Permissions, Access & Governance
Who can touch what in Azure — RBAC, Entra ID, least privilege and Purview, explained simply.
What you'll learn
- Explain RBAC and roles in plain terms
- Know what Entra ID and least privilege mean
- Understand what Purview is for
All the data you’ve met so far has to be kept safe — not everyone should see the payroll figures, and not everyone should be able to delete a warehouse. The system that decides who can do what in Azure goes by a few names: RBAC, roles, Entra ID, least privilege and Purview. They sound bureaucratic, but each answers a simple, sensible question about access. Get the vocabulary and you’ll understand why you sometimes can see a thing but can’t change it.
RBAC and roles: keys cut to fit the job
RBAC stands for Role-Based Access Control, and the idea is exactly as it sounds: what you’re allowed to do depends on your role, not on you personally. Picture a building where keys are cut by job rather than by name. A cleaner’s key opens the cupboards but not the safe; a manager’s key opens the offices. In Azure, a role is a bundle of permissions matched to a job — and you’re granted a role rather than a long, custom list of “can do this, can’t do that”.
Three roles cover most everyday cases. Reader lets you look but not touch — see the data and reports, change nothing. Contributor lets you create and change things but not hand out access to others. Owner can do all that and grant access to other people. So when a colleague says “I only have Reader on that”, they’re telling you they can view it but can’t edit it — and there’s no point asking them to fix it.
A simple ladder: Reader looks, Contributor changes, Owner also hands out access to others.
Entra ID: the company directory of identities
Before Azure can decide what your role allows, it has to know who you are. That’s the job of Microsoft Entra ID (you may still hear its old name, Azure Active Directory). It’s the company directory — the master list of everyone’s work identity and the single login behind your email, Teams, Power BI and the rest. When you sign in once and everything just works, that’s Entra ID. And when you leave the company and access vanishes everywhere at once, that’s Entra ID too. RBAC leans entirely on it: first Entra ID confirms who you are, then your role decides what you can do.
Entra ID proves who you are; RBAC roles decide what you’re allowed to do once you’re in.
Least privilege: only the keys you need
A guiding principle runs through all of this: least privilege. It means giving each person the minimum access they need to do their job — and no more. Not because anyone’s distrusted, but because every extra permission is an extra risk: an account that can touch everything is a far bigger prize if it’s ever compromised, and a far easier way to break something by accident. Least privilege is why you might have Reader when Contributor would be “convenient” — the smaller key is the safer key. If you genuinely need more, the fix is to ask for the specific access, which keeps the audit trail clean. When a request for access is declined or trimmed, least privilege is usually the reason, and it’s a sign the system is working, not failing.
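The three ideas above (Entra ID confirming who you are, a role assignment at a scope deciding what you can do there, and least privilege picking the smallest role that fits) can be seen working together in a small model. The following Python is an added illustration written for this page, not Microsoft's code or a real Azure SDK: the directory, the role assignments and the scopes are constructed sample data, and the Reader/Contributor/Owner definitions are simplified versions of the built-in roles (Azure's real definitions carry more NotActions). It uses Azure-style action strings and the real pattern that a role assigned at a subscription also applies to every resource group and resource beneath it.

```python
"""Toy model of Azure RBAC: identity check, role assignment at scope,
wildcard action matching, and a least-privilege role picker.
Added example for this page; not an Azure SDK and not Microsoft's code."""
from fnmatch import fnmatchcase

# Simplified role definitions modelled on Azure's built-in Reader,
# Contributor and Owner. Real Contributor has several more NotActions;
# the Authorization write/delete exclusions are what keep it from
# handing out access.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

# Constructed stand-in for the Entra ID directory: identity -> account state.
# carol has been offboarded, so her assignments must no longer work.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "disabled",
}

# Constructed role assignments: (principal, role, scope). Scopes follow the
# Azure hierarchy subscription -> resource group -> resource.
ASSIGNMENTS = [
    ("alice@example.com", "Reader", "/subscriptions/sub1"),
    ("bob@example.com", "Contributor", "/subscriptions/sub1/resourceGroups/data-rg"),
    ("carol@example.com", "Owner", "/subscriptions/sub1"),
]

PAYROLL = ("/subscriptions/sub1/resourceGroups/data-rg/providers/"
           "Microsoft.Storage/storageAccounts/payroll")


def authenticate(principal: str) -> bool:
    """Entra ID's job: is this a known, enabled identity?"""
    return DIRECTORY.get(principal) == "active"


def scope_covers(assigned: str, requested: str) -> bool:
    """An assignment applies to its own scope and everything nested under it."""
    return requested == assigned or requested.startswith(assigned + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings are matched case-insensitively with '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: str, action: str) -> bool:
    """Allowed if some Actions pattern matches and no NotActions pattern does."""
    definition = ROLES[role]
    allowed = any(action_matches(p, action) for p in definition["actions"])
    denied = any(action_matches(p, action) for p in definition["not_actions"])
    return allowed and not denied


def is_allowed(principal: str, action: str, scope: str) -> bool:
    """Full decision: authenticate first, then check assignments in scope."""
    if not authenticate(principal):
        return False
    return any(
        role_allows(role, action)
        for who, role, assigned_scope in ASSIGNMENTS
        if who == principal and scope_covers(assigned_scope, scope)
    )


def least_privileged_role(required_actions, ranking=("Reader", "Contributor", "Owner")):
    """Least privilege: the first (smallest) role that covers every needed action."""
    for role in ranking:
        if all(role_allows(role, action) for action in required_actions):
            return role
    return None


if __name__ == "__main__":
    read = "Microsoft.Storage/storageAccounts/read"
    write = "Microsoft.Storage/storageAccounts/write"
    grant = "Microsoft.Authorization/roleAssignments/write"
    for who in DIRECTORY:
        for action in (read, write, grant):
            print(f"{who:18} {action:45} {is_allowed(who, action, PAYROLL)}")
    print("Role to request for read+write:", least_privileged_role([read, write]))
```

Run it and the table matches the ladder in the text: alice (Reader at the subscription) can read the payroll account but not change it; bob (Contributor on the resource group) can read and write it but cannot grant access, and has no rights in other resource groups; carol still has an Owner assignment on paper, but because her directory entry is disabled every decision is denied, which is the offboarding behaviour the Entra ID section describes. The last function is the least-privilege rule as a request helper: ask for the smallest role that covers the actions you actually need.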
Purview: the catalogue and the guardrails
The last name is Microsoft Purview, and it sits one level up from access. Where RBAC controls the locks, Purview is about governance — knowing what data you have, where it lives, where it came from, and whether it’s being handled responsibly. Think of it as a library catalogue plus a safety inspector: it helps people find the right data, labels sensitive information (like anything personal), and tracks how data moves so the organisation can prove it’s compliant. Purview answers the questions auditors and regulators ask — “where did this number come from, and who’s allowed to see it?” — rather than the moment-to-moment “can I open this file?” that RBAC handles.
Sort the access concepts
Here's where each one goes:
- Can view but cannot edit → Reader — Reader is the view-only role: see everything, change nothing.
- Can create and change but not grant access → Contributor — Contributors build and modify, but handing out access is above their level.
- Can do everything including grant access → Owner — Owners hold the master key: full control plus the ability to invite others.
- Right for stakeholders who need visibility → Reader — most business users only need Reader to follow along safely.
- A developer who builds pipelines but doesn't manage permissions → Contributor — creating pipelines is a Contributor action; granting access is not.
- The person who can approve an access request → Owner — only Owners can grant roles to others in the Azure portal.
How to use it
You don’t administer any of this, but the words shape your daily work. If you can’t edit something, check your role before assuming it’s broken — Reader can’t change things by design. If access feels too tight, remember least privilege and request the specific permission you need rather than “more access” in general. When onboarding or offboarding comes up, you’ll know Entra ID is the directory switching access on or off. And if leadership talks about governance, data lineage or sensitivity labels, that’s Purview territory. Understanding that identity, role and governance are three different layers — who you are, what you can do, and how the data is looked after — is exactly the literacy that keeps you safe and credible around Azure.
Quick check
1. In RBAC, what you can do depends on your…
2. Microsoft Entra ID is essentially…
3. Microsoft Purview is mainly about…