Adding Role assignment in Azure RBAC

Written by

Under the topic

Dated:

December 8, 2024

Table Of Content

In Azure, Role-Based Access Control (RBAC) helps manage who can access Azure resources, what actions they can perform, and at which scope.

To grant someone access to a resource, you need to assign them a role (e.g., Reader, Contributor, Owner) within a defined scope (e.g., subscription, resource group, or individual resource).

Here's a step-by-step guide on how to add a role assignment in Azure RBAC:

Prerequisites

1. Entra ID Role

You must have sufficient permissions to assign roles.

You need to be a User Access Administrator or have a role with equivalent permissions, such as Owner or Contributor at the subscription, resource group, or resource level.

2. Security Principal

You must have a security principal (e.g., user, group, service principal, or managed identity) that you are assigning the role to.

Method 1: Assign Role Using Azure Portal

Go to the Azure portal and sign in with your Azure credentials.

2. Navigate to the Resource:

You can assign roles at various levels like subscription, resource group, or resource.

Select the appropriate scope where you want to assign the role.

For Subscription-level assignment: Go to Subscriptions in the portal.
For Resource Group-level assignment: Go to Resource groups.
For Resource-level assignment: Navigate to the specific resource (e.g., a virtual machine, storage account, etc.).

3. Open Access Control (IAM):

At the scope level (subscription, resource group, or resource), in the left-hand menu, select Access control (IAM).

This is where you can manage role assignments.

4. Click on "Add" and Select "Add role assignment":

In the Access control (IAM) pane, click + Add and then choose Add role assignment.

5. Choose the Role:

In the Add role assignment pane, Under Role, select the role you want to assign.

You can search for built-in roles such as Reader, Contributor, Owner, or any custom role.

6. Select the Security Principal:

Under Select, type the name of the security principal (user, group, service principal, or managed identity) you want to assign the role to.

You can also use email addresses for users or groups, or search for service principals and managed identities.

7. Set the Scope:

The scope is determined by where you are assigning the role.

It could be a subscription, resource group, or specific resource.

8. Review and Assign:

After selecting the role and security principal, review the information.

Click Save to assign the role.

Method 2: Assign Role Using Azure CLI

You can also use the Azure Command-Line Interface (CLI) to assign roles.

Here’s how you can do it:

1. Open Azure CLI:

Open Azure Cloud Shell in the Azure portal or use your local installation of the Azure CLI.


1
az login

3. Assign Role:

Use the az role assignment create command to assign a role.

Replace the placeholders with your actual information:


xxxxxxxxxx
4
1
az role assignment create \
2
--assignee <principal-id> \
3
--role <role-name> \
4
--scope <scope>

Example:

Assignee

This could be a user, group, service principal, or managed identity (typically identified by their Object ID or User Principal Name).

Role

The role you want to assign (e.g., Reader, Contributor, Owner, or custom role).

Scope

The scope for the role assignment (e.g., /subscriptions/{subscription-id}, /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}).

Example command:


xxxxxxxxxx
4
1
az role assignment create \
2
--assignee user@example.com \
3
--role Reader \
4
--scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

4. Verify Role Assignment:

To confirm that the role assignment was successful, use the following command to list the role assignments:


xxxxxxxxxx
2
1
az role assignment list \
2
--assignee user@example.com

Method 3: Assign Role Using Azure PowerShell

You can also use Azure PowerShell to assign roles.

1. Open Azure PowerShell:

Open Azure PowerShell either locally or through the Azure Cloud Shell.

Run the following command to log in:


xxxxxxxxxx
1
1
Connect-AzAccount

3. Assign Role:

Use the New-AzRoleAssignment cmdlet to assign a role.

Replace the placeholders with your actual information:


xxxxxxxxxx
4
1
New-AzRoleAssignment `
2
-ObjectId <principal-id> `
3
-RoleDefinitionName <role-name> `
4
-Scope <scope>

Example:


xxxxxxxxxx
4
1
New-AzRoleAssignment `
2
-ObjectId "user-id" `
3
-RoleDefinitionName "Reader" `
4
-Scope "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}"

4. Verify Role Assignment:

To check the role assignments, use the following cmdlet:


xxxxxxxxxx
1
1
Get-AzRoleAssignment -ObjectId "user-id"

Method 4: Assign Role Using Azure REST API

If you're integrating with Azure programmatically, you can use the Azure REST API to assign roles.

1. Authenticate using Entra ID to get an access token.

2. Use the roleAssignments API to create a new role assignment.

Example API endpoint:


xxxxxxxxxx
1
1
POST https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01-preview

Body:


xxxxxxxxxx
6
1
{
2
  "properties": {
3
    "roleDefinitionId": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-id}",
4
    "principalId": "{principal-id}"
5
  }
6
}

This method is typically used in scenarios where automation or integration with external systems is required.

Things to Remember

1. Scope

Role assignments can be done at different levels: subscription, resource group, and individual resource.

Assign roles at the narrowest scope possible to follow the principle of least privilege.

2. Built-in Roles

Azure provides several built-in roles (e.g., Owner, Contributor, Reader).

You can also create custom roles for specific access requirements.

3. Propagation

Role assignments at higher scopes (e.g., subscription) automatically apply to lower scopes (e.g., resource groups and resources) within the hierarchy.

4. Entra ID Group Assignments

It’s often better to assign roles to Entra ID groups rather than individual users for easier management and scalability.

Summary

To assign a role in Azure RBAC:

Azure Portal

Go to the resource's Access control (IAM) section, select the role, and assign it to the desired principal.

Azure CLI

Use az role assignment create to assign the role through the command line.

Azure PowerShell

Use New-AzRoleAssignment to assign the role via PowerShell.

Azure REST API

Use the roleAssignments API for programmatic role assignment.

These methods allow you to efficiently control access to Azure resources, ensuring users have appropriate permissions for their tasks.

Working with Azure Policy

Azure Policies are a crucial tool for enforcing governa…

What is ARM Template in Azure?

An Azure Resource Manager (ARM) template is a JSON (Jav…

How Role Assignment works in Azure – Secu…

In Azure, Role-Based Access Control (RBAC) is used to m…

What is Azure Resource Hierarchy?

The Azure Resource Hierarchy is the organizational stru…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.