az role assignment create scope

Assigning Service Principals to Groups and Roles with the Azure CLI

The more I use Azure the more often I find myself needing to assign various managed identities / service principals to various groups and roles, and while that can be done in the Portal, it's cumbersome and I'd prefer to automate it.

So in this post I'll sharing a few Azure CLI commands that should prove useful whenever you're configuring Service Principals.

Getting a service principal's object id

Suppose you know the name of the service principal, but not the "object id", which is required for assigning it to groups and roles. You can use a filter with the az ad sp list command to find that service principal and then a query to pick out just the object id.

Note that you should avoid trying to use the query parameter to find the matching name, as that will likely not find it as it only applies to the first page of results .

Note that the object id is different from the app id. If you do need the app id for any reason you just need to change the query parameter:

Adding to a group

Suppose we want to add the service principal to a group. We need the group id to do that, and if we need to look it up, we can do so with the az ad group list command and using a filter .

Then the az ad group member add command allows us to add the object id of our service principal to the group.

Creating a role assignment

If we want to create a role assignment, then as well as knowing the user we're assigning the role to and the name of the role, we also need to provide a " scope " for that to apply to. This is typically a long / delimited path to an Azure resource. So for a KeyVault it might look like this:

You can of course construct this string yourself, but actually this is quite often just the "ID" of the resource as returned by the Azure CLI. So we could get the above value with the following command:

And now that we have the scope, we can simply use the az role assignment create to assign the role to our service principal, and we can pass the role name directly (in this example it's "Key Vault Administrator"):

Hope this proves useful to you.

Using the Azure CLI To Update and Manage User Permissions

The Azure CLI is a great tool for scripting updates to user permissions. In this guide, we'll walk through the basics of roles and groups and the common commands.

If you need to make user permission updates in an automated way, the Azure CLI can be a great option. In this article, we will be outlining the two main sources of user permissions, roles and groups, and how they intersect.

With a combination of roles and groups, you can maintain granular permissions across many different projects while adhering to the principle of least privilege .

Understanding Roles with Azure RBAC

Azure roles are a flexible way to designate user permissions. With Azure RBAC (role-based access control), you can unlock access to certain resources and actions by assigning a user to a certain role, which comes with an accompanying set of permissions.

These are some examples of common built-in roles: 

• Contributor: Can create and manage Azure resources
• Owner: Access to all resources and can extend access to others
• Reader: Can view only existing Azure resources
• User Access Administrator: Can manage access to Azure resources

You can narrow access further by assigning a user with a role in relation to a specific scope (e.g. resource group, application id, etc.). If you need a unique combination of permissions and expect to have similar use cases in the future, you can also create custom roles by providing either a JSON role definition file or a PSRoleDefinition object as input.

Assigning Roles with the Azure CLI

You will likely need to update someone’s role if they are new to your organization or have been assigned to a new project; or inversely, if they are leaving or no longer need access. Here are the steps for making these changes with the Azure CLI.

Adding a Role to a User

To assign a role to a user in Azure, you can use the “ az role assignment create ” command. You have to specify three components, the assignee, the role, and the resource groups or scope of access. In the following example, we’re assigning Reader access (role definition) to user John Smith for the scope of a certain resource group.

Removing a Role from a User

Next, to remove the role from the same user, we would use the “ az role assignment delete ” command. This command uses the exact same parameters:

These commands should enable you to make these role updates manually, or script a repeatable workflow for new employees or new projects.

Understanding Groups in Azure 

In GCP or AWS, Identify Access Management (IAM) groups are a way to extend access and authorization services/APIs to a team. Groups in Azure serve the same purpose, but Azure is slightly different in that groups are created directly using Azure’s Active Directory (AD). 

You can create a new group using the command “ az ad group create ” , and specify a display name and a mail nickname. Here’s an example:

Management of IAM groups in Azure involves the same kinds of tasks you would perform in typical user groups, whether it’s adding or deleting individual users, giving them specific levels of IAM permissions, or managing groups of users as a whole, among many others.

For example, you can assign a group with a certain role for a certain scope or resource group. To do this, you’ll first need to get the object ID for the group using this command:

The object ID will be a string of numbers in this format:

“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”

Now that you have the group ID, you can use the “ az role assignment create ” command to assign a role to that group:

The combination of user roles and group roles allows for organizations to have a flexible and secure solution for permissions as your company grows or projects change.

Adding or Removing a Users to Groups

If you want to add a user to a group, you’ll need to run the “ az ad group member add ”   command. You will need to plug in values for a group parameter (either the specific group id or display name) and a member-id parameter.

Here is an example of that command:

Removing a member from a group uses the same parameters, and uses the “ az ad group member remove ” command instead:

You can also use the same parameters with the “ az ad group member check ” command to check whether the member was removed from the group.

Automate Permission Updates with Blink

Most likely, as your organization grows, changing and updating permissions and policies will take up more time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple clicks.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

What is the default RBAC scope used when assigning a role in Azure with the CLI?

This is the documentation for the az role assignment create command: https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create

--score is an optional parameter. This is what the documentation says about it:

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

As you can see, it doesn't say what the default value for this parameter is. I can't find it anywhere, so I found myself forced to ask here.

• I can't select my own answer as the correct one because I have to wait 2 days, but that's the correct answer anyways. –  Adrian Jan 22, 2022 at 4:25

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli#step-4-assign-role

Apparently, when the --scope parameter is not provided its value depends on whether the --resource-group parameter is provided or not. If you provide that parameter, then it's like if you specified the resource group scope. Else, the subscription scope is assumed.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged azure entra-id azure-cli ..

• The Overflow Blog
• You should keep a developer’s journal
• Would you board a plane safety-tested by GenAI?
• Featured on Meta
• Our Partnership with OpenAI
• What deliverables would you like to see out of a working group?

Hot Network Questions

• Reference request for Bessel function of the second kind with matrix argument
• Square root symbols that don't match
• Why Faonte called "small" and "big" dg-nerves?
• Is it legal to use GPL code in plugins of a proprietary app?
• Story about a huge project in Hell?
• Baker's percentage symbol -- % in a loaf using TikZ
• Is there a problem with having a combined login/register screen?
• Should I remove a reference after applying to job?
• What is the name of the grammatical function of "there" in "there is"?
• Is this a solvable Numberlink?
• What is "soda asbestos"?
• Why does Professer Binns always call students by different names?
• Polygon and trace arrows
• Array aligned with top of item label
• Cold Bee and Old Beer
• How do floating plants get their trace nutrients?
• Does using electricity from the grid in the U.S. result in more greenhouse gas emissions than using propane?
• Alpha Texture Brush isn't working?
• Why would aliens use Kaiju to cause an apocalypse instead of more effective weapons?
• Why don't electrons occupy infinite degenerate states with the same energy?
• Why do people believe that John the Baptist and Jesus never knew one another?
• How to Solve a Linear System of Equations with Absolute Values
• Any trick to installing a double electric wall oven "whip" so it doesn't bunch up but slides backwards when the oven is pushed back into the cabinet?
• Do I have a cleaner way to assign a parametrized json string to a bash variable?

New-AzRoleAssignment

In this Azure PowerShell article, we will discuss the syntax and usage of the New-AzRoleAssignment Azure PowerShell cmdlet with examples.

Table of Contents

Wrapping Up

New-AzRoleAssignment is a very good PowerShell command that you can use to assign an RBAC role to a specific principal for a specified scope. Let’s discuss the Syntax of the New-AzRoleAssignment Azure PowerShell cmdlet.

Below is the syntax of the New-AzRoleAssignment PowerShell command.

Now, let’s discuss some examples of how to use the New-AzRoleAssignment PowerShell command.

You can execute the below Azure PowerShell command to grant a contributor role to the user “[email protected]” under the resource group “MyNewResGrp” scope, and the role assignment is available for delegation.

Below Azure PowerShell cmdlet can help you to grant owner access to the user “[email protected]” to the “TsInfoweb” website.

You may also like following the articles below

• Get-AzRoleAssignment
• Get-AzRoleDefinition

In this Azure PowerShell article, we discussed the syntax and usage of the New-AzRoleAssignment Azure PowerShell cmdlet with examples. Thanks for reading this article !!!

I am Rajkishore, and I have over 14 years of experience in Microsoft Azure and AWS, with good experience in Azure Functions, Storage, Virtual Machine, Logic Apps, PowerShell Commands, CLI Commands, Machine Learning, AI, Azure Cognitive Services, DevOps, etc. Not only that, I do have good real-time experience in designing and developing cloud-native data integrations on Azure or AWS, etc. I hope you will learn from these practical Azure tutorials. Read more .

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Role Assignments - Create

Create or update a role assignment by scope and name.

URI Parameters

Request body, permissions.

To call this API, you must be assigned a role that has the following permissions. For more information, see Azure built-in roles .

Microsoft.Authorization/roleAssignments/write

Azure Active Directory OAuth2 Flow

Type: oauth2 Flow: implicit Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Create role assignment for resource

Sample request.

To use the Azure SDK library in your project, see this documentation . To provide feedback on this code sample, open a GitHub issue

Sample Response

Create role assignment for resource group, create role assignment for subscription, definitions, error additional info.

The resource management error additional info.

Error Detail

The error detail.

Error Response

Error response

Principal Type

The principal type of the assigned principal ID.

Role Assignment

Role Assignments

Role Assignment Create Parameters

Role assignment create parameters.

Additional resources

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

az role assignment create --assignee "${PRINCIPAL_ID}" --role 'Contributor' --scope "{RESOURCE_GROUP_ID}" #24701

djohn99 commented Nov 21, 2022

yonzhan commented Nov 22, 2022

Sorry, something went wrong.

jiasli commented Nov 22, 2022

djohn99 commented Nov 22, 2022 • edited

jiasli commented Dec 19, 2022 • edited

No branches or pull requests