Why “Just Give Them Access” Is the Most Dangerous Thing in Cloud Security

A practical guide to Azure RBAC, Least Privilege, and Zero Trust for beginners and professionals alike · 

“It’s just temporary.” Those three words have caused more cloud security incidents than most people want to admit including me.

I still remember the moment it clicked for me. I was deep in an Azure lab, trying to figure out why a service account had access to an entire subscription when it only needed to read from one storage container. Nobody had done anything malicious. Nobody had even made a bad decision on purpose. The access had just… accumulated. Layer after layer. Project after project. Until one day, someone looked at the environment and realized they had no idea who could do what anymore.

That’s the quiet danger in cloud security. It rarely looks like a dramatic breach. It usually looks like a list of permissions nobody cleaned up.

As I continue studying Microsoft Azure and documenting that journey publicly, I keep coming back to two concepts that I believe every cloud engineer beginner or experienced must truly understand:

Azure Role-Based Access Control (RBAC) and the Principle of Least Privilege. They are not just settings in a portal. They are how you design a cloud environment that doesn’t collapse the moment something goes wrong.

This guide is for you whether you just created your first Azure account or you’re already deploying infrastructure at scale. The fundamentals matter at every level.

The invisible risk: what excessive access actually looks like

Let’s be honest about how cloud environments get messy because it doesn’t happen the way you might expect.

It starts with a new team member joining mid-project. To avoid blocking them, a manager says, “Let’s just give them Contributor access to the whole resource group for now.” That “for now” never gets revisited.

Then a contractor joins for a three-month deployment. They need elevated access to push resources. Project ends. Permissions stay.

An engineer moves to a different team. Old access remains. Nobody notices because the account is still active and nobody’s looking.

Six months later, you have an Azure environment where dozens of identities carry permissions, they no longer need and no one has a clear picture of who can do what.

This is not a assumption. This is one of the most common security findings in real Azure environments and it’s exactly the kind of gap that attackers look for.

One compromised account with Reader permissions might leak sensitive configuration data. One compromised account with Owner permissions could destroy your entire infrastructure delete virtual machines, disable monitoring, exfiltrate data, and lock your team out.

The role you assign today is the blast radius you accept tomorrow.

What is the Principle of Least Privilege?

The Principle of Least Privilege is a security concept with a simple rule:

Every user, application, and system should only have the minimum level of access required to do their specific job and nothing more.

In practice, this means you stop asking “what access might this person need?” and start asking “what access does this person actually need right now?”

The difference sounds small. The security impact is enormous.

Least Privilege reduces your attack surface. If a user account gets compromised, the attacker inherits only that user’s limited permissions not keys to the entire kingdom. It limits the damage from insider threats, both accidental and intentional. And it creates accountability, because every access grant has a clear purpose behind it.

In Azure, this principle is enforced through a system called Azure RBAC.

What is Azure RBAC and why does it matter?

Azure Role-Based Access Control (Azure RBAC) is Microsoft Azure’s built-in authorization system. It lets you control who has access to Azure resources, what they can do with those resources, and at what scope those permissions apply.

Before RBAC, managing permissions was crude you either had access or you didn’t. Azure RBAC makes access granular and deliberate. Instead of handing someone the keys to your entire environment, you give them exactly what they need for their role and you scope it to exactly where they need it.

It works through three core concepts:

Security principal

The identity requesting access a user, a group, a service principal, or a managed identity.

Role definition

A collection of permissions. It defines what actions are allowed for example, “can read storage accounts” or “can delete virtual machines.”

Scope

Where the permissions apply at the level of a management group, subscription, resource group, or individual resource.

These three elements combine into a role assignment the actual record that grants access to a specific principal, at a specific scope, with a specific set of permissions.

Understanding Microsoft Entra ID

Before going further, Entra ID helps to understand the identity system behind everything: 

Microsoft Entra ID  formerly known as Azure Active Directory is Microsoft’s cloud-based identity and access management platform. Every time a user signs into Azure, Microsoft 365, or a connected app, Entra ID is working in the background.

Entra ID answers the question “Who are you?” Azure RBAC answers the question “What are you allowed to do?”

These two systems work together. Entra ID authenticates the identity. RBAC authorizes what that identity can access. Neither one alone is enough you need both.

Entra ID also powers critical security features like Multi-Factor Authentication (MFA), Conditional Access policies, and identity protection all of which layer on top of RBAC to create a more complete security posture.

The four Azure RBAC roles you need to know

Owner
  • Full access to all resources
  • Can assign roles to others
  • Highest privilege level
  • Assign sparingly — review often
Contributor
  • Create, modify, delete resources
  • Cannot assign roles
  • Good for engineers
  • No identity management
Reader
  • View resources only
  • Cannot create or modify
  • Good for auditors/monitoring
  • Safe for external reviewers
Custom role
  • Tailored permission sets
  • Scoped to exact needs
  • Best Least Privilege option
  • Requires careful design

A critical point about custom roles: built-in roles are a great starting point, but they often grant more access than necessary for a specific task. If someone only needs to restart virtual machines not to delete or recreate them, a custom role lets you grant exactly that, nothing more.

How to assign RBAC roles in the Azure portal (step by step)

If you’re new to Azure, here’s the actual process. Open your Azure portal and follow along.

  1. Sign into the Azure portal at portal.azure.com. Use an account with sufficient permissions to assign roles in your environment.
  2. Navigate to the resource you want to control access for. This can be a subscription, resource group, storage account, key vault, or individual resource — RBAC works at all levels.
  3. Open Access Control (IAM) from the left-hand menu. This is the central hub for all role assignment management on that resource.
  4. Click “Add” then “Add role assignment.” Azure will display the list of available built-in roles and any custom roles you’ve created.
  5. Choose the appropriate role apply Least Privilege. Ask: does this person need full control, or only the ability to read? Can you go even more specific with a custom role?
  6. Select the user, group, service principal, or managed identity to assign the role to. Assigning to groups rather than individuals makes long-term management significantly easier.
  7. Review and confirm. Double-check the role, the scope, and the principal before saving. Once assigned, permissions take effect almost immediately.
Pro tip: always assign roles to groups where possible, not individuals. When someone joins or leaves a team, you update the group, not dozens of individual role assignments.

Three real-world scenarios where excessive privileges cause damage

Theory is useful. But it helps to see how this plays out in practice.

Scenario 1: The phished admin account

An attacker sends a convincing phishing email to an engineer. The engineer clicks. Their credentials are captured. Because that engineer had Owner-level access across three subscriptions “for convenience,” the attacker now has the ability to delete resources, disable security monitoring, export secrets, and deploy malicious workloads all before anyone notices.

Scenario 2: The forgotten contractor

A contractor completes a six-month deployment engagement and offboards. Their access isn’t revoked. an oversight in a busy team. Eight months later, their email account is compromised through an unrelated breach. The attacker finds active Azure credentials attached to that account. Because the contractor still has Contributor access to a production resource group, the attacker has everything they need.

Scenario 3: The accidental deletion

An intern runs a cleanup script one they genuinely thought was safe. Because they were given Contributor access to the entire subscription instead of just the test resource group, the script runs further than intended and deletes a production database. No malicious intent. Just too much access and not enough guardrails.

All three scenarios have one common thread: permissions that were broader than they needed to be.

How RBAC fits into Zero Trust security

Zero Trust is one of the most talked-about frameworks in modern cybersecurity. Its core principle is simple but has sweeping implications:

“Never trust. Always verify.”

Zero Trust rejects the old assumption that anyone inside your network perimeter is safe. In modern cloud environments, where users connect from home, from personal devices, from anywhere in the world that assumption was never really valid anyway.

Azure RBAC is a foundational component of any Zero Trust implementation. It ensures that:

  • Access is explicitly granted, not assumed
  • Permissions are aligned to actual job function
  • The blast radius of any compromise is contained
  • Every access decision can be audited and reviewed

Pair RBAC with Conditional Access policies and MFA through Microsoft Entra ID, and you have a layered security model that doesn’t rely on trusting any single identity by default.

Azure RBAC best practices checklist

  • Apply Least Privilege to every role assignment, no exceptions
  • Assign roles to groups, not individuals, wherever possible
  • Review role assignments on a regular; scheduled cadence
  • Remove access for offboarded users and contractors immediately
  • Restrict Owner role assignments — require justification and review
  • Use Custom Roles when built-in roles grant more access than needed
  • Enable MFA for all accounts, especially privileged ones
  • Implement Conditional Access policies through Microsoft Entra ID
  • Monitor and audit privileged account activity continuously
  • Separate permissions between production and development environments
  • Document every role assignment decision and its business justification
  • Use managed identities for applications instead of user credentials

Why identity is now the security perimeter

There’s a phrase you’ll hear often in cloud security circles: “identity is the new perimeter.” It sounds abstract until you understand what changed.

Traditional security was built around the network. You had a firewall, a corporate office, a physical boundary. If you were inside the network, you were assumed to be trustworthy. Security was focused on keeping threats out at the edge.

Cloud computing dismantled that model. Resources live outside corporate networks. Users access systems from anywhere. Applications communicate across the internet. There is no clear perimeter anymore not in the traditional sense.

What remains is identity. Every action in Azure is performed by an authenticated identity. That identity either has or doesn’t have permission to perform that action. If you control your identities and their permissions tightly, you retain meaningful security even in a borderless environment.

This is why Microsoft Entra ID, RBAC, Conditional Access, and MFA aren’t optional security add-ons. They are the security layer. They are the perimeter now.

A quick glossary for beginners

Azure RBAC Azure’s authorization system controls what authenticated users are allowed to do with resources.
 
Least Privilege The security principle that users should only receive the minimum access required for their role.
 
Microsoft Entra ID Microsoft’s cloud identity platform handles authentication and identity management.
 
Zero TrustA security framework built on “never trust, always verify” no user or device is trusted by default.
 
MFA (Multi-Factor Authentication)  requires more than a password to verify identity.
 
IAM Identity and Access Management  the broader discipline of managing digital identities and their permissions.
 
Conditional Access Policies that make access decisions based on context location, device health, risk level.
 
Managed identity An Azure-managed identity for applications and services, eliminates the need to store credentials in code.
 
Role assignment The record that links a security principal, a role definition, and a scope the actual grant of access.

Where I am in this journey  and why I’m writing about it

I’m actively studying Azure, and I won’t pretend otherwise. I’m not writing this from a position of “I’ve solved this problem” I’m writing it from the position of someone who found it genuinely difficult to understand at first, and who knows that clear explanations are often the thing that’s missing.

What I’ve learned is that cloud security concepts like RBAC and Least Privilege aren’t reserved for senior architects. They are entry-level fundamentals that every cloud practitioner needs to internalize early because the habits you build when you’re learning are the ones you carry forward.

I’ve also learned that women in tech often feel like they need to wait until they “know enough” before they speak publicly about technical topics. I’m choosing not to wait. I’ll document the learning as it happens, in plain language, as honestly as I can.

If this post helped something click for you, that’s exactly why it exists.

Final thought: the permissions you assign today

Cloud security doesn’t fail all at once. It erodes slowly one unnecessary permission at a time, one unreviewed role assignment at a time, one forgotten contractor account at a time.

Azure RBAC and Least Privilege are not advanced security topics. They are foundational. They are where security maturity begins. And they are entirely within reach for anyone willing to learn them properly.

Take five minutes this week and look at your Azure environment. Ask the questions that matter:

  • Who has Owner access and does it still make sense?
  • Are there accounts with permissions that were “temporary”?
  • When was the last time anyone reviewed role assignments?

The answers to those questions might be more important than any tool you configure.

Follow along with the journey

I share beginner-friendly Azure and cloud security breakdowns access management, identity, Zero Trust, and what I’m learning week by week.

 LinkedIn