Azure Identity & RBAC

Implement Role-Based Access Control and Managed Identities.

Details

Language / Topic
Microsoft Azure (azure-cloud)
Category
Security

Rules

balanced
- Use Managed Identities (system- or user-assigned) for Azure service-to-service authentication: no stored credentials, so there are no secrets to rotate or leak.
- Apply least-privilege RBAC: assign built-in roles at the narrowest scope possible (resource > resource group > subscription); prefer resource-level over resource-group-level assignments.
- Use Azure AD Conditional Access policies to enforce MFA, device compliance, and location restrictions.
- Review role assignments regularly with Azure AD Access Reviews; remove stale permissions.
- Use Privileged Identity Management (PIM) for just-in-time elevation of privileged roles.
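The scope and role rules above can be checked mechanically against an export of role assignments. The script below is an added example, not part of the original rule set: it classifies each assignment's scope (management group, subscription, resource group, or resource), then flags privileged built-in roles granted at subscription scope or broader, workload identities (managed identities appear as `ServicePrincipal`) that are not scoped to a single resource, and users holding a privileged role as a standing rather than PIM-eligible assignment. The field names (`principalName`, `principalType`, `roleDefinitionName`, `scope`) follow the JSON that `az role assignment list` returns; the records themselves are constructed, and the subscription id is a placeholder.

```python
"""Audit Azure role assignments for least-privilege violations.

Added example for the rules above (not the page's own tooling).  Input records
mirror the shape of `az role assignment list` output; the sample data below is
constructed and uses a placeholder subscription id.
"""
import re

# Scope classes, broadest first.  Azure scopes are resource-ID prefixes, so a
# regex on the ID string is enough to tell which level an assignment applies to.
SCOPE_PATTERNS = [
    ("managementGroup",
     re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resourceGroup", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource",
     re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+$", re.I)),
]
# Lower rank = broader scope.
SCOPE_RANK = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}

# Built-in roles that grant broad write or access-management rights.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an Azure scope string into one of the SCOPE_RANK levels."""
    for level, pattern in SCOPE_PATTERNS:
        if pattern.match(scope):
            return level
    raise ValueError(f"unrecognised scope: {scope}")


def audit_assignments(assignments: list[dict]) -> list[dict]:
    """Return one finding dict per rule violation found in the assignment list."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        who = a["principalName"]
        base = {"principal": who, "role": role, "scope": a["scope"]}

        # Privileged built-in roles should not sit at subscription scope or above.
        if role in PRIVILEGED_ROLES and SCOPE_RANK[level] <= SCOPE_RANK["subscription"]:
            findings.append({**base, "code": "privileged-broad-scope"})

        # Workload identities (managed identities show up as ServicePrincipal)
        # should be granted on the specific resource they access.
        if a["principalType"] == "ServicePrincipal" and level != "resource":
            findings.append({**base, "code": "workload-not-resource-scoped"})

        # A user with a permanent privileged role is a candidate for a
        # PIM-eligible (just-in-time) assignment instead.
        if a["principalType"] == "User" and role in PRIVILEGED_ROLES:
            findings.append({**base, "code": "standing-privileged-user"})
    return findings


# Constructed sample export (placeholder subscription id, fictional principals).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {   # Managed identity scoped to one storage account with a data-plane read role: compliant.
        "principalName": "web-app-identity", "principalType": "ServicePrincipal",
        "roleDefinitionName": "Storage Blob Data Reader",
        "scope": _SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stappdata",
    },
    {   # Pipeline service principal with Contributor on the whole subscription: two findings.
        "principalName": "ci-pipeline-sp", "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor", "scope": _SUB,
    },
    {   # Human with standing Owner at subscription scope: two findings.
        "principalName": "alice@example.test", "principalType": "User",
        "roleDefinitionName": "Owner", "scope": _SUB,
    },
    {   # Read-only role on a resource group: compliant.
        "principalName": "bob@example.test", "principalType": "User",
        "roleDefinitionName": "Reader", "scope": _SUB + "/resourceGroups/rg-app",
    },
]


def main() -> None:
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['code']:30} {f['principal']:22} {f['role']} @ {f['scope']}")


if __name__ == "__main__":
    main()
```

Run it against a real export with `az role assignment list --all -o json` piped into `json.load` in place of `SAMPLE_ASSIGNMENTS`; the `code` values map one-to-one onto the scope, managed-identity and PIM rules, so each finding points at the rule it violates.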