Before Lab 1.1 — Identity and RBAC Primer
In this first lab, you will inspect an Azure environment and look for excessive access.
Before you start, you only need three concepts:
identity
role
scope
Identity
An identity is something that can receive access. That identity can be a person, but it can also be an application, script, pipeline or cloud service.
| Identity type | Example |
|---|---|
| Human identity | A developer or student account |
| Group | A team or role-based group |
| Service principal | An application identity used by automation |
| Managed identity | An Azure-managed identity attached to a resource |
A backend application can have its own identity. This allows the application to access Azure resources without storing usernames or passwords in code.
Managed identity
A managed identity is an identity managed by Azure and attached to an Azure resource.
For example:
Backend App Service
→ has a managed identity
→ uses that identity to access other Azure resources
When the managed identity is enabled, Azure registers a service principal for it in Microsoft Entra ID; the object (principal) ID of that service principal is what role assignments refer to. Selecting Azure role assignments on the identity shows which roles this principal ID currently holds.
Info
We don't have access to Microsoft Entra ID if the Tenant doesn't allow it (which is true in my case).
Role assignment
Azure RBAC uses role assignments.
A role assignment combines:
identity + role + scope
Conditions
A role assignment can also carry a condition that restricts when the role applies. This is the basis of attribute-based access control (ABAC); more on that later.
Example:
Backend managed identity
+ Owner
+ Resource group
This means:
This backend identity receives the Owner role at resource group scope.
Scope
Scope defines where the permission applies.
A role assigned at a higher scope applies to resources below it.
For example, a role assigned at resource group scope can affect resources inside that resource group.
What to look for in Lab 1.1
During the lab, investigate:
- which resources exist
- which identity belongs to the backend application
- which roles are assigned
- at which scope the roles are assigned
- whether an assignment looks broader than necessary
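The checks above (which identity, which role, which scope, and whether the assignment is broader than needed) can be done by hand in the portal, but they are easier to reason about on the raw data. The script below is an added example written for this primer, not part of the lab material or an official Microsoft tool. It assumes the JSON shape printed by `az role assignment list --all --output json` (the fields `principalType`, `principalName`, `roleDefinitionName`, `scope` and `condition`), uses constructed sample records (placeholder subscription ID, resource group `rg-lab11`, a hypothetical `backend-app-identity`), and shows two things: which roles are in force at a given resource once inheritance down the scope hierarchy is taken into account, and which assignments give a privileged role above resource scope.

```python
"""Inspect Azure role assignments for scope inheritance and over-broad access.

Added example for the Lab 1.1 primer (not part of the lab material).
Input follows the JSON printed by `az role assignment list --all --output json`;
the records below are constructed for illustration.
"""
import json
import sys

# Constructed scopes: a placeholder subscription, one resource group, one storage account.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-lab11"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stlab11data"

# Roles that grant write or access-management rights; treated as privileged here.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample output. Note that a managed identity is reported by the CLI
# with principalType "ServicePrincipal", because that is what it is in Entra ID.
SAMPLE_OUTPUT = json.dumps([
    {"principalType": "ServicePrincipal", "principalName": "backend-app-identity",
     "roleDefinitionName": "Owner", "scope": RG, "condition": None},
    {"principalType": "ServicePrincipal", "principalName": "backend-app-identity",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE, "condition": None},
    {"principalType": "User", "principalName": "student@example.com",
     "roleDefinitionName": "Reader", "scope": SUB, "condition": None},
])


def load_assignments(raw_json):
    """Parse the JSON array produced by `az role assignment list`."""
    return json.loads(raw_json)


def scope_level(scope):
    """Classify a scope string by where it sits in the hierarchy."""
    s = scope.lower().rstrip("/")
    if s == "":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management-group"
    parts = s.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"


def scope_covers(assignment_scope, target_scope):
    """A role assigned at a scope applies to that scope and everything below it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, target_scope):
    """Every (principal, role) pair in force at target_scope, inherited ones included."""
    return sorted({(a["principalName"], a["roleDefinitionName"])
                   for a in assignments if scope_covers(a["scope"], target_scope)})


def find_broad_assignments(assignments):
    """Flag unconditional privileged roles assigned above resource scope.

    Non-human identities matter most: a backend holding Owner on a resource group can
    create, delete and re-permission everything in it, far more than an app usually needs.
    """
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES or level == "resource":
            continue
        if a.get("condition"):
            continue  # conditional (ABAC) assignment: review the condition separately
        findings.append({
            "principalName": a["principalName"],
            "principalType": a["principalType"],
            "role": a["roleDefinitionName"],
            "scopeLevel": level,
            "scope": a["scope"],
            "severity": "high" if a["principalType"] == "ServicePrincipal" else "medium",
        })
    return findings


if __name__ == "__main__":
    # Pass a file saved from `az role assignment list --all --output json`, or use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    data = load_assignments(raw)
    for f in find_broad_assignments(data):
        print(f"[{f['severity']}] {f['principalType']} {f['principalName']} has "
              f"{f['role']} at {f['scopeLevel']} scope: {f['scope']}")
    print(f"Roles in force at {STORAGE}:")
    for principal, role in effective_roles(data, STORAGE):
        print(f"  {principal}: {role}")
```

On the sample data the script reports the backend identity's Owner assignment at resource-group scope as a high-severity finding, while its Storage Blob Data Reader role on the single storage account is left alone; at the storage account it also lists the student's subscription-level Reader role, which is inherited rather than assigned there. That is exactly the distinction Lab 1.1 asks you to document: where a role was assigned versus where it takes effect.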
Lab focus
In Lab 1.1, do not fix anything yet.
Your goal is to observe, document and explain.
Check before starting
You should be able to answer these questions before starting the lab:
- What is a managed identity?
- What are the three parts of a role assignment?
- Why does scope matter?
Lab File
Tips
In some cases you might want to change --output table to --output json for more details.