
Steps to assign an Azure role


Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes the high-level steps to assign Azure roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Step 1: Determine who needs access

You first need to determine who needs access. You can assign a role to a user, group, service principal, or managed identity. This is also called a security principal.

Security principal for a role assignment

  • User - An individual who has a profile in Microsoft Entra ID. You can also assign roles to users in other tenants. For information about users in other organizations, see Microsoft Entra B2B.
  • Group - A set of users created in Microsoft Entra ID. When you assign a role to a group, all users within that group have that role.
  • Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
  • Managed identity - An identity in Microsoft Entra ID that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Step 2: Select the appropriate role

Permissions are grouped together into a role definition. It's typically just called a role. You can select from a list of several built-in roles. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles.

Role definition for a role assignment

Roles are organized into job function roles and privileged administrator roles.

Job function roles

Job function roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. To select the appropriate job function role, use these steps:

Begin with the comprehensive article, Azure built-in roles. The table at the top of the article is an index into the details later in the article.

In that article, navigate to the service category (such as compute, storage, and databases) for the resource to which you want to grant permissions. The easiest way to find what you're looking for is typically to search the page for a relevant keyword, like "blob", "virtual machine", and so on.

Review the roles listed for the service category and identify the specific actions you need. Again, always start with the most restrictive role.

For example, if a security principal needs to read blobs in an Azure storage account, but doesn't need write access, then choose Storage Blob Data Reader rather than Storage Blob Data Contributor (and definitely not the administrator-level Storage Blob Data Owner role). You can always update the role assignments later as needed.

If you don't find a suitable role, you can create a custom role.

Privileged administrator roles

Privileged administrator roles are roles that grant privileged administrator access, such as the ability to manage Azure resources or assign roles to other users. The following roles are considered privileged and apply to all resource types.

For best practices when using privileged administrator role assignments, see Best practices for Azure RBAC. For more information, see Privileged administrator role definition.

Step 3: Identify the needed scope

Scope is the set of resources that the access applies to. In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope. The level you select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.

Scope for a role assignment

When you assign a role at a parent scope, those permissions are inherited to the child scopes. For example:

  • If you assign the Reader role to a user at the management group scope, that user can read everything in all subscriptions in the management group.
  • If you assign the Billing Reader role to a group at the subscription scope, the members of that group can read billing data for every resource group and resource in the subscription.
  • If you assign the Contributor role to an application at the resource group scope, it can manage resources of all types in that resource group, but not other resource groups in the subscription.

It's a best practice to grant security principals the least privilege they need to perform their job. Avoid assigning broader roles at broader scopes even if it initially seems more convenient. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. For more information, see Understand scope.
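The inheritance rules in Step 3 can be checked mechanically: a role assigned at a parent scope applies to every child scope under it, and nowhere else. The script below is an added example, not code from the Microsoft article. It builds the scope strings for the four levels and answers "does an assignment at scope A reach resource B?" with plain string comparison (a management group's subscriptions come from a constructed membership table, since that relation is not visible in the path). All subscription IDs and names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: build the scope strings
# for the four Azure RBAC scope levels and check whether a role assigned at
# one scope is inherited by another. All IDs and names are constructed.

# scope_path LEVEL ARGS... -> prints the scope string
#   mg MG_NAME | sub SUB_ID | rg SUB_ID RG_NAME | res SUB_ID RG_NAME PROVIDER_PATH
scope_path() {
  case "$1" in
    mg)  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$2" ;;
    sub) printf '/subscriptions/%s\n' "$2" ;;
    rg)  printf '/subscriptions/%s/resourceGroups/%s\n' "$2" "$3" ;;
    res) printf '/subscriptions/%s/resourceGroups/%s/providers/%s\n' "$2" "$3" "$4" ;;
    *)   echo "unknown scope level: $1" >&2; return 1 ;;
  esac
}

# Constructed membership table "MG_NAME:SUB_ID". A real script would read it
# from an inventory; nested management groups are not modelled here.
MG_MEMBERS="mg-corp:11111111-1111-1111-1111-111111111111 mg-corp:22222222-2222-2222-2222-222222222222"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# scope_covers ASSIGNED_SCOPE TARGET_SCOPE -> exit 0 if a role assigned at
# ASSIGNED_SCOPE applies, by inheritance, to TARGET_SCOPE. Azure scopes are
# compared case-insensitively; a parent covers itself and everything below it.
scope_covers() {
  parent=$(lower "$1"); child=$(lower "$2")
  if [ "$parent" = "/" ]; then return 0; fi      # root scope covers everything
  case "$parent" in
    /providers/microsoft.management/managementgroups/*)
      mg=${parent##*/}
      for member in $MG_MEMBERS; do
        [ "$(lower "${member%%:*}")" = "$mg" ] || continue
        sub=$(lower "${member#*:}")
        case "$child" in
          /subscriptions/"$sub"|/subscriptions/"$sub"/*) return 0 ;;
        esac
      done
      return 1 ;;
  esac
  case "$child" in
    "$parent"|"$parent"/*) return 0 ;;
    *) return 1 ;;
  esac
}

SUB=11111111-1111-1111-1111-111111111111
mg_scope=$(scope_path mg mg-corp)
sub_scope=$(scope_path sub "$SUB")
rg_pharma=$(scope_path rg "$SUB" pharma-sales)
rg_marketing=$(scope_path rg "$SUB" marketing-web)
vm_scope=$(scope_path res "$SUB" pharma-sales Microsoft.Compute/virtualMachines/vm01)

report() {
  if scope_covers "$1" "$2"; then echo "inherited:     $1 -> $2"; else echo "not inherited: $1 -> $2"; fi
}
report "$mg_scope" "$sub_scope"       # Reader at the management group reaches the subscription
report "$sub_scope" "$rg_pharma"      # Billing Reader at the subscription reaches every resource group
report "$rg_pharma" "$vm_scope"       # Contributor on pharma-sales reaches a VM inside it
report "$rg_pharma" "$rg_marketing"   # ...but not a sibling resource group
```

The last line is the least-privilege point of the section in executable form: an assignment on one resource group gives nothing on its siblings, so scoping to the resource group rather than the subscription is what keeps a compromised principal contained.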

Step 4: Check your prerequisites

To assign roles, you must be signed in as a user that has been assigned a role with the role assignments write permission, such as Role Based Access Control Administrator, at the scope at which you are trying to assign the role. Similarly, to remove a role assignment, you must have the role assignments delete permission.

  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete

If your user account doesn't have permission to assign a role within your subscription, you see an error message that your account "does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'." In this case, contact the administrators of your subscription as they can assign the permissions on your behalf.

If you are using a service principal to assign roles, you might get the error "Insufficient privileges to complete the operation." This error is likely because Azure is attempting to look up the assignee identity in Microsoft Entra ID and the service principal cannot read Microsoft Entra ID by default. In this case, you need to grant the service principal permissions to read data in the directory. Alternatively, if you are using Azure CLI, you can create the role assignment by using the assignee object ID to skip the Microsoft Entra lookup. For more information, see Troubleshoot Azure RBAC.

Step 5: Assign role

Once you know the security principal, role, and scope, you can assign the role. You can assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs.

You can have up to 4000 role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to 500 role assignments in each management group. For more information, see Troubleshoot Azure RBAC limits.

Check out the following articles for detailed steps for how to assign roles.

  • Assign Azure roles using the Azure portal
  • Assign Azure roles using Azure PowerShell
  • Assign Azure roles using Azure CLI
  • Assign Azure roles using the REST API
  • Tutorial: Grant a user access to Azure resources using the Azure portal


RBAC in Azure: A Practical Guide

What is Azure RBAC?

Azure role-based access control (Azure RBAC) enables access management for Azure resources. It’s an authorization system built into the Azure Resource Manager. You can use Azure RBAC to define which specific users should be allowed access to Azure cloud resources and assign a set of privileges for each user group. Let’s learn more about the specifics.

Azure RBAC vs Azure ABAC

As mentioned earlier, Azure RBAC allows you to manage access to Azure resources, defining what users can do with resources and their access areas. It lets you use role definitions and role assignments to control access. However, it does not offer fine-grained access management and can be difficult when managing hundreds of role assignments.

Azure attribute-based access control (ABAC) works differently.

Azure ABAC allows you to add role assignment conditions to achieve fine-grained access control. It builds on Azure RBAC, letting you add attributes for specific actions. Each role assignment condition provides an additional, optional check to a role assignment. Once you set it up, the condition can filter down permissions provisioned as a part of the role definition and assignment. 

Azure RBAC Concepts

Azure RBAC roles

In Azure RBAC, a role definition is a set of permissions (role). It defines users’ actions, such as write, delete, and read. You can define high-level roles, such as an owner, or specific roles, such as a virtual machine (VM) reader.


Azure provides various built-in roles, including a virtual machine contributor role that allows users to create and manage VMs. If the built-in roles do not satisfy your requirements, you can also define Azure custom roles. You can use data actions to grant access to data stored in a specific object. 

The term scope refers to the set of resources that an access grant applies to. A role assignment binds a security principal to a role at a particular scope. Limiting the scope limits the set of resources at risk if the security principal is compromised.

Azure RBAC lets you specify a scope at four levels, including a management group level, a subscription level, a resource group level, and a resource level. Azure structures scopes in a parent-child relationship, with each hierarchy level making the scope more specific. It lets you assign roles at any of the four levels. However, note that the level you choose determines how the role is applied. 


Azure also lets you use management groups, a level of scope above subscriptions. Management groups support complex hierarchies. The diagram below illustrates an example of a hierarchy of management groups and subscriptions.

Role Assignments

Role assignments enable you to attach role definitions to specific users, groups, service principals, or managed identities at a certain scope. When creating a role assignment, you grant specific access, and removing the assignment revokes this access.

Here is a diagram that illustrates an example of a role assignment: 


This example assigns a contributor role to the marketing group—only for the pharma-sales resource group. It enables all users in the marketing group to create or manage Azure resources in the pharma-sales resource group. However, it does not provide marketing users with access to resources external to the pharma-sales resource group.

Azure Groups

Role assignments are transitive for groups, allowing users to gain permissions assigned to groups. If user A is a member of group B and group B is a member of group C with its own role assignment, user A gets the permissions in group C’s role assignment.

Azure RBAC uses an additive model to prevent issues when users get several overlapping role assignments. You can see an example of this principle in the image below. A certain user is granted a reader role by a resource group and a contributor role at the subscription level. The sum of the reader and contributor permissions is the contributor role. The reader role assignment has no impact.


Best Practices for Azure RBAC

Only grant the access users need.

With Azure RBAC, you can create isolation between different teams, granting each team only the access they need to get the job done. 

Instead of granting unlimited permissions to everyone with an Azure subscription or resource, you can only allow specific actions within specific scopes. Avoid assigning broad roles, even if they seem more convenient at first. When you create a custom role, include only the permissions your users need. This ensures that there’s less risk if a principal account is compromised.

The following diagram shows the recommended pattern for granting permissions in Azure RBAC.


Use Azure AD Privileged Identity Management

To protect privileged accounts from malicious cyberattacks, Azure Active Directory Privileged Identity Management (PIM) can be used to reduce privilege issuance time and improve visibility through reports and alerts. PIM helps protect privileged accounts by providing temporary privileged access to Azure AD and Azure resources. Access is time-limited, after which privileges are automatically revoked.

Assign Roles Using Unique Role ID Instead of the Role Name

Role names may change over time, but the role ID always stays the same. Common examples of role name changes are when you rename a custom role of your own, or when you use a preview role that has (Preview) in its name: when the role is released from preview, it is automatically renamed.

To ensure consistency over time, it is a good idea to always assign users to a role ID when assigning roles using scripting or automation. This way, scripts won’t break if the name changes in the future. 
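The two practices meet in one command line: pin the role by its definition ID rather than its display name, and name the assignee by object ID plus principal type, which is also the Azure CLI path that skips the Microsoft Entra lookup described in "Step 4: Check your prerequisites" earlier on this page. The script below is an added example, not code from the Microsoft or Frontegg articles. It validates each argument before anything is sent to Azure and runs in dry-run mode by default; every GUID in it is a constructed placeholder, and the real role GUID would come from `az role definition list --name "<role name>" --query "[].name" -o tsv`.

```shell
#!/bin/sh
# Added example, not code from the Microsoft or Frontegg articles: compose an
# `az role assignment create` call that pins the role by definition ID and
# identifies the assignee by object ID and principal type. Every GUID below is
# a constructed placeholder. DRY_RUN=1 (the default) prints instead of running.

# is_guid VALUE -> exit 0 if VALUE has GUID shape
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# role_definition_id SUB_ID ROLE_GUID -> fully qualified role definition resource ID
role_definition_id() {
  printf '/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s\n' "$1" "$2"
}

# assign_role_cmd OBJECT_ID PRINCIPAL_TYPE ROLE_DEFINITION_ID SCOPE -> prints the command.
# Rejects UPNs and role names so the call stays lookup-free and rename-proof.
assign_role_cmd() {
  obj=$1; ptype=$2; role=$3; scope=$4
  if ! is_guid "$obj"; then
    echo "assignee must be an object ID (GUID), got: $obj" >&2; return 1
  fi
  case "$ptype" in
    User|Group|ServicePrincipal|ForeignGroup) ;;
    *) echo "unsupported principal type: $ptype" >&2; return 1 ;;
  esac
  case "$role" in
    /subscriptions/*/providers/Microsoft.Authorization/roleDefinitions/*|/providers/Microsoft.Authorization/roleDefinitions/*) ;;
    *) echo "role must be a role definition ID, not a name: $role" >&2; return 1 ;;
  esac
  case "$scope" in
    /*) ;;
    *) echo "scope must be an absolute resource ID: $scope" >&2; return 1 ;;
  esac
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type %s --role %s --scope %s\n' \
    "$obj" "$ptype" "$role" "$scope"
}

# assign_role OBJECT_ID PRINCIPAL_TYPE ROLE_DEFINITION_ID SCOPE
# Validates first; then prints (DRY_RUN=1) or invokes az with the same
# arguments directly, so no shell re-parsing of the composed string happens.
assign_role() {
  assign_role_cmd "$@" >/dev/null || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    assign_role_cmd "$@" | sed 's/^/dry-run: /'
  else
    az role assignment create --assignee-object-id "$1" --assignee-principal-type "$2" --role "$3" --scope "$4"
  fi
}

SUB=11111111-1111-1111-1111-111111111111
SP_OBJECT_ID=aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa    # object ID of the service principal (constructed)
ROLE_GUID=bbbbbbbb-0000-0000-0000-bbbbbbbbbbbb       # role definition GUID (constructed)
# Scoped to a single storage account rather than the subscription
assign_role "$SP_OBJECT_ID" ServicePrincipal "$(role_definition_id "$SUB" "$ROLE_GUID")" \
  "/subscriptions/$SUB/resourceGroups/pharma-sales/providers/Microsoft.Storage/storageAccounts/pharmalogs"
```

Because the object ID is supplied together with `--assignee-principal-type`, the CLI does not need directory read permission on the calling identity, which is why this form also avoids the "Insufficient privileges to complete the operation" error that the Microsoft article attributes to the Entra lookup.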

Assign Roles to Groups and Limit Subscription Owners

To make it easier to manage role assignments, do not assign roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users minimizes the number of role assignments. Note that Azure imposes restrictions on the total role assignments allowed per subscription.

Microsoft recommends having a maximum of 3 owners for each Azure subscription, to reduce the likelihood of a breach by a compromised or malicious insider.

Cloud RBAC with Frontegg

Frontegg provides out of the box RBAC model implementation. Customers can now create their own roles and permissions which represent their product models and use cases. Additionally, Frontegg empowers the end users to create custom roles to represent their permissions model, without having to change a single line of code in the product. Sounds too good to be true? Try it out now.  


What is the default RBAC scope used when assigning a role in Azure with the CLI?

This is the documentation for the az role assignment create command: https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create

--scope is an optional parameter. This is what the documentation says about it:

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

As you can see, it doesn't say what the default value for this parameter is. I can't find it anywhere, so I found myself forced to ask here.


  • I can't select my own answer as the correct one because I have to wait 2 days, but that's the correct answer anyways. –  Adrian Jan 22, 2022 at 4:25

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli#step-4-assign-role

Apparently, when the --scope parameter is not provided, its value depends on whether the --resource-group parameter is provided. If you provide that parameter, it's as if you had specified the resource group scope. Otherwise, the subscription scope is assumed.
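The default described in that answer is exactly the kind of thing worth making explicit before an assignment is created, because the silent fallback is the broadest of the three outcomes. The script below is an added example, not part of the question or answer: `effective_scope` reproduces the documented resolution order from the arguments you were about to pass, and `preflight` refuses to proceed when the result would be subscription scope or wider unless that is acknowledged with `ALLOW_BROAD_SCOPE=1`. Supplying both `--scope` and `--resource-group` is treated as an error, which is also how the CLI handles that combination. The subscription ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the question or answer above: make the implicit
# default scope of `az role assignment create` explicit before anything is
# created. The subscription ID is constructed.

# effective_scope SUB_ID [az role assignment create arguments...]
# Resolution order: explicit --scope; else --resource-group/-g implies the
# resource-group scope; else the subscription scope.
effective_scope() {
  sub=$1; shift
  scope=''; rg=''
  while [ $# -gt 0 ]; do
    case "$1" in
      --scope|--resource-group|-g)
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        if [ "$1" = "--scope" ]; then scope=$2; else rg=$2; fi
        shift 2 ;;
      --scope=*)          scope=${1#--scope=}; shift ;;
      --resource-group=*) rg=${1#--resource-group=}; shift ;;
      *)                  shift ;;
    esac
  done
  if [ -n "$scope" ] && [ -n "$rg" ]; then
    echo "--resource-group is redundant when --scope is supplied" >&2; return 1
  elif [ -n "$scope" ]; then printf '%s\n' "$scope"
  elif [ -n "$rg" ]; then printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else printf '/subscriptions/%s\n' "$sub"
  fi
}

# scope_level SCOPE -> management-group | subscription | resource-group | resource | unknown
# (scopes are case-insensitive in Azure, so the match is done lowercased)
scope_level() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    /providers/microsoft.management/managementgroups/*) echo management-group ;;
    /subscriptions/*/resourcegroups/*/providers/*)      echo resource ;;
    /subscriptions/*/resourcegroups/*)                  echo resource-group ;;
    /subscriptions/*)                                   echo subscription ;;
    *)                                                  echo unknown ;;
  esac
}

# preflight SUB_ID ARGS... -> prints the resolved scope and level; fails when
# the assignment would land at subscription scope or above unless
# ALLOW_BROAD_SCOPE=1 confirms that choice.
preflight() {
  resolved=$(effective_scope "$@") || return 1
  level=$(scope_level "$resolved")
  printf 'resolved scope: %s (%s)\n' "$resolved" "$level"
  case "$level" in
    subscription|management-group)
      if [ "${ALLOW_BROAD_SCOPE:-0}" != "1" ]; then
        echo "refusing broad scope; set ALLOW_BROAD_SCOPE=1 to confirm" >&2; return 1
      fi ;;
  esac
}

SUB=11111111-1111-1111-1111-111111111111
preflight "$SUB" --assignee 00000000-0000-0000-0000-000000000000 --role Reader -g pharma-sales
preflight "$SUB" --assignee 00000000-0000-0000-0000-000000000000 --role Reader || echo "(blocked: no --scope and no --resource-group)"
```

A wrapper like this sits well in a deployment pipeline: the same argument list that would be passed to `az` is inspected first, and an omitted `--scope` is reported as the subscription-wide grant it really is rather than discovered later in the assignment list.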



Instructions to generate the creds use deprecated CLI option '--sdk-auth' #40

phillipleblanc commented Nov 30, 2021

github-actions bot commented Dec 14, 2021

erik-ha-msft commented Jan 5, 2022

github-actions bot commented Jan 20, 2022

OliverMKing commented Feb 3, 2022 (edited)

OliverMKing commented Feb 9, 2022


Create Azure role assignments

In this section, you grant permissions to GKE on Azure to access Azure APIs.

To save your service principal and subscription IDs to a shell variable, run the following command. Replace APPLICATION_NAME with a name for your application.

Assign permissions to the service principal. GKE on Azure requires permissions to provision required roles for the managed Azure resources at the subscription level.

To create a custom role with required subscription scoped permissions:

Create a new file named RoleAssignmentCreator.json .

Open RoleAssignmentCreator.json in an editor and add the following permissions:

Create the new custom role with the following command:

Assign the role to the service principal using the following command:

When assigning permissions, you can scope them either at the Azure subscription level, which applies to all resources within the subscription, or at the resource group level, which limits permissions to a specific resource group.

Subscription

Assign the Contributor, User Access Administrator, and Key Vault Administrator roles to your subscription:

Resource group

Create role assignments scoped to the cluster resource group. Replace CLUSTER_RESOURCE_GROUP_NAME with the name of the resource group for your GKE on Azure.

If your Azure Virtual Network is in a different resource group, create role assignments scoped to the virtual network resource group.

Replace the following:

  • VNET_RESOURCE_GROUP_NAME : the name for the resource group for your GKE on Azure VNet

What's next

  • Create a client certificate

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-03-28 UTC.

Create a service principal

The installation of OpenShift® Container Platform requires the creation of Microsoft Azure resources through the Azure Resource Manager. To facilitate this, you must create a service principal.

About this task

Create the service principal for your account and assign it to the Contributor role by issuing this command:

For example,

The output should be similar to:

From this output, record the values of the appId and password parameters. These are required during OpenShift Container Platform installation (including creation of the OpenShift Container Platform installation file).

To delete the service principal and its identity, issue these commands:

To determine the subscription ID for use in the delete command, follow these steps:

  • Log in to Azure at https://portal.azure.com/?fromAccountsPortal=true#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview .
  • Type Enterprise Applications in the search bar.
  • Select All Applications in the Application Type menu.
  • Click Apply .
  • Search for the application name, for example gi300 .
  • Click the name to open its page.
  • Select Properties in the left panel.
  • Record the value of the subscription ID .

Build infrastructure


In this tutorial, you will create a Terraform configuration to deploy an Azure resource group. This resource group is the foundation for the infrastructure you will build in the subsequent tutorials.

Prerequisites

  • An Azure subscription. If you do not have an Azure account, create one now. This tutorial can be completed using only the services included in an Azure free account.

If you are using a paid subscription, you may be charged for the resources needed to complete the tutorial.

Terraform 0.14.9 or later

The Azure CLI Tool installed

Install the Azure CLI tool

You will use the Azure CLI tool to authenticate with Azure.

Open your PowerShell prompt as an administrator and run the following command:

Homebrew is a free and open-source package management system for Mac OS X.

Install the Azure CLI formula from the terminal.

Authenticate using the Azure CLI

Terraform must authenticate to Azure to create infrastructure.

In your terminal, use the Azure CLI tool to set up your account permissions locally.

Your browser will open and prompt you to enter your Azure login credentials. After successful authentication, your terminal will display your subscription information.

Find the id column for the subscription account you want to use.

Once you have chosen the account subscription ID, set the account with the Azure CLI.

Create a Service Principal

Next, create a Service Principal. A Service Principal is an application within Azure Active Directory with the authentication tokens Terraform needs to perform actions on your behalf. Update the <SUBSCRIPTION_ID> with the subscription ID you specified in the previous step.

Set your environment variables

HashiCorp recommends setting these values as environment variables rather than saving them in your Terraform configuration.

In your PowerShell terminal, set the following environment variables. Be sure to update the variable values with the values Azure returned in the previous command.

In your terminal, set the following environment variables. Be sure to update the variable values with the values Azure returned in the previous command.

For more information on Service Principal authentication, visit the Azure provider documentation.
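The OpenShift document earlier on this page and this tutorial both end the service principal step the same way: take the `appId`, `password` and `tenant` values from the JSON that `az ad sp create-for-rbac` prints and get them into the environment, not into a file. The script below is an added example, not code from HashiCorp or the OpenShift document. It parses that JSON (the default output, since the GitHub issue title earlier on this page records that `--sdk-auth` is deprecated) into the `ARM_*` variables the azurerm provider reads, refuses to emit a partial set if a field is missing, and masks the secret when it is echoed. The JSON is a constructed sample, not real credentials.

```shell
#!/bin/sh
# Added example, not from the HashiCorp tutorial or the OpenShift document:
# turn the JSON printed by `az ad sp create-for-rbac` into the ARM_* variables
# the azurerm provider reads. The JSON below is a constructed sample.

SP_JSON_SAMPLE='{
  "appId": "aaaaaaaa-1111-2222-3333-444444444444",
  "displayName": "terraform-sp",
  "password": "constructed-secret-value",
  "tenant": "bbbbbbbb-5555-6666-7777-888888888888"
}'

# json_string_field KEY < JSON -> the string value of KEY
# (one "key": "value" pair per line, which is how az prints its output)
json_string_field() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# arm_exports SUBSCRIPTION_ID JSON -> prints `export ARM_...='...'` lines for eval.
# Fails rather than emit a partial set; rejects values that would break the quoting.
arm_exports() {
  sub=$1; json=$2
  app_id=$(printf '%s\n' "$json" | json_string_field appId)
  secret=$(printf '%s\n' "$json" | json_string_field password)
  tenant=$(printf '%s\n' "$json" | json_string_field tenant)
  for v in "$sub" "$app_id" "$secret" "$tenant"; do
    if [ -z "$v" ]; then
      echo "service principal output is missing a required field" >&2; return 1
    fi
    case "$v" in
      *\'*) echo "value contains a single quote; refusing to build export lines" >&2; return 1 ;;
    esac
  done
  printf "export ARM_CLIENT_ID='%s'\n" "$app_id"
  printf "export ARM_CLIENT_SECRET='%s'\n" "$secret"
  printf "export ARM_SUBSCRIPTION_ID='%s'\n" "$sub"
  printf "export ARM_TENANT_ID='%s'\n" "$tenant"
}

# masked VALUE -> first four characters followed by asterisks, for logs only
masked() { printf '%.4s****\n' "$1"; }

SUB=11111111-1111-1111-1111-111111111111      # constructed subscription ID
# Real use would pipe the CLI output straight in, so the secret never lands on disk:
#   eval "$(arm_exports "$SUB" "$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$SUB")")"
eval "$(arm_exports "$SUB" "$SP_JSON_SAMPLE")"
echo "ARM_CLIENT_ID=$ARM_CLIENT_ID ARM_TENANT_ID=$ARM_TENANT_ID ARM_CLIENT_SECRET=$(masked "$ARM_CLIENT_SECRET")"
```

Because the values only ever live in the shell's environment, nothing sensitive ends up in `main.tf` or in the state file's inputs, which is the point the tutorial's "set your environment variables" section is making.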

Write configuration

Create a folder called learn-terraform-azure .

Create a directory called learn-terraform-azure .

Change into the new directory.

Create a new file called main.tf and paste the configuration below.

The location of your resource group is hardcoded in this example. If you do not have access to the resource group location westus2, update the main.tf file with your Azure region.

This is a complete configuration that Terraform can apply. In the following sections you will review each block of the configuration in more detail.

Terraform Block

The terraform {} block contains Terraform settings, including the required providers Terraform will use to provision your infrastructure. For each provider, the source attribute defines an optional hostname, a namespace, and the provider type. Terraform installs providers from the Terraform Registry by default. In this example configuration, the azurerm provider's source is defined as hashicorp/azurerm , which is shorthand for registry.terraform.io/hashicorp/azurerm .

You can also define a version constraint for each provider in the required_providers block. The version attribute is optional, but we recommend using it to enforce the provider version. Without it, Terraform will always use the latest version of the provider, which may introduce breaking changes.

To learn more, reference the provider source documentation.

The provider block configures the specified provider, in this case azurerm . A provider is a plugin that Terraform uses to create and manage your resources. You can define multiple provider blocks in a Terraform configuration to manage resources from different providers.

Use resource blocks to define components of your infrastructure. A resource might be a physical component such as a server, or it can be a logical resource such as a Heroku application.

Resource blocks have two strings before the block: the resource type and the resource name. In this example, the resource type is azurerm_resource_group and the name is rg . The prefix of the type maps to the name of the provider. In the example configuration, Terraform manages the azurerm_resource_group resource with the azurerm provider. Together, the resource type and resource name form a unique ID for the resource. For example, the ID for your network is azurerm_resource_group.rg .

Resource blocks contain arguments which you use to configure the resource. The Azure provider documentation documents supported resources and their configuration options, including azurerm_resource_group and its supported arguments.

Initialize your Terraform configuration

Initialize your learn-terraform-azure directory in your terminal. The terraform commands will work with any operating system. Your output should look similar to the one below.

Format and validate the configuration

We recommend using consistent formatting in all of your configuration files. The terraform fmt command automatically updates configurations in the current directory for readability and consistency.

Format your configuration. Terraform will print out the names of the files it modified, if any. In this case, your configuration file was already formatted correctly, so Terraform won't return any file names.

You can also make sure your configuration is syntactically valid and internally consistent by using the terraform validate command.

Validate your configuration. The example configuration provided above is valid, so Terraform will return a success message.

Apply your Terraform Configuration

Run the terraform apply command to apply your configuration.

This output shows the execution plan and will prompt you for approval before proceeding. If anything in the plan seems incorrect or dangerous, it is safe to abort here with no changes made to your infrastructure. Type yes at the confirmation prompt to proceed.

Navigate to the Azure portal in your web browser to validate the resource group.

Inspect your state

When you apply your configuration, Terraform writes data into a file called terraform.tfstate . This file contains the IDs and properties of the resources Terraform created so that it can manage or destroy those resources going forward. Your state file contains all of the data in your configuration and could also contain sensitive values in plaintext, so do not share it or check it in to source control.

For teams or larger projects, consider storing your state remotely. Remote state storage enables collaboration using Terraform but is beyond the scope of this tutorial.

Inspect the current state using terraform show .

When Terraform created this resource group, it also gathered the resource's properties and meta-data. These values can be referenced to configure other resources or outputs, which you will encounter in later tutorials.

To review the information in your state file, use the state command. If you have a long state file, you can see a list of the resources you created with Terraform by using the list subcommand.

If you run terraform state , you will see a full list of available commands to view and manipulate the configuration's state.

For more detail on the concepts used in this tutorial:

  • Read about the Terraform configuration language in the Terraform documentation.
  • Learn more about Terraform providers.
  • Review usage examples of the Terraform Azure provider from Terraform provider engineers.


  8. entra id

    Tour Start here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site

  9. andrewCluey/role-assignment/azurerm

    The first option is the simplest way, where each Role Assignment at a specific scope has its own module block. One to assign the Owner role and the other to assign the Contributor role. The second example uses the for_each expression to perform the same role assignments but with only one module block. Here, we loop through a map object that ...

  10. Instructions to generate the

    In a future release, this command will NOT create a 'Contributor' role assignment by default. If needed, use the --role argument > to explicitly create a role assignment. Creating 'Contributor' role assignment under scope '/subscriptions/[sub-id]' The output includes credentials that you must protect.

  11. Create Azure role assignments

    Create Azure role assignments. bookmark_border. In this section, you grant permissions to GKE on Azure to access Azure APIs. To save your service principal and subscription IDs to a shell variable, run the following command. Replace APPLICATION_NAME with a name for your application. APPLICATION_ID=$(az ad app list --all \.

  12. Create a service principal

    Create the service principal for your account and assign it to the Contributor role by issuing this command: az ad sp create-for-rbac --role Contributor --name <service_principal_name> For example, az ad sp create-for-rbac --role Contributor --name gi300. The output should be similar to:

  13. Safely access Azure Kubernetes Service in GitHub Action with ...

    AAD apps on the Azure portal. Federated credentials support various scenarios like CMK, Kubernetes, GitHub Actions, etc. If you have ever used AKS workload identity, you must have seen this.

  14. Build infrastructure

    Create a Service Principal. Next, create a Service Principal. A Service Principal is an application within Azure Active Directory with the authentication tokens Terraform needs to perform actions on your behalf. Update the <SUBSCRIPTION_ID> with the subscription ID you specified in the previous step.