what is role assignment in azure

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Understand Azure role assignments

• 3 contributors

Role assignments enable you to grant a principal (such as a user, a group, a managed identity, or a service principal) access to a specific Azure resource. This article describes the details of role assignments.

Role assignment

Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.

A role assignment has several components, including:

• The principal , or who is assigned the role.
• The role that they're assigned.
• The scope at which the role is assigned.
• The name of the role assignment, and a description that helps you to explain why the role has been assigned.

For example, you can use Azure RBAC to assign roles like:

• User Sally has owner access to the storage account contoso123 in the resource group ContosoStorage .
• Everybody in the Cloud Administrators group in Microsoft Entra ID has reader access to all resources in the resource group ContosoStorage .
• The managed identity associated with an application is allowed to restart virtual machines within Contoso's subscription.

The following shows an example of the properties in a role assignment when displayed using Azure PowerShell :

The following shows an example of the properties in a role assignment when displayed using the Azure CLI , or the REST API :

The following table describes what the role assignment properties mean.

When you create a role assignment, you need to specify the scope at which it's applied. The scope represents the resource, or set of resources, that the principal is allowed to access. You can scope a role assignment to a single resource, a resource group, a subscription, or a management group.

Use the smallest scope that you need to meet your requirements.

For example, if you need to grant a managed identity access to a single storage account, it's good security practice to create the role assignment at the scope of the storage account, not at the resource group or subscription scope.

For more information about scope, see Understand scope .

Role to assign

A role assignment is associated with a role definition. The role definition specifies the permissions that the principal should have within the role assignment's scope.

You can assign a built-in role definition or a custom role definition. When you create a role assignment, some tooling requires that you use the role definition ID while other tooling allows you to provide the name of the role.

For more information about role definitions, see Understand role definitions .

Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Microsoft Entra tenant. You can assign a role to any principal. Use the Microsoft Entra ID object ID to identify the principal that you want to assign the role to.

When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or another infrastructure as code (IaC) technology, you specify the principal type . Principal types include User , Group , and ServicePrincipal . It's important to specify the correct principal type. Otherwise, you might get intermittent deployment errors, especially when you work with service principals and managed identities.

A role assignment's resource name must be a globally unique identifier (GUID).

Role assignment resource names must be unique within the Microsoft Entra tenant, even if the scope of the role assignment is narrower.

When you create a role assignment by using the Azure portal, Azure PowerShell, or the Azure CLI, the creation process gives the role assignment a unique name for you automatically.

If you create a role assignment by using Bicep or another infrastructure as code (IaC) technology, you need to carefully plan how you name your role assignments. For more information, see Create Azure RBAC resources by using Bicep .

Resource deletion behavior

When you delete a user, group, service principal, or managed identity from Microsoft Entra ID, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.

If you try to reuse a role assignment's name for another role assignment, the deployment will fail. This issue is more likely to occur when you use Bicep or an Azure Resource Manager template (ARM template) to deploy your role assignments, because you have to explicitly set the role assignment name when you use these tools. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment.

Description

You can add a text description to a role assignment. While descriptions are optional, it's a good practice to add them to your role assignments. Provide a short justification for why the principal needs the assigned role. When somebody audits the role assignments, descriptions can help to understand why they've been created and whether they're still applicable.

Some roles support role assignment conditions based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.

For example, you can add a condition that requires an object to have a specific tag for the user to read the object.

You typically build conditions using a visual condition editor, but here's what an example condition looks like in code:

The preceding condition allows users to read blobs with a blob index tag key of Project and a value of Cascade .

For more information about conditions, see What is Azure attribute-based access control (Azure ABAC)?

• Delegate Azure access management to others
• Steps to assign an Azure role

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

RBAC in Azure: A Practical Guide

What is azure rbac.

Azure role-based access control (Azure RBAC) enables access management for Azure resources. It’s an authorization system built into the Azure Resource Manager. You can use Azure RBAC to define which specific users should be allowed access to Azure cloud resources and assign a set of privileges for each user group. Let’s learn more about the specifics.

Azure RBAC vs Azure ABAC

As mentioned earlier, Azure RBAC allows you to manage access to Azure resources, defining what users can do with resources and their access areas. It lets you use role definitions and role assignments to control access. However, it does not offer fine-grained access management and can be difficult when managing hundreds of role assignments.

Azure attribute-based access control (ABAC) works differently.

Azure ABAC allows you to add role assignment conditions to achieve fine-grained access control. It builds on Azure RBAC, letting you add attributes for specific actions. Each role assignment condition provides an additional, optional check to a role assignment. Once you set it up, the condition can filter down permissions provisioned as a part of the role definition and assignment. 

Azure RBAC Concepts

Azure rbac roles.

In Azure RBAC, a role definition is a set of permissions (role). It defines users’ actions, such as write, delete, and read. You can define high-level roles, such as an owner, or specific roles, such as a virtual machine (VM) reader.

Azure provides various built-in roles, including a virtual machine contributor role that allows users to create and manage VMs. If the built-in roles do not satisfy your requirements, you can also define Azure custom roles. You can use data actions to grant access to data stored in a specific object. 

The term scope refers to a set of resources with specific access. It enables you to grant the relevant security principal to a certain role. Limiting the scope means limiting the scope of resources at risk if the security principal is compromised.

Azure RBAC lets you specify a scope at four levels, including a management group level, a subscription level, a resource group level, and a resource level. Azure structures scopes in a parent-child relationship, with each hierarchy level making the scope more specific. It lets you assign roles at any of the four levels. However, note that the level you choose determines how the role is applied. 

Azure also lets you use management groups, a level of scope above subscriptions. However, management groups support complex hierarchies. The diagram below illustrates an example of a hierarchy of management groups and subscriptions.

Role Assignments

Role assignments enable you to attach role definitions to specific users, groups, service principals, or managed identities at a certain scope. When creating a role assignment, you grant specific access, and removing the assignment revokes this access.

Here is a diagram that illustrates an example of a role assignment: 

This example assigns a contributor role to the marketing group—only for the pharma-sales resource group. It enables all users in the marketing group to create or manage Azure resources in the pharma-sales resource group. However, it does not provide marketing users with access to resources external to the pharma-sales resource group.

Azure Groups

Role assignments are transitive for groups, allowing users to gain permissions assigned to groups. If user A is a member of group B and group B is a member of group C with its own role assignment, user A gets the permissions in group C’s role assignment.

Azure RBAC uses an additive model to prevent issues when users get several overlapping role assignments. You can see an example of this principle in the image below. A certain user is granted a reader role by a resource group and a contributor role at the subscription level. The sum of the reader and contributor permissions is the contributor role. The reader role assignment has no impact.

Best Practices for Azure RBAC

Only grant the access users need.

With Azure RBAC, you can create isolation between different teams, granting each team only the access they need to get the job done. 

Instead of granting unlimited permissions to everyone with an Azure subscription or resource, you can only allow specific actions within specific scopes. Avoid assigning broad roles, even if they seem more convenient at first. When you create a custom role, include only the permissions your users need. This ensures that there’s less risk if a principal account is compromised.

The following diagram shows the recommended pattern for granting permissions in Azure RBAC.

Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyberattacks, Azure Active Directory Privileged Identity Management (PIM) can be used to reduce privilege issuance time and improve visibility through reports and alerts. PIM helps protect privileged accounts by providing temporary privileged access to Azure AD and Azure resources. Access is time-limited, after which privileges are automatically revoked.

Assign Roles Using Unique Role ID Instead of the Role Name

Role names may change over time, but the role ID always stays the same. Some common examples of changes to role names is when you are using your own custom role and decide to change the name, or when you are using a preview role that has (Preview) in the name. When the role is released from preview, it is automatically renamed.

To ensure consistency over time, it is a good idea to always assign users to a role ID when assigning roles using scripting or automation. This way, scripts won’t break if the name changes in the future. 

Assign Roles to Groups and Limit Subscription Owners

To make it easier to manage role assignments, do not assign roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users minimizes the number of role assignments. Note that Azure imposes restrictions on the total role assignments allowed per subscription.

Microsoft recommends having a maximum of 3 owners for each Azure subscription, to reduce the likelihood of a breach by a compromised or malicious insider.

Cloud RBAC with Frontegg

Frontegg provides out of the box RBAC model implementation. Customers can now create their own roles and permissions which represent their product models and use cases. Additionally, Frontegg empowers the end users to create custom roles to represent their permissions model, without having to change a single line of code in the product. Sounds too good to be true? Try it out now.  

Looking to take your User Management to the next level?

Rate this post

4.8 / 5. 1355

No reviews yet

Full Solution, Easy Migration

Privacy overview.

Azure RBAC: role assignments and ARM templates

This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure".

If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find yourself in a situation when you're deploying multiple types of resource to make your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage .

One of the hardest things when it comes to deploying software and having it work, is permissions. Without adequate permissions configured, the most beautiful code can do nothing . Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:

Azure has great power and suggests you use it wisely .

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

This is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?

Role (up for your) assignments ​

The answer is roles. There's a number of roles that exist in Azure that can be assigned to users, groups, service principals and managed identities. In our own case we're using managed identity for our resources. What we can do is use "role assignments" to give our managed identity access to given resources. Arturo Lucatero gives a great short explanation of this:

Whilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved. Because now it's time to talk "magic" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service which uses this identity) access to Key Vault and Storage:

Let's take a look at these three variables:

The three variables above contain the subscription resource ids for the roles Storage Blob Data Contributor , Key Vault Secrets Officer and Key Vault Crypto Officer . The first question on your mind is likely: "what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?" Great question! Well, each of these GUIDs represents a built-in role in Azure RBAC. The ba92f5b4-2d11-453d-a403-e96b0029c9fe represents the Storage Blob Data Contributor role.

How can I look these up? Well, there's two ways; there's an article which documents them here or you could crack open the Cloud Shell and look up a role by GUID like so:

Or by name like so:

As you can see, the Actions section of the output above (and in even more detail on the linked article ) provides information about what the different roles can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify a role that you might want to use.

Creating a role assignment ​

So now we understand how you identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. For each role assignment, you'll need a roleAssignments resource defined that looks like this:

Let's go through the above, significant property by significant property (it's also worth checking the official reference here ):

• type - the type of role assignment we want to create, for a key vault it's "Microsoft.KeyVault/vaults/providers/roleAssignments" , for storage it's "Microsoft.Storage/storageAccounts/providers/roleAssignments" . The pattern is that it's the resource type, followed by "/providers/roleAssignments" .
• dependsOn - before we can create a role assignment, we need the service principal we desire to permission (in our case a managed identity) to exist
• properties.roleDefinitionId - the role that we're assigning, provided as an id. So for this example it's the keyVaultCryptoOfficer variable, which was earlier defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')] . (Note the use of the GUID)
• properties.principalId - the id of the principal we're adding permissions for. In our case this is a managed identity (a type of service principal).
• properties.scope - we're modifying another resource; our key vault isn't defined in this ARM template and we want to specify the resource we're granting permissions to.
• properties.principalType - the type of principal that we're creating an assignment for; in our this is "ServicePrincipal" - our managed identity.

There is an alternate approach that you can use where the type is "Microsoft.Authorization/roleAssignments" . Whilst this also works, it displayed errors in the Azure tooling for VS Code . As such, we've opted not to use that approach in our ARM templates.

Many thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.

• Role (up for your) assignments
• Creating a role assignment

• Adding or removing role assignments using Azure Portal

Go back to AZ-304 Tutorials

In this article you will learn about assigning roles using Azure portal and the process of adding and removing role assignments. 

However, Azure’s role-based access control (RBAC) refers to the authorization system for managing access to Azure resources. And, to grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. 

Prerequisites

For adding or removing role assignments, you must have:

• Firstly, Microsoft.Authorization/roleAssignments/write 
• Secondly, Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner

Access control (IAM)

Access control (IAM) is the page that is for assigning roles to grant access to Azure resources. It’s also known as identity and access management and appears in several locations in the Azure portal. There are questions for assigning roles to help in understanding about the Access control (IAM) page.

• Who needs access? This refers to a user, group, service principal, or managed identity. 
• What role do they need? Permissions are grouped together into roles, so you can select from a list of several built-in roles orcan use custom roles.
• Where do they need access? This refers to the set of resources that the access applies to. However, “where” can be a management group, subscription, resource group, or a single resource such as a storage account.

Adding a role assignment

• Firstly, in the Azure portal, click All services and then select the scope that you want to grant access to. 
• Secondly, click the specific resource for that scope.
• Then, Click Access control (IAM).
• Fourthly, click the Role assignments tab for viewing the role assignments at this scope.
• After that, click Add > Add role assignment. However, if you don’t have permissions to assign roles, the Add role assignment option will be disabled.

• Then, in the Role drop-down list, select a role such as Virtual Machine Contributor.
• There in the Select list, select a user, group, service principal, or managed identity. And, if you don’t see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
• Lastly, click Save to assign the role.

Assigning a user as an administrator of a subscription

For giving users the role of an administrator of an Azure subscription, first assign them the Owner role at the subscription scope. As the Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. However, these steps are the same as any other role assignment.

• Firstly, in the Azure portal, click All services and then Subscriptions.
• Then, click the subscription where you want to grant access.
• Thirdly, click Access control (IAM).
• After that, click the Role assignments tab to view the role assignments for this subscription.
• Then, click Add > Add role assignment. However, if you don’t have permissions to assign roles, the Add role assignment option will be disabled.
• And, in the Role drop-down list, select the Owner role.
• Then, in the Select list, select a user.

Adding a role assignment for a managed identity

For adding role assignments for a managed identity use the Access control (IAM) page. However, when you use the Access control (IAM) page, you start with the scope and then select the managed identity and role. In this section, you will learn about an alternate way to add role assignments for a managed identity. Using these steps, you start with the managed identity and then select the scope and role.

System-assigned managed identity

• Use these steps for assigning a role to a system-assigned managed identity by starting with the managed identity.
• Firstly, in the Azure portal, open a system-assigned managed identity. Then, in the left menu, click Identity.

• After that, under Permissions, click Azure role assignments. However, if roles are already assigned to the selected system-assigned managed identity then you will see the list of role assignments.
• For changing the subscription, click the Subscription list. Then, click Add role assignment.
• Then, use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription, Resource group, or resource. And, if you don’t have role assignment write permissions for the selected scope, an inline message will be displayed.
• After that, in the Role drop-down list, select a role such as Virtual Machine Contributor.

User-assigned managed identity

• Use these steps for assigning a role to a user-assigned managed identity by starting with the managed identity.
• Firstly, in the Azure portal, open a user-assigned managed identity. Then, in the left menu, click Identity.
• After that, under Permissions, click Azure role assignments. However, if roles are already assigned to the selected user-assigned managed identity then you will see the list of role assignments.

Removing a role assignment

In Azure RBAC, for removing access from an Azure resource, you first remove a role assignment. Use these steps to remove a role assignment.

• Firstly, Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
• Then, click the Role assignments tab to view all the role assignments for this subscription.
• After that, in the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
• Then, Click Remove.
• Lastly, in the remove role assignment message that appears, click Yes.

However, if you see a message that inherited role assignments cannot be removed, then you are trying to remove a role assignment at a child scope. So, you should open Access control (IAM) at the scope where the role was assigned and try again. 

Reference: Microsoft Documentation

Prepare for Assured Success

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...