Intro: Azure Role-Based Controls
© 2026 Sonrai Security. All rights reserved.
Overview
For Microsoft Azure, Cloud Permissions Firewall (CPF) governs access by managing role-based access control (RBAC) role assignments directly. This is different from AWS and GCP, where CPF applies Privileged Permission controls. On the Roles page you review every role definition in scope, see how much of each role is actually used, and reduce over-privileged or unused access — all as governed changes.
To work with Azure Role-Based Controls, your tenant must already be onboarded. See the Azure Configuration Guide to onboard your tenant first.
Reducing access in Azure is user-initiated. CPF computes least-privilege recommendations, but it applies them only when you request them or submit a control; it does not automatically grant Just-In-Time (JIT) access for Azure.
Scope
Use the scope picker at the top of the page to choose which part of your Azure hierarchy you are viewing — the entire tenant, a management group, or a subscription. The Roles table and hero cards update to reflect the identities and assignments within the scope you select.
Counts such as Assigned and Right-Sized are evaluated from the selected scope down, so a higher-level scope aggregates everything beneath it.
![[AI GENERATED] The Cloud Permissions Firewall Azure Roles page showing One-Click Protection, hero cards for RBAC assignments with excessive privilege and unused RBAC assignments, and a table of role definitions with their assigned and right-sized counts and protection status.](/cpf-public/img/cpf-interface/controls/azure-role-based-controls/azure-role-based-controls-intro/azure-roles-main-light.png)
Hero Cards
The hero cards summarize the highest-impact actions for the selected scope and let you act on them with a single click.
- Identities that hold more access than they use. Click the card to replace over-privileged assignments with right-sized ones, or Preview Changes to review them first.
- Role assignments that have not been used. Click the card to remove them, or Preview Changes to review them first.
The One-Click Protection banner at the top of the page lets you protect all identities at the selected scope at once with Protect Your Cloud.
Use Preview Changes before applying a bulk action to see exactly which assignments CPF will modify.
The Roles Table
Each row represents a role definition in the selected scope.
| Column | Description |
|---|---|
| Role | The name of the Azure role definition (for example, Owner, User Access Administrator, Reader). |
| Type | The role definition type — Managed for an Azure built-in role, or Custom for a custom role definition. |
| Privileged Permissions | The number of privileged permissions included in the role definition. A permission is considered privileged if it can change your environment, that is, any Create, Update, or Delete action, as opposed to read-only actions such as list or get. In Azure operation names these are the write, delete and action verbs (for example `Microsoft.Compute/virtualMachines/write`) rather than read. |
| Assigned | The number of distinct identities that have this role assigned, from the current scope down. |
| Right-Sized | The number of identities whose observed usage justifies this role: identities that have used enough of the permissions that only this role grants them to need it, evaluated from the current scope down. An identity counted under Assigned but not under Right-Sized uses less than the role grants and is a candidate for a reduced (right-sized) assignment. |
| Status | The state of applied controls for this role at the current scope. |
| Action | The control action available for this role. |
Use Quick Search to filter the table by role name. By default, roles that are not currently assigned are hidden; toggle Show Unassigned Roles to include them. Click Export to download the table.
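The following script is an added example, not Sonrai's code, and it illustrates both the Scope section above and the Privileged Permissions, Assigned and Right-Sized columns of the Roles table. It works from constructed data shaped like the output of `az role definition list` and `az role assignment list`: the management-group names, subscription IDs, principal IDs and usage records are all made up, and the right-sizing rule (an identity is right-sized when it used at least `min_used` operations that this role grants and none of its other in-scope roles grant) is a simplification with an assumed threshold, not CPF's actual algorithm.

```python
"""Added example, not Sonrai's code: reproduce the Privileged Permissions,
Assigned and Right-Sized figures of the Roles table for a chosen scope,
from constructed Azure RBAC data. The right-sizing rule is a simplification."""

from fnmatch import fnmatchcase

# Constructed role definitions, shaped like `az role definition list` output.
ROLE_DEFINITIONS = [
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Virtual Machine Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": [
         "Microsoft.Compute/virtualMachines/read",
         "Microsoft.Compute/virtualMachines/write",
         "Microsoft.Compute/virtualMachines/delete",
         "Microsoft.Compute/virtualMachines/start/action",
         "Microsoft.Compute/virtualMachines/restart/action"], "notActions": []}]},
    {"roleName": "User Access Administrator", "roleType": "BuiltInRole",
     "permissions": [{"actions": [
         "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "notActions": []}]},
]

# Constructed management-group hierarchy (made-up names): parent -> children.
MG = "/providers/Microsoft.Management/managementGroups/"
MG_CHILDREN = {
    MG + "tenant-root": [MG + "platform", "/subscriptions/sub-sandbox"],
    MG + "platform": ["/subscriptions/sub-prod"],
}

# Constructed role assignments; principal IDs are made up.
ROLE_ASSIGNMENTS = [
    {"principalId": "p-alice", "roleDefinitionName": "Virtual Machine Contributor", "scope": "/subscriptions/sub-prod"},
    {"principalId": "p-alice", "roleDefinitionName": "Virtual Machine Contributor", "scope": "/subscriptions/sub-sandbox"},
    {"principalId": "p-alice", "roleDefinitionName": "User Access Administrator", "scope": MG + "platform"},
    {"principalId": "p-bob", "roleDefinitionName": "Virtual Machine Contributor", "scope": "/subscriptions/sub-prod/resourceGroups/rg-web"},
    {"principalId": "p-bob", "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-prod/resourceGroups/rg-web"},
    {"principalId": "p-carol", "roleDefinitionName": "Virtual Machine Contributor", "scope": "/subscriptions/sub-sandbox"},
    {"principalId": "p-dave", "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-prod"},
]

# Constructed usage: operations each principal actually invoked in the window.
USED_OPERATIONS = {
    "p-alice": {"Microsoft.Compute/virtualMachines/write", "Microsoft.Authorization/roleAssignments/write"},
    "p-bob": {"Microsoft.Compute/virtualMachines/read"},
    "p-carol": set(),
    "p-dave": {"Microsoft.Compute/virtualMachines/read"},
}


def is_privileged(action: str) -> bool:
    """Privileged = can change the environment. Azure operation names end in
    read/write/delete/action; anything but read, including a trailing wildcard
    that can expand to write/delete/action, counts as privileged."""
    return action.rsplit("/", 1)[-1].lower() != "read"


def privileged_permission_count(role_def: dict) -> int:
    total = 0
    for block in role_def["permissions"]:
        excluded = set(block.get("notActions", []))
        total += sum(1 for a in block["actions"] if a not in excluded and is_privileged(a))
    return total


def role_grants(role_def: dict, operation: str) -> bool:
    """Does the role grant this operation? Azure wildcards match across segments."""
    op = operation.lower()
    for block in role_def["permissions"]:
        allowed = any(fnmatchcase(op, a.lower()) for a in block["actions"])
        denied = any(fnmatchcase(op, n.lower()) for n in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def scopes_at_or_below(selected: str) -> set:
    """Walk the management-group tree downward from the selected scope."""
    seen, stack = set(), [selected]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(MG_CHILDREN.get(s, []))
    return seen


def in_scope(assignment_scope: str, selected: str) -> bool:
    """True if the assignment sits at the selected scope or anywhere beneath it.
    Resource-group and resource scopes are string-prefixed by their subscription,
    so prefix matching covers them. Assignments made above the selected scope are
    not counted, which follows the page's 'from the current scope down' rule."""
    return any(assignment_scope == s or assignment_scope.startswith(s + "/")
               for s in scopes_at_or_below(selected))


def role_counts(role_name: str, selected: str, min_used: int = 1) -> dict:
    """Assigned = distinct identities holding the role in scope. Right-Sized
    (simplified rule; min_used is an assumed threshold) = identities that used at
    least min_used operations this role grants and no other in-scope role grants."""
    defs = {r["roleName"]: r for r in ROLE_DEFINITIONS}
    role_def = defs[role_name]
    holdings = {}
    for a in ROLE_ASSIGNMENTS:
        if in_scope(a["scope"], selected):
            holdings.setdefault(a["principalId"], set()).add(a["roleDefinitionName"])
    assigned = {p for p, roles in holdings.items() if role_name in roles}
    right_sized = set()
    for p in assigned:
        others = [defs[r] for r in holdings[p] - {role_name}]
        distinct_used = [op for op in USED_OPERATIONS.get(p, ())
                         if role_grants(role_def, op) and not any(role_grants(o, op) for o in others)]
        if len(distinct_used) >= min_used:
            right_sized.add(p)
    return {"role": role_name, "privileged_permissions": privileged_permission_count(role_def),
            "assigned": len(assigned), "right_sized": len(right_sized),
            "right_sizing_candidates": sorted(assigned - right_sized)}


if __name__ == "__main__":
    for role in ("Reader", "Virtual Machine Contributor", "User Access Administrator"):
        print(role_counts(role, MG + "tenant-root"))
    print(role_counts("Virtual Machine Contributor", "/subscriptions/sub-prod"))
```

Two behaviours in this script are worth noticing when reading the real table. First, narrowing the scope changes the counts: the User Access Administrator assignment made at the `platform` management group shows up when that group is selected, but not when only `/subscriptions/sub-prod` is selected, because the count is taken from the selected scope down rather than from the assignments a subscription inherits. Second, when two roles held by the same identity both grant the only operation it used (p-bob's Reader and Virtual Machine Contributor both cover the VM read), neither role is credited and both assignments appear as right-sizing candidates, so a human still has to decide which one to keep; that is the kind of case to look at in Preview Changes before deploying.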
Role Status
- No CPF controls are applied to this role at the selected scope.
- Some, but not all, assignments for this role are protected at the selected scope.
- CPF controls are applied to this role across the selected scope.
Any status with (pending) indicates there are entries on the Pending Changes page waiting to be reviewed and deployed.
Reviewing and Protecting a Role
Open the role flyout
To inspect a role in detail, click its role definition name in the Role column. This opens the role's flyout, where you can review and act on the role across each scope it applies to.
![[AI GENERATED] The Cloud Permissions Firewall Azure role flyout for User Access Administrator, showing recommendations, a per-scope table of assigned and right-sized identities, and Protect actions for each scope.](/cpf-public/img/cpf-interface/controls/azure-role-based-controls/azure-role-based-controls-intro/azure-roles-flyout-light.png)
The flyout shows:
- Recommendations — a summary of the identities that have access through this role and the right-sizing CPF recommends. Identities that require continued access can be kept as exemptions.
- A per-scope table — each scope where the role is assigned, with its assigned and right-sized identity counts, current status, and a Protect action so you can apply the control at a single scope or across everything beneath it.
Stage a protection
To protect a role, click Protect, either in the Action column of the Roles table or next to a specific scope inside the flyout. CPF prompts you to confirm, then stages the protection rather than applying it immediately.
Staged protections — along with any suggested exemptions — are submitted to the Pending Changes page. Review your pending changes there and deploy them to apply the controls to your Azure tenant.
Azure Role-Based Controls is part of CPF's Azure support. Some controls available for AWS and GCP — such as Privileged Permission controls — do not apply to Azure, which manages RBAC role assignments directly instead.