Access control is likely one of the top things you care about as you start onboarding to the public cloud. With Azure AD you can control access to Azure cloud resources using your on-premises identity system – for example, ensuring that when employees leave your organization they automatically lose access to company resources in Azure. And with Azure RBAC you can grant users only the access they need to perform their jobs. To configure separation of authority you will mostly use the roles that come built in with Azure RBAC. However, depending on how you manage Azure, you might need to grant certain people access to a hand-picked set of operations – for example, people who can monitor virtual machines and restart them but can't delete or create new ones. To achieve this, you can now create custom roles in Azure RBAC and specify the exact permissions that you wish to grant.
See how to configure custom roles, by Dushyant Gill, Program Manager, Identity division.
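The monitor-and-restart scenario above can be checked before a custom role is ever assigned. The following is an added example, not code from the original post or from Microsoft: it evaluates a role definition the way Azure RBAC computes effective permissions (operations matched by `Actions`, minus those matched by `NotActions`, with `*` as a wildcard) and reports any operation the role must not grant. The role names, the action lists, the all-zero subscription ID and the helper functions are constructed for illustration.

```python
import re

# Constructed custom role for the page's scenario: monitor and restart VMs,
# but never create or delete them. The subscription ID is a placeholder.
VM_OPERATOR_ROLE = {
    "Name": "Virtual Machine Operator (example)",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed over-broad variant: one wildcard silently includes write and delete.
BROAD_ROLE = dict(VM_OPERATOR_ROLE, Name="VM Operator (too broad)",
                  Actions=["Microsoft.Compute/virtualMachines/*"])

# Operations the scenario says the role holder must not be able to perform.
MUST_DENY = [
    "Microsoft.Compute/virtualMachines/write",   # create or update a VM
    "Microsoft.Compute/virtualMachines/delete",
]

def _matches(pattern, operation):
    """Case-insensitive match where '*' in the pattern spans any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective permission: matched by Actions and not matched by NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

def forbidden_grants(role, must_deny):
    """Return the operations from must_deny that the role would still allow."""
    return [op for op in must_deny if is_allowed(role, op)]

if __name__ == "__main__":
    for role in (VM_OPERATOR_ROLE, BROAD_ROLE):
        print(role["Name"], "->", forbidden_grants(role, MUST_DENY) or "OK")
```

Running a check like this in review or CI catches a wildcard that quietly widens a role before the definition is created and assigned.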