
Built-in roles (Owner, Contributor, Reader) in Azure - Commands & Configuration

Introduction
Azure built-in roles control who can do what in your cloud resources. They let you manage permissions with predefined, tested role definitions instead of writing and maintaining custom roles.
When you want to give full control of a resource to a team member without restrictions.
When you want someone to manage resources but not change access permissions.
When you want to allow someone to only view resources without making changes.
When you need quick permission setup using predefined roles.
When you want to avoid mistakes by using tested, standard roles.
Commands
Assigns the Owner role to user@example.com for the specified resource group, giving full control including managing access.
az role assignment create --assignee user@example.com --role Owner --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup

Expected output:
{
  "canDelegate": false,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "principalId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup",
  "type": "Microsoft.Authorization/roleAssignments"
}
--assignee - Specifies the user or service principal to assign the role
--role - Specifies the built-in role to assign
--scope - Defines the resource or resource group where the role applies
Assigns the Contributor role to user@example.com for the resource group, allowing resource management but not access control.
az role assignment create --assignee user@example.com --role Contributor --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup

Expected output:
{
  "canDelegate": false,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
  "name": "zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz",
  "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup",
  "type": "Microsoft.Authorization/roleAssignments"
}
--assignee - Specifies the user or service principal to assign the role
--role - Specifies the built-in role to assign
--scope - Defines the resource or resource group where the role applies
Assigns the Reader role to user@example.com for the resource group, allowing only viewing access without changes.
az role assignment create --assignee user@example.com --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup

Expected output:
{
  "canDelegate": false,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/cccccccc-cccc-cccc-cccc-cccccccccccc",
  "name": "cccccccc-cccc-cccc-cccc-cccccccccccc",
  "principalId": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup",
  "type": "Microsoft.Authorization/roleAssignments"
}
--assignee - Specifies the user or service principal to assign the role
--role - Specifies the built-in role to assign
--scope - Defines the resource or resource group where the role applies
Lists all role assignments for user@example.com on the specified resource group to verify permissions.
az role assignment list --assignee user@example.com --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup

Expected output:
[
  {
    "principalId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
  }
]
--assignee - Filters role assignments by user or service principal
--scope - Filters role assignments by resource or resource group
Key Concept

If you remember nothing else from this pattern, remember: Owner can do everything including access control, Contributor can manage resources but not access, and Reader can only view resources.

Common Mistakes
Assigning Contributor role when Owner role is needed for access control.
Contributor cannot change permissions, so the user cannot grant access to others.
Use Owner role if the user needs to manage access permissions.
Using a scope that is too broad or too narrow.
A scope that is too broad grants the role on resources you did not intend (an assignment at subscription level is inherited by every resource group beneath it); a scope that is too narrow leaves the needed access missing.
Specify the exact resource group or resource scope where permissions are required.
Not verifying role assignments after creation.
You may think permissions are set but they are not, causing access issues.
Run az role assignment list to confirm the user has the expected roles.
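The scope and verification mistakes above can be checked mechanically against the JSON that az role assignment list returns. The following is an added example, not code from the original page: it takes a constructed sample shaped like list output for one assignee across scopes (with fields trimmed) and reports whether the expected role is present at the intended scope, whether it is only inherited from a broader scope, and whether Owner is granted anywhere in the hierarchy.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee user@example.com --all`
# output with most fields trimmed; it is not output captured from a real tenant.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "user@example.com", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "user@example.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"}
]""")

RG_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"


def scope_covers(assigned, target):
    """True if an assignment at `assigned` applies at `target`: the same scope or a
    parent of it (Azure RBAC inherits assignments down the scope hierarchy).
    Compared case-insensitively on whole path segments, so /rg/foo does not cover /rg/foobar."""
    a = assigned.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def review_assignments(assignments, principal, expected_role, target_scope):
    """Return a list of findings for one principal at one intended scope:
    - the expected role is missing (the 'not verifying' mistake);
    - the expected role is present only by inheritance from a broader scope
      (the 'scope too broad' mistake);
    - Owner is granted at or above the scope when a lesser role was intended
      (Owner carries access-control rights that Contributor and Reader do not)."""
    findings = []
    found = False
    for a in assignments:
        if a["principalName"].lower() != principal.lower():
            continue
        if not scope_covers(a["scope"], target_scope):
            continue  # assignment lives elsewhere in the hierarchy; irrelevant here
        role = a["roleDefinitionName"]
        exact = a["scope"].lower() == target_scope.lower()
        if role == expected_role:
            found = True
            if not exact:
                findings.append(f"{role} is inherited from broader scope {a['scope']}")
        if role == "Owner" and expected_role != "Owner":
            findings.append(f"Owner granted at {a['scope']} exceeds intended {expected_role}")
    if not found:
        findings.append(f"{expected_role} not assigned at {target_scope}")
    return findings


if __name__ == "__main__":
    for line in review_assignments(SAMPLE_ASSIGNMENTS, "user@example.com", "Reader", RG_SCOPE):
        print(line)
```

To run it against a real tenant, replace SAMPLE_ASSIGNMENTS with json.load() over the saved output of az role assignment list for the assignee.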
Summary
Use az role assignment create to assign built-in roles Owner, Contributor, or Reader to users.
Owner role allows full control including managing access, Contributor allows resource management without access control, Reader allows only viewing.
Verify role assignments with az role assignment list to ensure correct permissions.