Debugging Access Denied When RBAC Looks Correct

The role assignment is correct. The scope is right. Access is still denied. Here are the hidden reasons why.

Propagation Delay Is Real

You add a role assignment. You test immediately. It fails. Azure RBAC changes are not instant. Propagation can take up to 30 minutes, though it is usually faster. We spent hours debugging issues that fixed themselves while we investigated. Now we wait five minutes before testing any new role assignment. ...

November 20, 2025 · 4 min · Jose Rodriguez

Role Assignment Sprawl in Azure and How It Starts

Role assignments multiply faster than you expect. Here is how we went from structured permissions to chaos, and how we fixed it.

It Starts With One Exception

You build a clean RBAC model. Groups for teams. Roles at the right scope. Least privilege enforced. Then someone needs access for a demo. Just this once. You add a direct role assignment to their account. You plan to remove it later. You forget. ...

November 5, 2025 · 4 min · Jose Rodriguez

Azure RBAC Is Easy Until You Need to Change It

Why permission models rot over time. Azure RBAC feels simple at first. Assign a role. Pick a scope. Move on. The problems show up later.

RBAC Accumulates History

Permissions tend to grow, not shrink. Temporary access becomes permanent. Emergency grants never get revisited. Roles pile up across scopes. Over time, no one remembers why access exists. They only remember that removing it feels risky. I have audited Azure subscriptions where people had role assignments from three jobs ago. Former contractors still had Contributor access years after their contracts ended. Service principals created for one-off migrations still had Owner access to production. ...

March 10, 2025 · 4 min · Jose Rodriguez

Giving Engineers Access Without Creating a Security Incident

Practical IAM, not zero trust theater. Access control often swings between two extremes. Everything open. Everything locked down. Neither works.

Why Overly Restrictive IAM Fails

When access is too hard to get:

- engineers work around it
- secrets get shared
- permissions creep quietly
- reviews become rubber stamps

Security that blocks work does not create safety. It creates shadow systems. I have seen this pattern repeat across multiple teams. Access requests take days or weeks to get approved. The approval process requires three levels of sign-off, none of which understand the technical need. Engineers get frustrated and find workarounds. ...

February 20, 2025 · 4 min · Jose Rodriguez