Complete the code to assign a role to a user in Azure RBAC.
az role assignment create --assignee [1] --role "Reader" --scope /subscriptions/00000000-0000-0000-0000-000000000000
The --assignee parameter requires the user or service principal's identifier, such as an email or object ID. Here, user@example.com is the correct assignee.
Complete the code to list role assignments for a specific resource group.
az role assignment list --scope [1]The --scope parameter requires the full resource ID. For a resource group, it starts with /subscriptions/.../resourceGroups/ followed by the group name.
Fix the error in the command to remove a role assignment by its ID.
az role assignment delete --ids [1]The --ids parameter requires the full resource ID of the role assignment, which includes the subscription, provider, and role assignment GUID.
Fill both blanks to create a custom role definition with permissions.
{
"Name": "Custom Reader",
"IsCustom": true,
"Description": "Can read resources",
"Actions": [[1]],
"NotActions": [[2]]
}The Actions list should include read permissions like "Microsoft.Resources/subscriptions/resourceGroups/read". The NotActions list excludes write permissions like "Microsoft.Resources/subscriptions/resourceGroups/write" to prevent modification.
Fill all three blanks to assign a built-in role to a service principal at subscription scope.
az role assignment create --assignee [1] --role [2] --scope [3]
The --assignee is the service principal's email or object ID (myServicePrincipal@example.com). The --role is a built-in role like Contributor. The --scope is the subscription resource ID.