Site Recovery management operations

SQL DB Contributor

Can manage SQL databases, but not their security-related policies

SQL Security Manager

Can manage the security-related policies of SQL servers and databases

SQL Server Contributor

Can manage SQL servers and databases, but not their security-related policies

Classic Storage Account Contributor

Can manage classic storage accounts

Storage Account Contributor

Can manage storage accounts

Support Request Contributor

Can create and manage support requests

User Access Administrator

Can manage user access to Azure resources

Classic Virtual Machine Contributor

Can manage classic virtual machines, but not the virtual network or storage account to which they are connected

Virtual Machine Contributor

Can manage virtual machines, but not the virtual network or storage account to which they are connected

Classic Network Contributor

Can manage classic virtual networks and reserved IPs

Web Plan Contributor

Can manage web plans

Website Contributor

Can manage websites, but not the web plans to which they are connected

Source: Microsoft

Now, you should know how the permission works here. There are three basic RBAC roles that apply to all resource types.

Owner: As suggested by name itself, full access to all the resources and has rights to manage the delegation for others.

Contributor: who can read, write/create and manage but can’t delegate rights to others.

Reader: who can view existing resources but can’t make any changes.

Now, let’s look at the inheritance of the resources. Same as other Microsoft technologies, permission inheritance works in a downwards manner here.

It means Subscription à Resource groups à Resources.

If pre-defined RBAC roles do not fulfill your requirement then you can create your own custom roles through Azure PowerShell, Azure CLI and the Rest API.

#Azure – Resource Group

Microsoft Azure is one of the leading cloud platform and growing continuously. This post will cover the resource group concept, which is integral part of any resource in Azure IaaS. Microsoft Azure platform has been spread across multiple geographical locations and once you create any resource in MS Azure IaaS, basically it belongs to a particular region that you had selected at the time of deployment.

In layman’s language, resource group is nothing but it is just like a logical container that makes your life easier after deployment of multiple resources. Let’s take an example of virtual machine. When you create a virtual machine, you can observe that it is a combination of multiple resources such as compute, storage, networking etc. In case of traditional datacenter you can touch and feel these items but in case of virtual machine you can presume that your cpu cores and memory is your compute, virtual hard disks are your storage and virtual networks are your networking components. As you know each resource in a virtual machine gives complement to another resource and for us it is advisable to keep all of them in a single pool for better interaction. Once you create these resources such as storage account or virtual network, you specify a resource group and location. If you have an existing resource group then the location will be selected by default as per the resource group.

Now, let’s discuss the same thing in technical language. A resource groups allows you to create and manage multiple resources in a single container so that you can manage them easily by grouping them together. A resource group facilitates that all the resources in a resource group belongs to same region, where the resource group was located but you can still change the resource location if you want. This feature make sure that multiple resources are located nearby to each other to provide better performance. With the help of resource group, you can easily deploy, update, and delete multiple resources within the resource group by a single or few clicks. Resource group provides you an ability to secure your resources by configuring user and administrator roles through “Access control (IAM)”. There are many other cool features such as policies, monitoring etc. that you can explore by playing with it.

Therefore now let’s see how to create a resource group.

Go to the https://portal.azure.com and click on “Resource groups”.

Click on “Add” to create a new resource group.

Fill the required information such as “Resource group name”, select “Subscription” and select “Resource group location”.

Once resource group has been created, you can see multiple options such as “Access control”, “Resource costs”, “Policies” etc.

To understand better, you can take an example of cluster/pool. Multiple components such as VMs, storage pools and virtual networks make a single cluster/pool and if you need to manage these multiple components, it is better always to keep them in a single place called resource group so that you can have a single view from the application point of view such as cluster manger and from the baseline infrastructure point of view as well that is resource group. Now, you should start playing with it to learn more about each option given under resource group.