What is RBAC Baseline in Azure Landing Zone?

 What is RBAC Baseline in Azure Landing Zone?

  • In simple terms, an RBAC baseline is the default set of access roles and assignments that you apply across your Azure environment to ensure least privilege and role separation from day one.
  • It’s not “every possible role” → it’s a starting point (baseline) that enforces good access hygiene for the Landing Zone.
  • It defines who can do what, where, and at which scope (Management Group, Subscription, Resource Group).

 

RBAC Baseline Structure (CAF-aligned)

The baseline is typically built around role separation at 3 levels:

1. Platform Roles (manage the Landing Zone itself)

  • Platform Owner → Full control over the platform layer (network hub, security, identity integration).
  • Platform Contributor → Deploy/manage infra, but no rights to IAM.
  • Platform Reader → Audit and monitor only.

2. Workload/Application Roles (for business apps in spokes)

  • App Owner → Control over app resources in their own RG/spoke only.
  • App Contributor → Can deploy/manage, but no IAM rights.
  • App Reader → Read-only access for troubleshooting/monitoring.

3. Security & Governance Roles

  • Security Reader → Read security configurations across all scopes.
  • Security Operator → Can manage security configurations (e.g., Defender settings).
  • Policy Contributor → Can assign/update Azure Policies.
  • Billing Reader / Cost Management Contributor → For finance/cost teams.

 

 

Scope

Role

Who gets it

Tenant Root MG

Global Administrator (Entra ID)

Central IT only

Management Groups

Owner/Contributor (limited)

Platform team

Subscriptions (Platform)

Owner

Cloud Platform Team

Subscriptions (Workload)

Contributor

App Teams

Resource Groups

Owner/Contributor

App Owners/Developers (only in their RG)

All scopes

Reader

Security/Compliance team for visibility

Cost Management

Billing Reader / Cost Management Contributor

Finance/Procurement

 

 

Guiding Principles to Follow

  1. Least Privilege → Nobody gets more rights than they need (no “Owner” for developers).
  2. Role Separation → Platform vs App vs Security teams must be separated.
  3. Scoped Access → Assign roles at smallest scope possible (RG > Subscription > MG).
  4. Break-Glass Accounts → Keep 1–2 emergency Owner accounts at tenant root, protected with MFA/PIM.
  5. Use PIM (Privileged Identity Management) → For all elevated roles (Owner, Contributor).
  6. Standardize Assignments → Enforce via Azure Policy (e.g., deny assignments outside of MG/Subscription).
  7. Use Groups not Users → Assign RBAC to Entra ID groups (Cloud-Platform-Admins, App-Team1-Contributors, etc.), not directly to users.

 

Example: RBAC Baseline in a Landing Zone

  • Platform Subscription:
    • Platform-Admins → Owner
    • Platform-Ops → Contributor
    • Security-Ops → Security Reader
  • Workload Subscription (e.g., HR App):
    • HR-App-Team → Contributor (only in HR RG)
    • Security-Team → Reader (all RGs)
    • Finance-Team → Cost Management Reader

 

Conclusion:
An RBAC Baseline ensures secure, governed, and segregated access in your Landing Zone from day one. It avoids the “everyone is Owner everywhere” chaos, and lays the foundation for policy-based governance and PIM enforcement.

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

What is RBAC Baseline in Azure Landing Zone?

  What is RBAC Baseline in Azure Landing Zone? In simple terms, an RBAC baseline is the default set of access roles and assignments...

  • Terraform - random_id
    This is a great resource type which you can utilize for the resources names which require unique name or strings for .e.g Storage account o...
  • Azure VM Disk Caching
    Azure VM Disk types : there are 3 types of disk used with Azure VM's OS Disk - azure automatically attaches a vhd for the OS when...
  • Create VM option is Grayed out - Azure Disk
    Well this was fun , We could easily create VM from Portal if we have disk already & i have done it so many times until i encounter this...