The subscription is the lowest level of identity verification (for Global Administrator/Co-Administrator), and the connected Azure AD takes control of all identities and their assigned roles and rights.
These are the basics for the Role-Based Access Control (RBAC) on Azure Resources. With the release of the new portal, the concept of an Azure Resource was introduced. Every service you create in Azure is part of a resource group or is itself a resource.
This is the place where access control takes place in Azure.
Azure RBAC enables detailed access management for Azure. With RBAC you can make specific choices about how access is granted to users so that they can perform their tasks (for example, SQL Administration). Two ways of control are possible when using the fine-grained RBAC:
RBAC role assignments are bound to a specific subscription or resource (group). Giving access to a specific resource does not imply access to any other...
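The scope binding described above can be checked mechanically when reviewing who can reach a resource. The following is an added example, not code from the original text: the subscription ID, principals and resource names are constructed, and it assumes Azure's behaviour that an assignment covers its own scope and the scopes beneath it (subscription, resource group, resource only; management groups are left out).

```python
# Added example: which role assignments cover a given Azure resource?
# All IDs, principals and resource names are constructed sample data.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
SQL01 = SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql01"

ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob", "role": "SQL DB Contributor", "scope": SQL01},
    {"principal": "carol", "role": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
]


def _segments(scope):
    # Resource IDs are case-insensitive, so compare lower-cased path segments.
    return [s.lower() for s in scope.split("/") if s]


def applies_to(assignment_scope, resource_id):
    """True if an assignment at assignment_scope covers resource_id.

    Whole segments are compared rather than string prefixes, so a grant on
    'rg-app' is not mistaken for a grant on 'rg-app2'.
    """
    a, r = _segments(assignment_scope), _segments(resource_id)
    return len(a) <= len(r) and r[:len(a)] == a


def scope_level(scope):
    """Classify a scope by depth: 2 segments = subscription, 4 = resource group."""
    n = len(_segments(scope))
    if n == 2:
        return "subscription"
    if n == 4:
        return "resource group"
    return "resource"


def who_can_reach(resource_id, assignments=ASSIGNMENTS):
    """Sorted (principal, role, scope level) tuples whose scope covers resource_id."""
    return sorted(
        (a["principal"], a["role"], scope_level(a["scope"]))
        for a in assignments
        if applies_to(a["scope"], resource_id)
    )


if __name__ == "__main__":
    for hit in who_can_reach(SQL01):
        print(hit)
```

Entries reported at the subscription level are the ones to review first, since they reach every resource group and resource in the subscription.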