Azure Security: RBAC, Zero Trust, and Defender
Azure security goes beyond passwords. Role-based access control, Zero Trust architecture, defence-in-depth, and Microsoft Defender for Cloud — the layers that keep your environment safe.
Security in layers
Think of a medieval castle.
A castle doesn’t rely on just one wall. It has a moat (network security), outer walls (firewalls), inner walls (access controls), locked rooms (data encryption), and guards (monitoring).
If an attacker gets past one layer, there’s another one waiting. This is defence-in-depth — multiple security layers so no single failure compromises everything.
Zero Trust takes this further: don’t trust anyone, even people inside the castle. Every person must show their ID at every door, every time. “Never trust, always verify.”
RBAC is how you decide who gets keys to which rooms. The cook can access the kitchen but not the treasury. The treasurer can access the treasury but not the armoury.
Defender for Cloud is the castle’s watchtower — constantly scanning for threats and telling you where your defences are weak.
Azure RBAC — who can do what
RBAC controls access to Azure resources using three concepts:
| Concept | What It Is | Example |
|---|---|---|
| Security principal | WHO is requesting access | User, group, service principal, managed identity |
| Role | WHAT they can do | Owner, Contributor, Reader, custom roles |
| Scope | WHERE the role applies | Management group, subscription, resource group, or resource |
Built-in roles
| Role | Permissions |
|---|---|
| Owner | Full access + can assign roles to others |
| Contributor | Full access to create and manage resources EXCEPT assigning roles (no write access under Microsoft.Authorization) |
| Reader | View-only access — can see but not change anything |
| User Access Administrator | Manage role assignments (who has access to what) and read resources, but not change the resources themselves |
How RBAC works at Summit Construction
| Person | Role | Scope | What They Can Do |
|---|---|---|---|
| IT Manager | Owner | Production subscription | Everything, including assigning roles |
| Developer | Contributor | Dev resource group | Create/modify resources in dev |
| Project Manager | Reader | Production subscription | View production resources, no changes |
| Intern | Reader | Dev resource group | View dev resources only |
Key concept: RBAC permissions inherit down the hierarchy. A Contributor role assigned at the subscription level applies to ALL resource groups and resources within that subscription. Assignments are also additive: a principal's effective permissions are the union of every role assigned to it at the requested scope or any parent scope, so a narrower assignment can add permissions but never take away ones granted higher up.
Exam tip: Least privilege principle
Always assign the minimum permissions needed. If someone only needs to view resources, give them Reader, not Contributor. If they need to modify resources but not assign roles, give them Contributor, not Owner.
The exam tests this with scenarios like: “A developer needs to deploy code but should NOT be able to assign access to other users.” Answer: Contributor (not Owner).
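The following is an added illustration (not Azure code and not part of the original page) of how the two rules above combine: an assignment covers its own scope and every child scope, and a role's NotActions are subtracted only from that role's own Actions. The role definitions are trimmed subsets of the real built-in roles, the subscription id is a placeholder, and the Summit Construction layout (one subscription holding a dev and a prod resource group) is an assumption, since the page does not say where the dev resource group lives.

```python
"""Toy evaluator for Azure RBAC: scope inheritance and Actions/NotActions.

Added illustration only (not Azure's code). Role definitions are trimmed
subsets of the real built-in roles; ids and names are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple           # permitted operation patterns, '*' is a wildcard
    not_actions: tuple = ()  # subtracted from THIS role's actions only


# Trimmed versions of the built-in roles on this page (the real Contributor
# definition lists a few more NotActions, e.g. for Blueprints and gallery sharing).
OWNER = Role("Owner", ("*",))
CONTRIBUTOR = Role("Contributor", ("*",), (
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action",
))
READER = Role("Reader", ("*/read",))
USER_ACCESS_ADMIN = Role("User Access Administrator",
                         ("*/read", "Microsoft.Authorization/*"))


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str  # ARM resource id the assignment was made at


def scope_covers(assigned: str, requested: str) -> bool:
    """An assignment applies at its own scope and at every child scope.
    Compare whole path segments so '.../resourceGroups/dev' does not
    accidentally cover '.../resourceGroups/dev2'."""
    a, r = assigned.lower().rstrip("/"), requested.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_permits(role: Role, action: str) -> bool:
    """Actions minus NotActions; matching is case-insensitive and '*' spans segments."""
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role.actions)
    denied = any(fnmatchcase(act, p.lower()) for p in role.not_actions)
    return allowed and not denied


def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """Effective permission = union over all assignments for the principal
    whose scope covers the requested scope. NotActions are not a deny: if
    any other assignment grants the action, it is allowed. (Azure deny
    assignments, a separate feature, are not modelled here.)"""
    return any(
        a.principal == principal
        and scope_covers(a.scope, scope)
        and role_permits(a.role, action)
        for a in assignments
    )


# Constructed Summit Construction tenant (assumption: one subscription with a
# dev and a prod resource group). The subscription id is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEV_RG = SUB + "/resourceGroups/dev"
PROD_RG = SUB + "/resourceGroups/prod"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev-vm1"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/prod-vm1"

SUMMIT = [
    Assignment("it-manager", OWNER, SUB),
    Assignment("developer", CONTRIBUTOR, DEV_RG),
    Assignment("project-manager", READER, SUB),
    Assignment("intern", READER, DEV_RG),
]

VM_WRITE = "Microsoft.Compute/virtualMachines/write"
VM_READ = "Microsoft.Compute/virtualMachines/read"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"


def can(principal: str, action: str, scope: str) -> bool:
    """Evaluate one request against the Summit Construction assignments."""
    return is_allowed(SUMMIT, principal, action, scope)


if __name__ == "__main__":
    checks = [
        ("developer deploys a dev VM", can("developer", VM_WRITE, DEV_VM)),
        ("developer assigns a role in dev", can("developer", ROLE_ASSIGN, DEV_RG)),
        ("developer deploys a prod VM", can("developer", VM_WRITE, PROD_VM)),
        ("it-manager assigns a role in dev (inherited)", can("it-manager", ROLE_ASSIGN, DEV_RG)),
        ("project-manager reads a prod VM", can("project-manager", VM_READ, PROD_VM)),
        ("project-manager changes a prod VM", can("project-manager", VM_WRITE, PROD_VM)),
        ("intern reads a prod VM", can("intern", VM_READ, PROD_VM)),
    ]
    for label, ok in checks:
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
```

Running it prints ALLOW for the developer's dev VM deployment and the IT manager's inherited role assignment, and DENY for the developer assigning roles, touching prod, or the intern reading prod. The same check against a real tenant is `az role assignment list --assignee <principal> --scope <resource-id> --include-inherited`, and `az role definition list --name Contributor` shows the full Actions and NotActions the toy roles above abbreviate.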
Zero Trust — never trust, always verify
Zero Trust assumes that every request could be a threat, regardless of where it comes from or who is making it.
Three guiding principles:
| Principle | What It Means | Example |
|---|---|---|
| Verify explicitly | Always authenticate and authorise based on all available data | Check user identity, device health, location, and behaviour before granting access |
| Least privilege access | Give minimum permissions needed, for the minimum time | Just-in-time access, just-enough-access |
| Assume breach | Design as if attackers are already in your network | Segment access, encrypt everything, monitor continuously |
Traditional model: Trust everyone inside the corporate network, block everything outside.
Zero Trust model: Trust nobody by default. Verify every access request, every time, regardless of network location.
Harbour Health applies Zero Trust: even a doctor on the hospital’s internal network must verify their identity, use MFA, and access only the patient records they’re authorised for. No blanket “inside the network = trusted” access.
Defence-in-depth — layered security
Defence-in-depth uses seven layers of security. An attacker has to get through every layer that sits between them and your data, and each layer they cross should produce a signal you can detect:
| Layer | What It Protects | Example Controls |
|---|---|---|
| Physical | Datacenter buildings | Biometric access, cameras, guards |
| Identity | Who can access the system | Entra ID, MFA, Conditional Access |
| Perimeter | Network boundary | DDoS protection, firewalls |
| Network | Internal network traffic | NSGs, VNet segmentation, private endpoints |
| Compute | VMs and containers | Patching, endpoint protection, secure boot |
| Application | Your software | Secure coding, vulnerability scanning |
| Data | Your information | Encryption at rest and in transit, access controls |
Key exam concept: Data is at the centre — it’s what attackers ultimately want. Every layer exists to protect the data. Even if an attacker breaches the perimeter, they still face network, compute, application, and data layers.
Microsoft Defender for Cloud
Defender for Cloud is Azure’s security command centre:
| Feature | What It Does |
|---|---|
| Security recommendations | Tells you what’s misconfigured and how to fix it |
| Secure Score | A percentage showing your overall security posture |
| Threat protection | Detects threats across Azure, hybrid, and multi-cloud |
| Compliance dashboard | Shows compliance against standards (ISO 27001, NIST, PCI DSS) |
| Just-in-time VM access | Keeps VM management ports (RDP, SSH) closed by default, opens them only for an approved request from an approved source for a limited time, then closes them again |
How Harbour Health uses Defender for Cloud:
- Secure Score shows 78% — they’re working to improve it
- Recommendations flag 3 VMs missing encryption
- Compliance dashboard confirms HIPAA alignment
- Alerts notify security team of suspicious sign-in attempts
Defender for Cloud is free AND paid
- Free tier (foundational CSPM): security recommendations, Secure Score, and basic assessments for your resources
- Paid tier (Defender plans, i.e. workload protection/CWPP): enhanced threat detection, just-in-time access, adaptive controls, and deeper coverage for specific resource types (servers, storage, databases, containers) across Azure, hybrid, and multi-cloud
The free tier alone provides significant value, and it is available for every Azure subscription at no cost.
🎬 Video walkthrough
🎬 Video coming soon
Knowledge Check
A developer at Summit Construction needs to create and modify resources in the Development resource group but should NOT be able to assign access roles to other users. Which RBAC role should they receive?
Which Zero Trust principle states that users should receive only the minimum permissions they need to perform their job?
Harbour Health wants a dashboard showing their overall security posture as a percentage, along with recommendations for improvement. Which Azure service provides this?
🎉 You’ve completed Domain 2: Azure Architecture and Services! You now understand Azure’s infrastructure, compute, networking, storage, identity, and security. Next, we tackle cost management, governance, and monitoring tools.
Next up: What Affects Your Azure Bill — understanding the factors that drive your cloud costs.