Role Based Access Control

Azure Role Based Access Control (RBAC) is the authorisation system used to manage access to Azure resources. It allows you to grant users, groups, service principals, and managed identities only the permissions they need, at the appropriate scope.

Key Concepts

Security Principal — The identity requesting access: a user, group, service principal, or managed identity
Role Definition — A collection of permissions (actions, notActions, dataActions, notDataActions). Azure provides hundreds of built-in roles; custom roles can also be defined
Scope — The boundary the role applies to. Scopes form a hierarchy: Management Group → Subscription → Resource Group → Resource
Role Assignment — Attaches a role definition to a security principal at a specific scope. Permissions are inherited downward through the scope hierarchy

Scope Hierarchy


Management Group
└── Subscription
    └── Resource Group
        └── Resource

A role assigned at a higher scope is automatically inherited by all child scopes. For example, a Reader assignment on a subscription grants read access to every resource group and resource within it.

Common Built-in Roles

Role	Description
`Owner`	Full access to all resources, including the ability to assign roles
`Contributor`	Create and manage all resources; cannot assign roles or manage access
`Reader`	View all resources; cannot make changes
`User Access Administrator`	Manage user access to Azure resources; cannot manage resources themselves
`Role Based Access Control Administrator`	Manage role assignments; cannot manage resources themselves

Usage

PowerShell


# List all role assignments in a resource group
Get-AzRoleAssignment -ResourceGroupName "rg-myapp-prod-uks-01"
 
# Assign the Reader role to a user at resource group scope
New-AzRoleAssignment `
  -SignInName "user@example.com" `
  -RoleDefinitionName "Reader" `
  -ResourceGroupName "rg-myapp-prod-uks-01"
 
# Assign a role to a security group at subscription scope
$group = Get-AzADGroup -DisplayName "MyTeam"
New-AzRoleAssignment `
  -ObjectId $group.Id `
  -RoleDefinitionName "Contributor" `
  -Scope "/subscriptions/<sub-id>"
 
# Remove a role assignment
Remove-AzRoleAssignment `
  -SignInName "user@example.com" `
  -RoleDefinitionName "Reader" `
  -ResourceGroupName "rg-myapp-prod-uks-01"
 
# List all available built-in role definitions
Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $false } | Select-Object Name, Description | Sort-Object Name

Azure CLI


# List all role assignments in a resource group
az role assignment list \
  --resource-group "rg-myapp-prod-uks-01" \
  --output table
 
# Assign the Reader role to a user at resource group scope
az role assignment create \
  --assignee "user@example.com" \
  --role "Reader" \
  --resource-group "rg-myapp-prod-uks-01"
 
# Assign a role to a security group at subscription scope
GROUP_ID=$(az ad group show --group "MyTeam" --query id -o tsv)
az role assignment create \
  --assignee-object-id $GROUP_ID \
  --assignee-principal-type Group \
  --role "Contributor" \
  --scope "/subscriptions/<sub-id>"
 
# Remove a role assignment
az role assignment delete \
  --assignee "user@example.com" \
  --role "Reader" \
  --resource-group "rg-myapp-prod-uks-01"
 
# List all available built-in role definitions
az role definition list --custom-role-only false --query "[].{Name:roleName, Description:description}" -o table

Bicep


// Assign the Reader role to a security group at resource group scope
// Role definition IDs: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
 
param principalId string  // Object ID of the user, group, or service principal
 
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, readerRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
    principalId: principalId
    principalType: 'Group'  // User | Group | ServicePrincipal
  }
}

Custom Roles

When built-in roles don’t fit the principle of least privilege, custom roles can be defined with a precise set of permissions.

PowerShell


# Define and create a custom role
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = "Custom Storage Blob Reader"
$role.Description = "Read-only access to blob data"
$role.IsCustom = $true
$role.Actions = @("Microsoft.Storage/storageAccounts/read")
$role.DataActions = @("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read")
$role.AssignableScopes = @("/subscriptions/<sub-id>")
 
New-AzRoleDefinition -Role $role

Azure CLI


# Create a custom role from a JSON definition file
az role definition create --role-definition '{
  "Name": "Custom Storage Blob Reader",
  "Description": "Read-only access to blob data",
  "Actions": ["Microsoft.Storage/storageAccounts/read"],
  "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
  "AssignableScopes": ["/subscriptions/<sub-id>"]
}'

Bicep


targetScope = 'subscription'
 
param subscriptionId string = subscription().subscriptionId
 
resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(subscriptionId, 'Custom Storage Blob Reader')
  properties: {
    roleName: 'Custom Storage Blob Reader'
    description: 'Read-only access to blob data'
    type: 'CustomRole'
    permissions: [
      {
        actions: [
          'Microsoft.Storage/storageAccounts/read'
        ]
        dataActions: [
          'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
        ]
      }
    ]
    assignableScopes: [
      '/subscriptions/${subscriptionId}'
    ]
  }
}

Bicep Params


using './main.bicep'
 
// Defaults to the current subscription — override if deploying cross-subscription
param subscriptionId = '<sub-id>'

Best Practices

Apply the principle of least privilege — assign only the permissions needed, scoped as narrowly as possible
Prefer assigning roles to groups rather than individual users to simplify access management
Avoid using Owner at broad scopes; prefer Contributor and grant User Access Administrator separately where needed
Use resource group scope as the default; only escalate to subscription or management group scope when explicitly required
Regularly audit role assignments using Access Reviews or Azure Policy to remove stale permissions
Prefer built-in roles over custom roles where they satisfy least privilege — custom roles add maintenance overhead
Avoid assigning roles at the root management group unless enforcing organisation-wide baseline access