Azure roles, also known as Azure RBAC (role-based access control), are an authorization system built on Azure Resource Manager that allows more flexible access to and management of Azure resources. There are over 100 built-in roles, but I will focus on the following five fundamental Azure roles. Here is a brief description of each role, which can serve as a quick decision guide for determining which role is needed:
Owner: does everything; able to build, operate and control access.
Contributor: does everything resource related; able to edit, build and operate but does not control access.
Reader: does nothing but view; able to see but must leave everything as it is.
Role Based Access Control Administrator: handles only role assignments; able to manage role assignments without the privilege of changing policy.
User Access Administrator: handles everything access related; able to control access, assign roles and policies, and create customised roles.
The Owner, Contributor and Reader roles apply to all resource types, while the rest of the roles are resource- or service-specific.
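The split between "manages resources" and "manages access" comes from each role definition's Actions and NotActions lists. The following is an added example, not code from the original post: it checks sample operations against abridged copies of the five definitions. The `ROLES` table, the function names and the sample operations are assumptions made for illustration.

```python
import re

# Abridged copies of the five definitions (assumption: Contributor's NotActions
# is trimmed to its Microsoft.Authorization entries). Check the live values with
# `az role definition list --name "<role name>"`.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "Role Based Access Control Administrator": (
        ["Microsoft.Authorization/roleAssignments/write",
         "Microsoft.Authorization/roleAssignments/delete",
         "*/read", "Microsoft.Support/*"], []),
    "User Access Administrator": (
        ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], []),
}

def _matches(pattern, operation):
    """Action patterns use '*' as a wildcard and compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Allowed when an Actions pattern matches and no NotActions pattern does."""
    actions, not_actions = ROLES[role]
    granted = any(_matches(p, operation) for p in actions)
    excluded = any(_matches(p, operation) for p in not_actions)
    return granted and not excluded

def roles_allowing(operation):
    """Return which of the five roles permit the operation, in table order."""
    return [role for role in ROLES if is_allowed(role, operation)]

# Constructed sample operations: build, view, assign a role, assign a policy.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/policyAssignments/write",
]

if __name__ == "__main__":
    for op in SAMPLE_OPERATIONS:
        print(f"{op}: {', '.join(roles_allowing(op))}")
```

NotActions only subtracts from the same role's Actions; it is not a deny, so a second role assignment can still grant an operation that Contributor excludes.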
More examples and use cases:
Virtual Machine Contributor: Manage virtual machines, but not networking or storage access. Use case: Teams that deploy/manage VMs but don't configure VNets or disks.
Network Contributor: Manage networks (VNets, subnets, NSGs, public IPs, etc.), but not VMs. Use case: Networking teams that configure connectivity but don't deploy compute resources.
Storage Account Contributor: Manage storage accounts (create, configure, delete), but not data access. Use case: Storage admins who provision accounts.
Storage Blob Data Contributor: Read, write, delete blobs. Use case: Apps/services that need full blob access.
Storage Blob Data Reader: Read-only access to blobs. Use case: Monitoring or read-only integrations.
Storage Blob Data Owner: Full blob access + manage ownership/ACLs (POSIX-style for ADLS Gen2). Use case: Data lake admins needing fine-grained control.
Storage File Data SMB Share Contributor: Read/write/delete files over SMB. Use case: File share access for VMs/apps.
Monitoring Contributor: View all monitoring data + update monitoring settings/alerts. Use case: SRE/ops teams that configure and manage monitoring.
Monitoring Reader: View all monitoring data (metrics, logs, alerts), but no changes. Use case: Auditors, stakeholders, or read-only dashboards.
Application Insights Snapshot Debugger: Debug snapshots in Application Insights. Use case: Developers troubleshooting live apps.
Log Analytics Contributor: Manage Log Analytics workspaces (queries, solutions, etc.). Use case: Central logging teams.
Log Analytics Reader: View Log Analytics data and saved queries. Use case: Read-only log analysis.
Backup Contributor: Full backup management (create policies, enable backup, restore), but can't delete vaults or delegate access. Use case: Backup admins who handle day-to-day operations.
Backup Operator: Manage backups (trigger restores, etc.), but can't delete data or manage policies/vaults destructively. Use case: Operators focused on restore and monitoring.
Backup Reader: View-only access to backup vaults, policies, recovery points. Use case: Compliance/audit teams reviewing backup status.
Disk Backup Reader: View permissions for backup vaults to perform disk backups. Use case: Disk-specific backup scenarios.
Storage Account Backup Contributor: Perform backup/restore on specific storage accounts using Azure Backup. Use case: Targeted storage backup delegation.
I believe that, having read through this, you have a better understanding of Azure built-in roles and the logic behind them.

Ireland | Bobby Abuchi