what is role assignment in azure

Azure RBAC: role assignments and ARM templates

This post is about Azure's role assignments and ARM templates. Role assignments can be thought of as "permissions for Azure".

If you're deploying to Azure, there's a good chance you're using ARM templates to do so. Once you've got past "Hello World", you'll probably find yourself in a situation when you're deploying multiple types of resource to make your solution. For instance, you may be deploying an App Service alongside Key Vault and Storage .

One of the hardest things when it comes to deploying software and having it work, is permissions. Without adequate permissions configured, the most beautiful code can do nothing . Incidentally, this is a good thing. We're deploying to the web; many people are there, not all good. As a different kind of web-head once said:

Azure has great power and suggests you use it wisely .

Access management for cloud resources is critical for any organization that uses the cloud. Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.

This is good advice. With that in mind, how can we ensure that the different resources we're deploying to Azure can talk to one another?

Role (up for your) assignments ​

The answer is roles. There's a number of roles that exist in Azure that can be assigned to users, groups, service principals and managed identities. In our own case we're using managed identity for our resources. What we can do is use "role assignments" to give our managed identity access to given resources. Arturo Lucatero gives a great short explanation of this:

Whilst this explanation is delightfully simple, the actual implementation when it comes to ARM templates is a little more involved. Because now it's time to talk "magic" GUIDs. Consider the following truncated ARM template, which gives our managed identity (and hence our App Service which uses this identity) access to Key Vault and Storage:

Let's take a look at these three variables:

The three variables above contain the subscription resource ids for the roles Storage Blob Data Contributor , Key Vault Secrets Officer and Key Vault Crypto Officer . The first question on your mind is likely: "what is ba92f5b4-2d11-453d-a403-e96b0029c9fe and where does it come from?" Great question! Well, each of these GUIDs represents a built-in role in Azure RBAC. The ba92f5b4-2d11-453d-a403-e96b0029c9fe represents the Storage Blob Data Contributor role.

How can I look these up? Well, there's two ways; there's an article which documents them here or you could crack open the Cloud Shell and look up a role by GUID like so:

Or by name like so:

As you can see, the Actions section of the output above (and in even more detail on the linked article ) provides information about what the different roles can do. So if you're looking to enable one Azure resource to talk to another, you should be able to refer to these to identify a role that you might want to use.

Creating a role assignment ​

So now we understand how you identify the roles in question, let's take the final leap and look at assigning those roles to our managed identity. For each role assignment, you'll need a roleAssignments resource defined that looks like this:

Let's go through the above, significant property by significant property (it's also worth checking the official reference here ):

• type - the type of role assignment we want to create, for a key vault it's "Microsoft.KeyVault/vaults/providers/roleAssignments" , for storage it's "Microsoft.Storage/storageAccounts/providers/roleAssignments" . The pattern is that it's the resource type, followed by "/providers/roleAssignments" .
• dependsOn - before we can create a role assignment, we need the service principal we desire to permission (in our case a managed identity) to exist
• properties.roleDefinitionId - the role that we're assigning, provided as an id. So for this example it's the keyVaultCryptoOfficer variable, which was earlier defined as [subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')] . (Note the use of the GUID)
• properties.principalId - the id of the principal we're adding permissions for. In our case this is a managed identity (a type of service principal).
• properties.scope - we're modifying another resource; our key vault isn't defined in this ARM template and we want to specify the resource we're granting permissions to.
• properties.principalType - the type of principal that we're creating an assignment for; in our this is "ServicePrincipal" - our managed identity.

There is an alternate approach that you can use where the type is "Microsoft.Authorization/roleAssignments" . Whilst this also works, it displayed errors in the Azure tooling for VS Code . As such, we've opted not to use that approach in our ARM templates.

Many thanks to the awesome John McCormick who wrangled permissions with me until we bent Azure RBAC to our will.

• Role (up for your) assignments
• Creating a role assignment

Salesforce , Python , SQL , & other ways to put your data where you need it

Need event music 🎸, azure rbac role assignment faq.

03 Feb 2024 🔖 security tutorial 💬 EN

Table of Contents

The 3 components of an azure rbac role assignment, create an azure rbac role assignment, target scopes, source principal identities, combining several azure rbac role assignments to fulfill a task.

Below are a few frequently asked questions about Azure RBAC Role Assignments.

Many thanks to colleagues who helped me a lot with editing the wording when I wrote a similar document for internal training.

What is an Azure RBAC Role Assignment?

An Azure RBAC Role Assignment , not to be confused with an Entra RBAC Role Assignment , grants a given identity (that is, one that exists within Microsoft Entra ID) permission to perform specific types of actions against a specific “scope” of Azure resource(s).

In the model of access control where authentication (“proving a nonhuman is who it says it is”) and authorization (“proving a given, authenticated nonhuman is permitted to do what it is trying to do”) , an Azure RBAC Role Assignment helps solve problems related to authorization . 🔐

Microsoft Entra ID , or “Entra” for short, is the new name for what was known as “Azure Active Directory” or “AAD.”

An Azure RBAC Role Assignment is a named Azure resource whose purpose is to describe a junction of three other Azure or Entra resource IDs:

• An  Azure RBAC “role”   (whether “built-in” and maintained by Microsoft or “custom” and maintained by your company) that authorizes actions such as “write files to Azure Blob Storage.”
• (Often simply set to “/” to represent the entire Entra tenant.)
• Usually, the “principal” with Azure RBAC would represent a non-human.
• Protecting the human’s Azure RBAC Role Assignment with Entra Privileged Identity Management (“PIM”) is an excellent practice in this case.
• Consult with colleagues before requesting resource locks, because  locking resources may impede productivity in unexpected ways .
• Also note that if you are having trouble performing actions you expected to be able to perform, given your existing Azure RBAC Role Assignments, check if existing resource locks might be the obstacle.

See “ Assign Azure roles ” on Microsoft Learn.

In a corporate environment, you might not be allowed to do it yourself. Hopefully, your help desk ticketing system has a ticket type that you can open to request that an Azure RBAC Role Assignment be created/edited/deleted on your behalf.

Best practices

Follow the principle of least privilege when requesting the creation of Azure RBAC Role Assignments when choosing all 3 components (role, target scope, and principal) .

When in doubt, create more role assignments, not broader Role Assignments.

Carefully look through Microsoft’s “built-in”  Azure RBAC roles  to find the least-powerful role that can perform a necessary task. For example:

• “Website Contributor”  instead of the more powerful “Contributor” for deployment automations that need to deploy code onto Azure App Service, Azure Static Web Apps, Azure Functions, etc.
• “Data Factory Contributor”  instead of the more powerful “Contributor” for deployment automations that need to deploy Azure Data Factory configuration from a “lower” nonproduction environment into a “higher” nonproduction or production environment.
• “Storage Blob Data Reader”  instead of the more powerful “Reader” for Azure resources, deployment automations, or humans that need to read files out of Azure Blob Storage resources.
• “Storage Blob Data Contributor”  instead of the more powerful “Contributor” for Azure resources, deployment automations, or humans that need to perform “write” operations against Azure Blob Storage resources.

Once an appropriately capable Azure RBAC role has been selected, it can be assigned to work  against  the following scopes in Azure:

• Preferred when resources are stable.
• As long as capabilities are tightly scoped – e.g. “Website Contributor” – this might provide a good balance between safety and convenience if a resource group encapsulates a single workload where appropriate target Azure resources – such as Azure Functions – are constantly being added and/or removed, and waiting for RBAC role assignment against each new function would critically impede productivity.
• With a slow rate of change, however, individual resource-by-resource assignment may still be preferred for the comfort of knowing explicitly which Azure resources are targets of which Entra identities’ capabilities, rather than guessing based on each RBAC role’s documentation.
• Questions about infosec tradeoffs between the context of “least privilege” and “ease of maintenance” / “governance?” Colleagues helping you design your solution, and staff on your company’s infosec team, are excellent resources for striking the correct balance amongst various infosec concerns.
• By default, avoid this. “Subscription” is likely far too broad for common corporate approaches to grouping Azure resources .

Once an appropriately capable RBAC role and narrow target scope has been chosen, the assignment must be attached to a specific Entra identity. Examples include:

• A single Azure resource’s  System-Assigned Managed Identity (“SMI”)
• (Only when SMI is not available, and preferably using Federated Identity Credentials to log into it over OIDC if being used with Azure DevOps Pipelines or GitHub Actions code deployment automations.)
• (Either way, preferably only allowed while privileges are elevated through PIM.)

To adhere to the security principle of least privilege, more than one Azure RBAC Role Assignment may need to be created to fulfill the permissions requirements of a given workload.

For example, a workload’s design may require the creation of:

• A “ Website Contributor ” Azure RBAC Role Assignment allowing the  Entra App Registration representing a code deployment automation  to deploy code onto a  nonproduction Azure App Service  resource.
• A “ Storage Blob Data Contributor ” Azure RBAC Role Assignment allowing the  SMI of a nonproduction Azure App Service  resource to read and write against a  nonproduction Storage Blob’s  files.
• A “ Storage Blob Data Contributor ” Azure RBAC Role Assignment allowing the  Entra group ID representing humans in a certain department  to manually read and write a  nonproduction Storage Blob’s  files.
• 3 more  Azure RBAC Role Assignments  as listed above  but  scoped for production target resources .

• Role Assignment using Azure Portal

Return to AZ-104 Tutorial

Before you learn to add or remove Azure role assignments using the Azure portal, it is very important to understand Azure Role-Based Access Control (RBAC). We may define Azure role-based access control (RBAC) is an authorization system that can be used to manage access to Azure resources. Now in order to grant access, you are required to assign roles to users, groups, service principals, or managed identities at a particular scope.

Prerequisites of Assigning Roles :

In order to add or remove role assignments, we are required are –

• Microsoft.Authorization/roleAssignments/write
• Microsoft.Authorization/roleAssignments/delete permissions (From User Access Administrator or Owner)

Access control (IAM)

IAM (Identity and Access Management) is a specified page for assigning roles and granting access to Azure resources. In the Azure portal, Access Control is also known as identity and access management.

Steps to Add a Role Assignment

In Azure role-based access control (RBAC), in order to grant access to an Azure resource, you must add a role assignment. We shall now discuss the steps to add a role assignment.

• First Step – In the Azure portal, we will click on All services and then select the scope that we want to grant access to namely, Management groups, Subscriptions, Resource groups, or a resource.
• Second Step – We should then Click the specific resource for that scope.
• Third Step – Now Click Access control (IAM).
• Fourth Step – In this step we will click the Role assignments tab to view the role assignments at this scope.
• Fifth Step – Now Click Add > Add role assignment. But in case you do not have permissions to assign roles, the Add role assignment option will be disabled.
• Sixth Step – In the Role drop-down list, select a role such as Virtual Machine Contributor.
• Seventh Step – In this step we will select a user, group, service principal, or managed identity. Then in the Select list, in case, we do not find the security principal in the list, next we can type in the Select box to search the directory for display names, email addresses, and object identifiers.
• Eighth Step – Click Save to assign the role. After a few moments, the security principal is assigned the role at the selected scope.

Steps to Add a role assignment for a managed identity

In this topic, we will describe an alternate way to add role assignments for a managed identity. Thereby, using these steps, you start with the managed identity and then select the scope and role.

• Firstly, in the Azure portal, open a system-assigned managed identity.
• Then, in the left menu, click Identity.
• Next, under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.
• Now, to change the subscription, click the Subscription list.
• Then click Add role assignment (Preview).
• In this step, use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription, Resource Group, or resource. But in case you do not have role assignment write permissions for the selected scope, then an inline message will be displayed.
• Select a role such as Virtual Machine Contributor, in the Role drop-down list.
• Lastly, Click Save to assign the role.

Steps to Remove a Role Assignment

In order to remove access from an Azure resource, in Azure RBAC we must remove a role assignment.

• The first step we will first Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
• In the second step, click the Role assignments tab to view all the role assignments for this subscription.
• Next in the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
• Now Click Remove.
• Lastly, in the remove role assignment message that appears, click Yes.

Note – Any message displaying that inherited role assignments cannot be removed, indicates that you are trying to remove a role assignment at a child scope. In this case, you must open Access control (IAM) at the scope where the role was assigned and then try again.

Reference:  Microsoft Documentation

Prepare for Assured Success

Microsoft AZ-104: Azure Blob Storage Access Control with Role Assignments and Conditions

By: Author Alex Lim

Posted on Last updated: July 11, 2024

Home > Microsoft AZ-104: Azure Blob Storage Access Control with Role Assignments and Conditions

Learn how to manage user access to Azure Blob Storage using role assignments with conditions. Understand the impact of Reader and Owner roles at subscription and storage account scopes.

Table of Contents

Explanation

You have an Azure subscription named Sub1 that contains the blob containers shown in the following table.

Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope.

You have a condition named Condition1 as shown in the following exhibit.

You have a condition named Condition2 as shown in the following exhibit.

You assign roles to User1 and User2 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

• User1 can read blob2.
• User1 can read blob3.
• User2 can read blob1.
• User1 can read blob2: No
• User1 can read blob3: Yes
• User2 can read blob1: No

No, User1 cannot read blob2. Explanation: User1 is assigned the Storage Blob Data Reader role at the subscription (Sub1) scope with Condition1. Condition1 allows read access only if the container name is ‘cont1’. Since blob2 is in cont2, User1 does not have read access to it.

Yes, User1 can read blob3. Explanation: Although blob3 is not in cont1, User1 has the Reader role assigned at the subscription (Sub1) scope. This role grants read access to all resources in the subscription, including blob3, regardless of the condition.

No, User2 cannot read blob1. Explanation: User2 is assigned the Storage Blob Data Owner role at the storage1 scope with Condition2. Condition2 allows write access only if the blob path contains ‘2’. Since blob1’s path does not contain ‘2’, User2 does not have read or write access to it, even though they have the Owner role. The condition restricts the Owner permissions.

In summary, role assignments with conditions allow fine-grained access control to Azure Blob Storage. The scope of the role assignment and the specific conditions determine the effective permissions for each user.

Microsoft AZ-104 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Microsoft AZ-104 exam and earn Microsoft AZ-104 certification.

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...

Azure Role Assignments with Constraints

If you’ve worked in Azure, you have definitely come across managing access using Role Based Access Control (RBAC) and have been met with different challenges. Until recently, the RBAC model in Azure has been missing a key piece: the ability to enforce constraints on the delegation of role assignments. This missing piece has led to a less than ideal user experience for those managing Azure resources. Fortunately, Azure Role Assignments with Constraints is here, hopefully providing the missing piece to a complete RBAC model in Azure. With this new feature, IT administrators and stakeholders can now easily and securely manage access to Azure resources, greatly improving the experience for all parties.

Role based access control

In most Azure environments I’ve worked in, IT rarely assigns Owner or User Access Administrator to stakeholders; instead, they’re the gatekeepers for giving out permissions to resources. This often leads to tickets being placed with IT and long wait times for new stakeholders to start consuming services in Azure, and most often the actual teams have more knowledge of who should have access to a resource than IT has.

This will most likely lead to frustration as developers will have problems fully setting up an application or service. For example, a developer creates an Azure Function with a Managed Identity that requires Storage Blob Data Contributor to a Storage Account, but they’re not able to assign any roles for that identity.

On the other hand, if given full permissions, someone inexperienced with Azure or someone who doesn’t value security may end up exposing the environment to security risks. I think we can all agree the model isn’t all there yet.

How it works today

Delegate role assignments with constraints.

With this new feature, we can instead delegate Dara the ability to assign only certain roles and principal types. For example, we can allow Dara and their team members to assign only Service principals the Key Vaults Secrets User and Storage Blob Data Contributor roles. With this in place, the team is now able to create that Azure Function with a Managed Identity and assign it the Storage Blob Data Contributor for any resource inside that subscription.

Constrains example

Getting started.

Click the images to enlarge them

To get started follow the below steps.

At your desired scope, go to the IAM blade and select Add to create a new role assignment.

Select the Privileged administrator roles tab and find the Role Based Access Control Administrator role.

Add the desired User or Group that should be able to delegate roles at the scope.

Select Add condition to define the conditions.

The portal will present three templates that can be used, and in this example I’m using the middle one. It will allow me to target what roles users in the Az_Analytics_Users group can assign, and to what identity types. Opening the advanced condition editor will present the full configuration experience that allows for finer tuning. For example, users can create role assignments, but not delete them.

I want them to be able to assign Key Vaults Secrets User and Storage Blob Data Contributor to Service principals .

Hit save and the configuration will be presented before assignment is made.

That’s it! Users in the group Az_Analytics_Users are now able to assign the roles specified in the expression to Service principals. If they try to assign any other roles they’ll be denied.

We can also configure everything using PowerShell.

Another example

Here I’m using the advanced condition editor. Users are able to assign all roles except Owner and User Access Administrator for all principal types; users, group, and service principals. This is done by negating the expression by ticking the checkbox when configuring what roles can be assigned.

An imporant thing to note here is that when a user assigns a role to another user not already present in the tenant, a guest invitation will be sent out, unless guest invitation is restricted.

Final thoughts

I must say that I find this feature highly appealing, and I firmly believe that it will bring significant benefits to both IT administrators and developers alike. Previously, granting Owner or User Access Administrator permissions often entailed a considerable amount of responsibility for Azure stakeholders, akin to providing them with unrestricted access. However, with this new feature, we can now delegate some of the RBAC assignments to stakeholders, which will ultimately result in reduced wait times and minimize unwarranted frustration.

Further Reading

The Importance of Policy-Driven Governance

In Azure, following a policy-driven approach to governance is crucial. It’s all about making sure that everyone who uses Azure can’t set things up the wrong way. Imagine having a set of clear instr...

What is this Private Endpoint, and where can I buy one? (Part 1)

That’s a good question and something I’m going to try and answer in my first blog series. If you’re like me you’ve probably browsed the Azure Security Center recommendations to get a better underst...

What is this Private Endpoint, and where can I buy one? (Part 2)

In part 1 I gave an introduction on how to set up Private Endpoint and DNS and mentioned that the privatelink DNS zones should be handled centrally by your IT or Azure team. In this post I’ll expan...

Why App Service Environment v3 is Awesome!

A new version of content is available.

Get notified in your email when a new post is published to this blog

Now use role-based access control in Azure Cosmos DB Data Explorer

Meredith Moore

July 2nd, 2024 1 0

Azure Cosmos DB Data Explorer is a web-based tool that allows you to interact with your data, run queries, and visualize results in Azure Cosmos DB. It is available in the Azure Portal and as a standalone web app .

RBAC allows you to use Microsoft Entra ID identities to control data access in Data Explorer, instead of using account keys. This way, you can grant granular permissions to different users and groups and audit their activities. RBAC also enables you to use features such as Entra ID Conditional Access and Entra ID Privileged Identity Management to further protect your data.  It allows for finer-grained access control based on roles, reducing the risk associated with key management and distribution.

Previously, RBAC could only be used with the standalone app, and not directly within the Data Explorer in the Azure portal. Today you have enhanced capabilities, and you can use it within the Data Explorer in the portal and the standalone Data Explorer web app for your Azure Cosmos DB NoSQL accounts.

How to enable RBAC in Data Explorer for NoSQL accounts

The use of RBAC in Data Explorer is controlled by the Enable Entra ID RBAC setting. You can access this setting via the “wheel” icon at the upper right-hand side of Data Explorer.

The setting has three values tailored to your needs:

• Automatic (default): In this mode, RBAC will be automatically used if the account has disabled the use of keys. Otherwise, Data Explorer will use account keys for requests.
• True: In this mode, RBAC will always be used for Data Explorer requests. If the account has not been enabled for RBAC, then the requests will fail.
• False: In this mode, account keys will always be used for Data Explorer requests. If the account has disabled the use of keys, then the requests will fail.

Previously, RBAC was only supported in the Data Explorer standalone web app using a feature enabled link .  This is still supported and will override the value of the Enable Entra ID RBAC setting. Using this query parameter is equivalent to using the ‘Automatic’ mode mentioned above.

How to use RBAC in Data Explorer

Once you have enabled RBAC and assigned roles to your Entra ID identities, you can use Data Explorer to interact with your data. To do so, you need to sign in to Data Explorer with your Entra ID credentials, either in the Azure Portal or in the standalone web app .  You will see a list of Azure Cosmos DB accounts that you have access to, and you can select the one you want to work with. Depending on the role you have been assigned, you can perform different actions in Data Explorer.

RBAC is a powerful feature that enhances the security and governance of your Azure Cosmos Db accounts, by allowing you to use Entra ID identities to control data access. RBAC also enables you to leverage other Entra ID features, such as Conditional Access and Privileged Identity Management, to further protect your data. RBAC is easy to enable and use, and it provides granular and auditable permissions for different users and groups.

Try it out and please share your feedback through the feedback icon in Data Explorer.

Learn more:  Configure role-based access control with Microsoft Entra ID – Azure Cosmos Db | Microsoft Learn

About Azure Cosmos DB

Azure Cosmos DB is a fully managed and serverless distributed database for modern app development, with SLA-backed speed and availability, automatic and instant scalability, and support for open-source PostgreSQL, MongoDB, and Apache Cassandra.  Try Azure Cosmos DB for free here.  To stay in the loop on Azure Cosmos DB updates, follow us on  X ,  YouTube , and  LinkedIn .

Meredith Moore Senior Product Manager, Azure Cosmos DB

Leave a comment Cancel reply

Log in to join the discussion or edit/delete existing comments.

Is this GA?

The options for Enable Entra ID are missing from the blade.

Explorer Version 17754cba05e4d1a156b536dad388f17d83a0ff9b

Insert/edit link

Enter the destination URL

Or link to existing content

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Azure AD User: Assigned Roles vs Azure Role Assignments

In a specific user's section of Azure AD, there are two menu items that seem to mean the same thing to me even though the data is different. Can someone explain the difference between Assigned Roles and Azure Role Assignments?

• azure-active-directory

Assigned roles are Azure AD administrator roles, for accessing Azure AD and other Microsoft 365 platforms such as Exchange and SharePoint.

Azure AD built-in roles

Azure role assignments (may also be referred to as Azure RBAC roles) are for accessing Azure resources such as virtual machines, storage accounts, subscriptions, etc.

Azure built-in roles

Azure and Azure AD are different terms for 2 distinct platforms

• I think I understand what you are saying but I want to clarify. Can Azure be considered the " classic subscription " and Azure AD the "Current subscription"? Is classic subscription another term for ABAC and Current subscription for RBAC ? –  kevin Commented Nov 11, 2022 at 11:45

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged azure-active-directory or ask your own question .

• Featured on Meta
• We spent a sprint addressing your requests — here’s how it went
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network...
• What makes a homepage useful for logged-in users

Hot Network Questions

• Why does King Aegon speak to his dragon in the Common Tongue (English)?
• Eliminate some numbers so that each of the three rows contains the numbers 1 through 9 each exactly once
• Does the damage from Thunderwave occur before or after the target is moved
• What enforcement exists for medical informed consent?
• A model suffering from omitted variable bias can be said to be unidentified?
• Confusion regarding "since" vs "for"
• How to relocate an outlet forward into a new wall?
• Pattern on a PCB
• French Election 2024 - seat share based on first round only
• Problem computing a limit
• Continued calibration of atomic clocks
• Custom panel is created but does not display properly in custom plug-in
• o y u (or and or)
• Is an employment Conflict of Interest necessary when redundant with my Affiliation?
• As a DM, what should I do if a person decides to play a rogue?
• Time dilation in Einstein's train example (lightning strike)
• What was the first science fiction or fantasy element to appear in any Batman comic?
• Reference about cancellation property for semigroups
• Why are metal ores dredged from coastal lagoons rather than being extracted directly from the mother lode?
• What do American people call the classes that students go to after school for SATs?
• Olympic basketball terms: what does “gutted on the glass and in the paint” mean?
• Equivalence of first/second choice with naive probability - I don't buy it
• Switching Tenure-Track Positions Within Same University
• Can IBM Quantum hardware handle any CSWAP at all?

• Artificial Intelligence
• Generative AI
• Cloud Computing
• Data Management
• Emerging Technology
• Technology Industry
• Software Development
• Microsoft .NET
• Development Tools
• Open Source
• Programming Languages
• Enterprise Buyer’s Guides
• Newsletters
• Foundry Careers
• Terms of Service
• Privacy Policy
• Cookie Policy
• Copyright Notice
• Member Preferences
• About AdChoices
• E-commerce Affiliate Relationships
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

How to work with Azure Key Vault in .NET Core

Azure key vault is a safe and secure place to store the tokens, keys, passwords, certificates, and other sensitive data used in your .net core applications. here’s how to work with it in c#..

When building .NET Core applications, we often make use of various “secrets” such as client IDs, access tokens, passwords, certificates, encryption keys, and API keys. Naturally, we need a secure way to store, manage, and control access to this sensitive data. Azure Key Vault provides a handy, cloud-based solution for this.

In this article, we’ll examine how we can work with Azure Key Vault in C#. To follow along with the code examples provided in this article, you should have Visual Studio 2022 installed in your system. If you don’t already have a copy, you can download Visual Studio 2022 here .

Create a console application project in Visual Studio

First off, let’s create a .NET Core console application project in Visual Studio. Assuming Visual Studio 2022 is installed in your system, follow the steps outlined below to create a new .NET Core console application project.

• Launch the Visual Studio IDE.
• Click on “Create new project.”
• In the “Create new project” window, select “Console App (.NET Core)” from the list of templates displayed.
• Click Next.
• In the “Configure your new project” window, specify the name and location for the new project.
• In the “Additional information” window shown next, choose “.NET 7.0 (Standard Term Support)” as the Framework version you would like to use.
• Click Create.

We’ll use this .NET 7 console application project to work with Azure Key Vault in the subsequent sections of this article.

What is Azure Key Vault?

Azure Key Vault is a cloud-based, secure storage solution that safeguards your application’s secrets or other sensitive data pertaining to your application. Such secrets might be tokens, keys, IDs, passwords, certificates, etc. Azure Key Vault provides a safe, secure, centralized store for secrets, along with strong access controls, eliminating the need for developers to directly manage sensitive data within their applications.

In the sections that follow, we will create a Key Vault, create some secrets, and then read and delete these secrets programmatically.

Create a key vault in Azure

To create a key vault in Azure, follow the steps outlined below.

• From the Azure Portal menu or the Home page, select “Create a resource.”
• Select Key Vault from the list of the resources displayed.
• In the “Create a key vault” screen, specify the subscription, resource group name, region, and pricing tier and leave the other options to their default values.
• Click “Review + Create”
• Review the details entered and then click Create.

Create an app secret in your Azure key vault

Next, you should add a secret to the key vault instance created in the preceding section. To do this, follow the steps outlined below.

• Select Secrets from the Key Vault configuration page.
• Click Generate/Import to add a secret to the key vault.
• Select Manual (the default) from the “Upload options” drop-down menu.
• Specify the name and value of the secret.
• Optionally specify the content type, activation date, and expiration date.

Add roles to access your key vault

To provide access to the secret we created, follow the steps listed below.

• Select “Access control (IAM)” from the Key Vault screen.
• Click “Add role assignment.”
• Select the role you would like to assign from the list of roles displayed.
• Assign access to either “Managed identity” or “User, group, or service principal.”
• Select members to whom the role will be assigned.
• Optionally, specify the description of the role.
• Click “Review + assign.”

Read data from the Azure key vault

Next we create an instance of the DefaultAzureCredential class and pass it as an argument to the SecretClient class. This creates a secret client we can use to connect to and work with Azure Key Vault. When creating an instance of SecretClient, you also should specify the KeyVault URI as shown in the code snippet given below.

Here is the complete code listing for your reference.

Figure 1. When you execute the above program in the console window, it will display your secrets and their values.

Create a new secret in the Azure key vault

You can use the following piece of code to create a new secret and assign it a value in your key vault instance.

You can see the new secret created in the Azure portal as shown in Figure 2 below.

Figure 2. Our new secret displayed in the Key Vault screen of the Azure portal.

Delete a secret from the Azure key vault

The StartDeleteSecret method of the SecretClient class deletes a secret from the Azure Key Vault. You just need to pass the name of the secret you would like to delete as a parameter to this method, as shown in the code snippet below.

If you now browse the Key Vault screen in the Azure portal, you will see that the secret has been deleted.

When you execute the program, you might encounter an Azure.Identity.CredentialUnavailableException. To solve this, from within the Visual Studio IDE, click on Tools -> Options -> Azure Service Authentication. Ensure that you’re signed in using your Azure account credentials.

With Azure Key Vault, you can centrally manage keys and secrets, improve application security and industry compliance, and simplify the management and protection of sensitive data.

Related content

How to use refit to consume apis in asp.net core, when to use an abstract class vs. interface in c#, 6 security best practices for asp.net core, how to implement identity authentication in minimal apis in asp.net core.

Joydip Kanjilal is a Microsoft Most Valuable Professional (MVP) in ASP.NET, as well as a speaker and the author of several books and articles. He received the prestigious MVP award for 2007, 2008, 2009, 2010, 2011, and 2012.

He has more than 20 years of experience in IT, with more than 16 years in Microsoft .Net and related technologies. He has been selected as MSDN Featured Developer of the Fortnight (MSDN) and as Community Credit Winner several times.

He is the author of eight books and more than 500 articles. Many of his articles have been featured at Microsoft’s Official Site on ASP.Net .

He was a speaker at the Spark IT 2010 event and at the Dr. Dobb’s Conference 2014 in Bangalore. He has also worked as a judge for the Jolt Awards at Dr. Dobb's Journal. He is a regular speaker at the SSWUG Virtual Conference , which is held twice each year.

More from this author

How to work with dapper and sqlite in asp.net core, build an authentication handler for a minimal api in asp.net core, how to use the new minimal api features in asp.net core 8, how to implement database connection resiliency in asp.net core, speed up searches using searchvalues in .net, avoid using enums in the domain layer in c#, how to use the repr design pattern in asp.net core, digging deeper into dbcontext in entity framework core, most popular authors.

Show me more

Microsoft moves forward with c# 13, offering overload resolution.

Amazon Bedrock updated with contextual grounding, RAG connectors

Enhancing your cyber defense with Wazuh threat intelligence integrations

How to use dbm to stash data quickly in Python

How to auto-generate Python type hints with Monkeytype

How to make HTML GUIs in Python with NiceGUI

Sponsored Links

• Get Cisco UCS X-Series Chassis and Fabric Interconnects offer.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Assign Azure roles using Azure PowerShell

• 13 contributors

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using Azure PowerShell.

We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell . To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az .

Prerequisites

To assign roles, you must have:

• Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator
• PowerShell in Azure Cloud Shell or Azure PowerShell
• The account you use to run the PowerShell command must have the Microsoft Graph Directory.Read.All permission.

Steps to assign an Azure role

To assign a role consists of three elements: security principal, role definition, and scope.

Step 1: Determine who needs access

You can assign a role to a user, group, service principal, or managed identity. To assign a role, you might need to specify the unique ID of the object. The ID has the format: 11111111-1111-1111-1111-111111111111 . You can get the ID using the Azure portal or Azure PowerShell.

For a Microsoft Entra user, get the user principal name, such as [email protected] or the user object ID. To get the object ID, you can use Get-AzADUser .

For a Microsoft Entra group, you need the group object ID. To get the object ID, you can use Get-AzADGroup .

Service principal

For a Microsoft Entra service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use Get-AzADServicePrincipal . For a service principal, use the object ID and not the application ID.

Managed identity

For a system-assigned or a user-assigned managed identity, you need the object ID. To get the object ID, you can use Get-AzADServicePrincipal .

Step 2: Select the appropriate role

Permissions are grouped together into roles. You can select from a list of several Azure built-in roles or you can use your own custom roles. It's a best practice to grant access with the least privilege that is needed, so avoid assigning a broader role.

To list roles and get the unique role ID, you can use Get-AzRoleDefinition .

Here's how to list the details of a particular role.

For more information, see List Azure role definitions .

Step 3: Identify the needed scope

Azure provides four levels of scope: resource, resource group , subscription, and management group . It's a best practice to grant access with the least privilege that is needed, so avoid assigning a role at a broader scope. For more information about scope, see Understand scope .

Resource scope

For resource scope, you need the resource ID for the resource. You can find the resource ID by looking at the properties of the resource in the Azure portal. A resource ID has the following format.

Resource group scope

For resource group scope, you need the name of the resource group. You can find the name on the Resource groups page in the Azure portal or you can use Get-AzResourceGroup .

Subscription scope

For subscription scope, you need the subscription ID. You can find the ID on the Subscriptions page in the Azure portal or you can use Get-AzSubscription .

Management group scope

For management group scope, you need the management group name. You can find the name on the Management groups page in the Azure portal or you can use Get-AzManagementGroup .

Step 4: Assign role

To assign a role, use the New-AzRoleAssignment command. Depending on the scope, the command typically has one of the following formats.

Assign role examples

Assign a role for all blob containers in a storage account resource scope.

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-6666-666666666666 at a resource scope for a storage account named storage12345 .

Assign a role for a specific blob container resource scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID 55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-6666-666666666666 at a resource scope for a blob container named blob-container-01 .

Assign a role for a group in a specific virtual network resource scope

Assigns the Virtual Machine Contributor role to the Pharma Sales Admins group with ID aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa at a resource scope for a virtual network named pharma-sales-project-network .

Assign a role for a user at a resource group scope

Assigns the Virtual Machine Contributor role to [email protected] user at the pharma-sales resource group scope.

Alternately, you can specify the fully qualified resource group with the -Scope parameter:

Assign a role for a user using the unique role ID at a resource group scope

There are a couple of times when a role name might change, for example:

• You are using your own custom role and you decide to change the name.
• You are using a preview role that has (Preview) in the name. When the role is released, the role is renamed.

Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name. Therefore, if a role is renamed, your scripts are more likely to work.

The following example assigns the Virtual Machine Contributor role to the [email protected] user at the pharma-sales resource group scope.

Assign a role for an application at a resource group scope

Assigns the Virtual Machine Contributor role to an application with service principal object ID 77777777-7777-7777-7777-777777777777 at the pharma-sales resource group scope.

Assign a role for a user at a subscription scope

Assigns the Reader role to the [email protected] user at a subscription scope.

Assign a role for a user at a management group scope

Assigns the Billing Reader role to the [email protected] user at a management group scope.

• List Azure role assignments using Azure PowerShell
• Tutorial: Grant a group access to Azure resources using Azure PowerShell
• Manage resources with Azure PowerShell

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources