
Role-Based Access Control (RBAC) in Azure - Commands & Configuration

Introduction
Controlling who can do what in your cloud environment is a core security control. Role-Based Access Control (RBAC) lets you grant the right permissions to the right people or services, at the right scope, so each identity can only reach what it needs. Typical situations where you reach for it:
When you want to let a team member manage virtual machines but not change network settings.
When you need to give an application permission to read data from a storage account without full access.
When you want to limit access to sensitive resources to only certain users.
When you want to track who has access to what in your Azure subscription.
When you want to follow security best practices by giving least privilege access.
Commands
This command assigns the Reader role to the user with email user@example.com for the resource group named myResourceGroup. It lets the user view resources but not change them.
Terminal
az role assignment create --assignee user@example.com --role "Reader" --scope /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup
Expected Output
{
  "canDelegate": null,
  "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/abcdef12-3456-7890-abcd-ef1234567890",
  "name": "abcdef12-3456-7890-abcd-ef1234567890",
  "principalId": "11111111-2222-3333-4444-555555555555",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "scope": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup",
  "type": "Microsoft.Authorization/roleAssignments"
}
--assignee - Specifies the user, group, or service principal to assign the role to. It accepts a user principal name, an object ID, or an application ID. In automation, prefer --assignee-object-id together with --assignee-principal-type (User, Group, ServicePrincipal) so the CLI does not have to look the principal up in the directory, which avoids failures on freshly created identities.
--role - Defines the role to assign, like Reader, Contributor, or Owner. Note that Owner and User Access Administrator can themselves create role assignments, so granting either hands out the ability to grant more.
--scope - Limits the role assignment to a specific resource, resource group, subscription, or management group. Permissions granted at a scope are inherited by everything beneath it.
This command lists the role assignments made directly for the user user@example.com at the specified resource group. It helps verify what permissions the user has. By default it does not show assignments the user inherits from the subscription or management group, nor assignments granted through group membership; add --include-inherited and --include-groups to see the effective picture.
Terminal
az role assignment list --assignee user@example.com --scope /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup
Expected Output
[
  {
    "canDelegate": null,
    "id": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/roleAssignments/abcdef12-3456-7890-abcd-ef1234567890",
    "name": "abcdef12-3456-7890-abcd-ef1234567890",
    "principalId": "11111111-2222-3333-4444-555555555555",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/12345678-1234-1234-1234-123456789abc/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "scope": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup",
    "type": "Microsoft.Authorization/roleAssignments"
  }
]
--assignee - Filters the list to show assignments for this user or service principal.
--scope - Limits the list to assignments within this resource or group.
This command removes the Reader role assignment from the user user@example.com for the specified resource group. It revokes that assignment only; if the same user still holds a role at a broader scope (for example Reader on the subscription), they keep read access through inheritance.
Terminal
az role assignment delete --assignee user@example.com --role "Reader" --scope /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup
Expected Output
No output (command runs silently)
--assignee - Specifies the user or service principal whose role assignment will be removed.
--role - Specifies which role assignment to remove.
--scope - Limits the removal to the specified resource or group.
Key Concept

If you remember nothing else from this pattern, remember: RBAC lets you control who can do what by assigning roles with specific permissions to users or services at the right scope.

Common Mistakes
Assigning a role without specifying the correct scope.
The role ends up at a broader or unintended level than you meant, granting more access than needed. Where the CLI version allows omitting --scope, the assignment lands on the whole subscription.
Always pass --scope with the full resource ID of the exact resource or group, and read the "scope" field in the command's output to confirm where the assignment landed.
Using an incorrect or misspelled role name.
The command will fail because the role does not exist or is not recognized.
Use exact role names like "Reader", "Contributor", or "Owner" and check available roles with az role definition list (for example az role definition list --query "[].roleName" -o tsv).
Not verifying role assignments after creating or deleting them.
You might think permissions changed when they did not, leading to confusion or security risks; a delete can also succeed while the user retains the same permission through an inherited or group-based assignment.
Use az role assignment list (with --include-inherited and --include-groups) to confirm the current effective assignments.
Granting Contributor or Owner when a narrower role would do.
Owner and User Access Administrator include permission to write role assignments, so the holder can escalate their own access; Contributor can modify or delete every resource in scope.
Start from the least privileged built-in role that covers the task (Reader, or a service-specific role such as a storage data role) and widen only when a concrete action fails.
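The verification step above, and the scope mistake before it, are easiest to catch by feeding the JSON that az role assignment list --all -o json produces into a small audit. The script below is an added example, not code from the original page or from Azure: it reads that JSON (here a constructed sample shaped like the CLI output, with made-up principal IDs and a made-up custom-role GUID), names the built-in roles by their published role definition GUIDs, classifies each assignment's scope, flags privileged roles, write roles held by service principals, and anything other than Reader at subscription or management-group scope, and offers has_assignment() as the post-create/post-delete check.

```python
"""Audit Azure RBAC assignments from `az role assignment list --all -o json`.

Added example (not the page's or Azure's own code). Run with no arguments to
audit the constructed SAMPLE_JSON below, or pass a file saved from the CLI.
"""
import json
import sys

# Built-in role definition GUIDs: the last segment of "roleDefinitionId".
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
# Roles that can write Microsoft.Authorization/*: the holder can grant itself more.
PRIVILEGED = {"Owner", "User Access Administrator"}
WRITE_ROLES = PRIVILEGED | {"Contributor"}
BROAD_SCOPES = {"root", "management group", "subscription"}

SUB = "/subscriptions/12345678-1234-1234-1234-123456789abc"
RG = SUB + "/resourceGroups/myResourceGroup"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample, shaped like the CLI's JSON; IDs are made up.
SAMPLE_JSON = json.dumps([
    {"principalId": "11111111-2222-3333-4444-555555555555", "principalType": "User",
     "roleDefinitionId": ROLE_DEFS + "acdd72a7-3385-48ef-bd42-f606fba81ae7", "scope": RG},
    {"principalId": "22222222-2222-3333-4444-555555555555", "principalType": "User",
     "roleDefinitionId": ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "scope": SUB},
    {"principalId": "33333333-2222-3333-4444-555555555555", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c", "scope": SUB},
    {"principalId": "44444444-2222-3333-4444-555555555555", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEFS + "00000000-0000-0000-0000-0000000000aa",  # hypothetical custom role
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/mystorage"},
])


def role_name(assignment):
    """Map roleDefinitionId to a built-in name, else the CLI's roleDefinitionName or the GUID."""
    guid = assignment["roleDefinitionId"].rsplit("/", 1)[-1].lower()
    return BUILTIN_ROLES.get(guid, assignment.get("roleDefinitionName") or "custom:" + guid)


def scope_level(scope):
    """Classify an ARM scope string: root, management group, subscription, resource group, resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "management group"
    if parts[0].lower() != "subscriptions":
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource group"
    return "resource"


def audit(assignments_json):
    """Return a finding per assignment that violates the least-privilege rules above."""
    findings = []
    for a in json.loads(assignments_json):
        role, level = role_name(a), scope_level(a["scope"])
        reasons = []
        if role in PRIVILEGED:
            reasons.append(f"{role} can modify role assignments")
        if level in BROAD_SCOPES and role != "Reader":
            reasons.append(f"{role} at {level} scope")
        if a.get("principalType") == "ServicePrincipal" and role in WRITE_ROLES:
            reasons.append("workload identity holds a write role")
        if reasons:
            findings.append({"principalId": a["principalId"], "role": role,
                             "scope": a["scope"], "reasons": reasons})
    return findings


def has_assignment(assignments_json, principal_id, role, scope):
    """Post-change check: is `role` assigned to `principal_id` at exactly `scope`?"""
    return any(a["principalId"] == principal_id and role_name(a) == role
               and a["scope"].lower() == scope.lower()
               for a in json.loads(assignments_json))


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for f in audit(data):
        print(f"{f['principalId']}  {f['role']:<26} {f['scope']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Against the sample, the Reader-on-resource-group assignment from the page passes, the Owner at subscription scope is flagged twice (privileged role, broad scope), and the Contributor service principal at subscription scope is flagged for both broad scope and a workload identity holding a write role. The scope matching in has_assignment is exact on purpose: an assignment one level up still grants the permission through inheritance, but it is a different object, and a delete at the resource-group scope will not remove it.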
Summary
Use az role assignment create to give a user or service a role with specific permissions at a defined scope.
Use az role assignment list to check what roles a user or service has on resources.
Use az role assignment delete to remove roles and revoke permissions when no longer needed.