Azure RBAC uses an allow model. When you`re assigned a role, Azure RBAC allows you to perform actions within the scope of that role. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
Lab scenario
To improve the management of Azure resources in Contoso, you have been tasked with implementing the following functionality:
Objectives
Task 1: Implement Management Groups
Task 2: Create custom RBAC roles
Task 3: Assign RBAC roles