Before Lab 1.1 — Identity and RBAC Primer

Mitch Mommers18/05/2026About 2 min

In this first lab, you will inspect an Azure environment and look for excessive access.

Before you start, you only need three concepts:

identity
role
scope

Identity

An identity is something that can receive access.

That identity can be a person, but it can also be an application, script, pipeline or cloud service.

Identity type	Example
Human identity	A developer or student account
Group	A team or role-based group
Service principal	An application identity used by automation
Managed identity	An Azure-managed identity attached to a resource

A backend application can have its own identity.

This allows the application to access Azure resources without storing usernames or passwords in code.

A managed identity is an identity managed by Azure and attached to an Azure resource.

For example:

Backend App Service
→ has a managed identity
→ uses that identity to access other Azure resources

Screenshot suggestion

Add a screenshot of the backend App Service identity page.

Suggested screenshot:

Azure Portal → App Service → Identity

Show that the system-assigned managed identity is enabled.

Try to include:

Azure RBAC uses role assignments.

A role assignment combines:

identity + role + scope

Example:

Backend managed identity
+ Contributor
+ Resource group

This means:

This backend identity receives the Contributor role at resource group scope.

Scope defines where the permission applies.

A role assigned at a higher scope applies to resources below it.

For example, a role assigned at resource group scope can affect resources inside that resource group.

During the lab, investigate:

Lab focus

In Lab 1.1, do not fix anything yet.

Your goal is to observe, document and explain.

You should be able to answer these questions before starting the lab: