Using the Azure CLI To Update and Manage User Permissions
The Azure CLI is a great tool for scripting updates to user permissions. In this guide, we'll walk through the basics of roles and groups and the common commands.
If you need to make user permission updates in an automated way, the Azure CLI can be a great option. In this article, we will be outlining the two main sources of user permissions, roles and groups, and how they intersect.
With a combination of roles and groups, you can maintain granular permissions across many different projects while adhering to the principle of least privilege.
Understanding Roles with Azure RBAC
Azure roles are a flexible way to designate user permissions. With Azure RBAC (role-based access control), you can unlock access to certain resources and actions by assigning a user to a certain role, which comes with an accompanying set of permissions.
These are some examples of common built-in roles:
- Contributor: Can create and manage Azure resources
- Owner: Access to all resources and can extend access to others
- Reader: Can view only existing Azure resources
- User Access Administrator: Can manage access to Azure resources
You can narrow access further by assigning a user with a role in relation to a specific scope (e.g. resource group, application id, etc.). If you need a unique combination of permissions and expect to have similar use cases in the future, you can also create custom roles by providing either a JSON role definition file or a PSRoleDefinition object as input.
Assigning Roles with the Azure CLI
You will likely need to update someone’s role if they are new to your organization or have been assigned to a new project; or inversely, if they are leaving or no longer need access. Here are the steps for making these changes with the Azure CLI.
Adding a Role to a User
To assign a role to a user in Azure, you can use the "az role assignment create" command. You have to specify three components: the assignee, the role, and the scope of access (for example, a resource group). In the following example, we're assigning Reader access (the role definition) to user John Smith for the scope of a certain resource group.
Removing a Role from a User
Next, to remove the role from the same user, we would use the "az role assignment delete" command. This command uses the exact same parameters:
These commands should enable you to make these role updates manually, or script a repeatable workflow for new employees or new projects.
Understanding Groups in Azure
In GCP or AWS, Identity and Access Management (IAM) groups are a way to extend access and authorization to services and APIs to a whole team. Groups in Azure serve the same purpose, but Azure is slightly different in that groups are created directly in Azure Active Directory (AD).
You can create a new group using the command "az ad group create", and specify a display name and a mail nickname. Here's an example:
Management of IAM groups in Azure involves the same kinds of tasks you would perform in typical user groups, whether it’s adding or deleting individual users, giving them specific levels of IAM permissions, or managing groups of users as a whole, among many others.
For example, you can assign a role to a group for a certain scope or resource group. To do this, you'll first need to get the object ID for the group using this command:
The object ID will be a string of numbers in this format:
“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”
Now that you have the group ID, you can use the "az role assignment create" command to assign a role to that group:
The combination of user roles and group roles gives organizations a flexible and secure permissions model as the company grows or projects change.
Adding Users to or Removing Users from Groups
If you want to add a user to a group, you'll need to run the "az ad group member add" command. You will need to plug in values for a group parameter (either the specific group ID or display name) and a member-id parameter.
Here is an example of that command:
Removing a member from a group uses the same parameters, but with the "az ad group member remove" command instead:
You can also use the same parameters with the "az ad group member check" command to confirm whether the member was removed from the group.
Automate Permission Updates with Blink
Most likely, as your organization grows, changing and updating permissions and policies will take up more time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple of clicks.
Get started with Blink today to see how easy automation can be.
How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer
Here are a bunch of ways you can find which roles are built into Azure. This will come in super handy when you need to assign a role to a service principal or user with Azure CLI commands like this:
- Query the big honking json
- Query all, but only return Name and Id in a nice table
- Filter by name contains:
This one filters for roles with “Map” in the name:
Azure PowerShell
https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-3.8.0
This page has all the built in roles: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles
AzAdvertizer
Just found this site today by Julian Hayward. It's a great way to find roles:
https://www.azadvertizer.net/azrolesadvertizer_all.html
Azure custom roles
If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.
Custom roles can be shared between subscriptions that trust the same Microsoft Entra tenant. There is a limit of 5,000 custom roles per tenant. (For Microsoft Azure operated by 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
Steps to create a custom role
Here are the basic steps to create a custom role.
Determine the permissions you need.
When you create a custom role, you need to know the actions that are available to define your permissions. Typically, you start with an existing built-in role and then modify it for your needs. You will add the actions to the Actions or NotActions properties of the role definition. If you have data actions, you will add those to the DataActions or NotDataActions properties.
For more information, see the next section, How to determine the permissions you need.
Decide how you want to create the custom role.
You can create custom roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
Create the custom role.
The easiest way is to use the Azure portal. For steps on how to create a custom role using the Azure portal, see Create or update Azure custom roles using the Azure portal.
Test the custom role.
Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
How to determine the permissions you need
Azure has thousands of permissions that you can potentially include in your custom role. Here are some methods that can help you determine the permissions you will want to add to your custom role:
Look at existing built-in roles.
You might want to modify an existing role or combine permissions used in multiple roles.
List the Azure services you want to grant access to.
Determine the resource providers that map to the Azure services.
Azure services expose their functionality and permissions through resource providers. For example, the Microsoft.Compute resource provider supplies virtual machine resources and the Microsoft.Billing resource provider supplies subscription and billing resources. Knowing the resource providers can help you narrow down and determine the permissions you need for your custom role.
When you create a custom role using the Azure portal, you can also determine the resource providers by searching for keywords. This search functionality is described in Create or update Azure custom roles using the Azure portal.
Search the available permissions to find permissions you want to include.
When you create a custom role using the Azure portal, you can search for permissions by keyword. For example, you can search for virtual machine or billing permissions. You can also download all of the permissions as a CSV file and then search this file. This search functionality is described in Create or update Azure custom roles using the Azure portal.
Custom role example
The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.
The following shows the same custom role as displayed using Azure CLI.
Custom role properties
The following table describes what the custom role properties mean.
Property | Required | Type | Description
---|---|---|---
Name | Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Microsoft Entra tenant. This display name must be unique at the scope of the Microsoft Entra tenant. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 512.
Id | Yes | String | The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role.
IsCustom | Yes | String | Indicates whether this is a custom role. Set to true or True for custom roles. Set to false or False for built-in roles.
Description | Yes | String | The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 2048.
Actions | Yes | String[] | An array of strings that specifies the control plane actions that the role allows to be performed.
NotActions | No | String[] | An array of strings that specifies the control plane actions that are excluded from the allowed Actions.
DataActions | No | String[] | An array of strings that specifies the data plane actions that the role allows to be performed on your data within that object. If you create a custom role with DataActions, that role can't be assigned at management group scope.
NotDataActions | No | String[] | An array of strings that specifies the data plane actions that are excluded from the allowed DataActions.
AssignableScopes | Yes | String[] | An array of strings that specifies the scopes at which the custom role is available for assignment. Maximum number of AssignableScopes is 2,000.
Permission strings are case-insensitive. When you create your custom roles, the convention is to match the case that you see for permissions in Azure resource provider operations.
Wildcard permissions
Actions, NotActions, DataActions, and NotDataActions support wildcards (*) to define permissions. A wildcard (*) extends a permission to everything that matches the action string you provide. For example, suppose that you wanted to add all the permissions related to Azure Cost Management and exports. You could add all of these action strings:
Instead of adding all of these strings, you could just add a wildcard string. For example, the following wildcard string is equivalent to the previous five strings. This would also include any future export permissions that might be added.
It's recommended that you specify Actions and DataActions explicitly instead of using the wildcard (*) character. A wildcard also grants any Actions or DataActions that the resource provider adds in the future, which may be access you never intended to give.
Who can create, delete, update, or view a custom role
Just like built-in roles, the AssignableScopes property specifies the scopes that the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.
Task | Action | Description
---|---|---
Create/delete a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this action on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
Update a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this action on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
View a custom role | Microsoft.Authorization/roleDefinitions/read | Users that are granted this action at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment.
Even if a role is renamed, the role ID does not change. If you are using scripts or automation to create your role assignments, it's a best practice to use the unique role ID instead of the role name, so that your scripts keep working if the role is renamed.
Find role assignments to delete a custom role
Before you can delete a custom role, you must remove any role assignments that use the custom role. If you try to delete a custom role with role assignments, you get the message: There are existing role assignments referencing role (code: RoleDefinitionHasAssignments).
Here are steps to help find the role assignments before deleting a custom role:
- List the custom role definition.
- In the AssignableScopes section, get the management groups, subscriptions, and resource groups.
- Iterate over the AssignableScopes and list the role assignments.
- Remove the role assignments that use the custom role.
- If you are using Microsoft Entra Privileged Identity Management, remove eligible custom role assignments.
- Delete the custom role.
For information about how to find unused custom roles, see Symptom - No more role definitions can be created.
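The procedure above, as an added example that is not Microsoft's code: walk the role definition's AssignableScopes, keep the assignments whose roleDefinitionId matches the role's ID (not its display name, so a renamed role is still found), and emit the delete commands. ROLE_DEFINITION and ASSIGNMENTS are constructed sample data that mirror the JSON shape of `az role definition list --name ...` and `az role assignment list --scope ... --all`.

```python
"""Find the role assignments that must go before a custom role can be deleted.

Added example, not Microsoft's code. Matching is by roleDefinitionId rather
than roleDefinitionName, so a role renamed after its assignments were made is
still found, and a different role that happens to share the name is not.
ROLE_DEFINITION and ASSIGNMENTS are constructed sample data, not tenant output.
"""

SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"   # constructed
ROLE_GUID = "aaaaaaaa-0000-0000-0000-000000000001"              # constructed
OTHER_ROLE_GUID = "bbbbbbbb-0000-0000-0000-000000000002"        # constructed decoy
ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"

ROLE_DEFINITION = {   # shape of `az role definition list --name ...` output
    "id": SUB_A + ROLE_DEFS + ROLE_GUID,
    "name": ROLE_GUID,
    "roleName": "Cost Export Reader v2",   # renamed after the assignments were made
    "roleType": "CustomRole",
    "assignableScopes": [SUB_A, SUB_B + "/resourceGroups/rg-finance"],
}


def _assignment(num, role_guid, role_name, scope):
    """Build one record in the shape `az role assignment list` returns (constructed)."""
    return {
        "id": scope + "/providers/Microsoft.Authorization/roleAssignments/"
              + "%08d-0000-0000-0000-000000000000" % num,
        "roleDefinitionId": SUB_A + ROLE_DEFS + role_guid,
        "roleDefinitionName": role_name,
        "scope": scope,
        "principalType": "Group",
    }


ASSIGNMENTS = [
    # old display name but the right ID: must be removed
    _assignment(1, ROLE_GUID, "Cost Export Reader", SUB_A + "/resourceGroups/rg-billing"),
    # same display name, different role: a decoy that name matching would catch
    _assignment(2, OTHER_ROLE_GUID, "Cost Export Reader v2", SUB_A),
    # nested under the rg-finance assignable scope: must be removed
    _assignment(3, ROLE_GUID, "Cost Export Reader v2",
                SUB_B + "/resourceGroups/rg-finance/providers/Microsoft.Storage"
                "/storageAccounts/stfinance"),
]
# ARM resource IDs are not case-sensitive; make sure the comparison copes.
ASSIGNMENTS[2]["roleDefinitionId"] = ASSIGNMENTS[2]["roleDefinitionId"].upper()


def scope_within(scope, parent):
    """True if scope equals parent or sits beneath it on a '/' boundary."""
    s, p = scope.lower().rstrip("/"), parent.lower().rstrip("/")
    return s == p or s.startswith(p + "/")


def assignments_referencing(role_def, assignments):
    """Assignments of this role inside its assignableScopes, matched by role ID."""
    role_id = role_def["id"].lower()
    hits = {}
    for scope in role_def["assignableScopes"]:
        for a in assignments:
            if a["roleDefinitionId"].lower() == role_id and scope_within(a["scope"], scope):
                hits[a["id"]] = a   # de-duplicate across overlapping scopes
    return list(hits.values())


def delete_commands(hits):
    """Commands to remove the blocking assignments before `az role definition delete`."""
    return ["az role assignment delete --ids " + a["id"] for a in hits]


if __name__ == "__main__":
    blocking = assignments_referencing(ROLE_DEFINITION, ASSIGNMENTS)
    print("\n".join(delete_commands(blocking)))
```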
Custom role limits
The following list describes the limits for custom roles.
- Each tenant can have up to 5000 custom roles.
- Microsoft Azure operated by 21Vianet can have up to 2000 custom roles for each tenant.
- You cannot set AssignableScopes to the root scope ("/").
- You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by updating the role definition.
- You can have only one wildcard in an action string.
- You can define only one management group in AssignableScopes of a custom role.
- Azure Resource Manager doesn't validate the management group's existence in the role definition's AssignableScopes.
- Custom roles with DataActions can't be assigned at the management group scope.
- You can create a custom role with DataActions and one management group in AssignableScopes . You can't assign the custom role at the management group scope itself; however, you can assign the custom role at the scope of the subscriptions within the management group. This can be helpful if you need to create a single custom role with DataActions that needs to be assigned in multiple subscriptions, instead of creating a separate custom role for each subscription.
For more information about custom roles and management groups, see What are Azure management groups?
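The limits above and the wildcard caveat from the "Wildcard permissions" section, checked in code. This is an added example, not Microsoft's tooling: it lints the JSON you would hand to `az role definition create --role-definition`, and expands a wildcard action string against a catalogue of operations so a reviewer can see what a `*` grants today. KNOWN_ACTIONS, GOOD_ROLE and BAD_ROLE are constructed sample data.

```python
"""Lint an Azure custom role definition against the documented limits.

Added example, not Microsoft's code. Checks the "Custom role limits" rules
on a role definition and expands wildcard action strings against a catalogue
of operations. KNOWN_ACTIONS, GOOD_ROLE and BAD_ROLE are constructed data.
"""
import fnmatch

MAX_ASSIGNABLE_SCOPES = 2000
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
ACTION_KEYS = ("Actions", "NotActions", "DataActions", "NotDataActions")

# Constructed stand-in for the resource provider operations list.
KNOWN_ACTIONS = [
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/delete",
    "Microsoft.CostManagement/exports/run/action",
    "Microsoft.CostManagement/query/action",
]

GOOD_ROLE = {  # constructed: passes every check
    "Name": "Cost Export Reader (constructed)", "IsCustom": True,
    "Description": "Reads cost exports; no wildcards.",
    "Actions": ["Microsoft.CostManagement/exports/read"],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

BAD_ROLE = {  # constructed: trips several limits at once
    "Name": "Cost Export Operator (constructed)", "IsCustom": True,
    "Description": "Deliberately violates the custom role limits.",
    "Actions": ["Microsoft.CostManagement/*/exports/*"],  # two wildcards
    "NotActions": [], "NotDataActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": [
        "/",                                                      # root scope
        "/subscriptions/*",                                       # wildcard scope
        "/providers/Microsoft.Management/managementGroups/mg-a",  # two management
        "/providers/Microsoft.Management/managementGroups/mg-b",  # groups
    ],
}


def wildcard_matches(pattern, known_actions):
    """Known actions a wildcarded action string covers (case-insensitive; '*' spans '/')."""
    return [a for a in known_actions
            if fnmatch.fnmatchcase(a.lower(), pattern.lower())]


def lint_role_definition(role):
    """Return problems found (empty list = passes); 'warning:' marks documented caveats."""
    problems = []
    if role.get("IsCustom") not in (True, "true", "True"):
        problems.append("IsCustom must be true for a custom role")

    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes is required and must not be empty")
    if len(scopes) > MAX_ASSIGNABLE_SCOPES:
        problems.append("more than %d AssignableScopes" % MAX_ASSIGNABLE_SCOPES)
    mgmt_groups = []
    for scope in scopes:
        if scope == "/":
            problems.append("AssignableScopes cannot contain the root scope '/'")
        elif "*" in scope:
            problems.append("wildcard not allowed in AssignableScopes: %s" % scope)
        elif scope.lower().startswith(MG_PREFIX):
            mgmt_groups.append(scope)
    if len(mgmt_groups) > 1:
        problems.append("only one management group may appear in AssignableScopes")

    for key in ACTION_KEYS:
        for action in role.get(key, []):
            if action.count("*") > 1:
                problems.append("%s: more than one wildcard in %r" % (key, action))
            elif "*" in action and key in ("Actions", "DataActions"):
                covered = wildcard_matches(action, KNOWN_ACTIONS)
                problems.append("warning: %s wildcard %r covers %d known operations "
                                "and any added in future" % (key, action, len(covered)))
    if role.get("DataActions") and mgmt_groups:
        problems.append("warning: DataActions present; assign at subscriptions under "
                        "the management group, not at the management group itself")
    return problems
```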
Input and output formats
To create a custom role using the command line, you typically use JSON to specify the properties you want for the custom role. Depending on the tools you use, the input and output formats will look slightly different. This section lists the input and output formats depending on the tool.
Azure PowerShell
To create a custom role using Azure PowerShell, you must provide the following input.
To update a custom role using Azure PowerShell, you must provide the following input. Note that the Id property has been added.
The following shows an example of the output when you list a custom role using Azure PowerShell and the ConvertTo-Json command.
Azure CLI
To create or update a custom role using Azure CLI, you must provide the following input. This is the same format you use when creating a custom role with Azure PowerShell.
The following shows an example of the output when you list a custom role using Azure CLI.
REST API
To create or update a custom role using the REST API, you must provide the following input. This is the same format that gets generated when you create a custom role using the Azure portal.
The following shows an example of the output when you list a custom role using the REST API.
- Tutorial: Create an Azure custom role using Azure PowerShell
- Tutorial: Create an Azure custom role using Azure CLI
- Understand Azure role definitions
- Troubleshoot Azure RBAC
az role assignment create: IndexError: list index out of range #21336
sycao5 commented Feb 17, 2022
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
yonzhan commented Feb 17, 2022
for awareness
jiasli commented Feb 18, 2022
2.7.0 is very old. Please install the latest version and see if the issue is solved:
Azure cli -az role assignment
I'm trying to assign the Databricks access connector to a storage account as the Storage Blob Data Contributor using this script.
But it does not work! I tried to debug by getting the outputs one by one. The first output, of the $accessConnector variable, is successful and I can see the detailed data, including the IdentityPrincipalId, but the second output, $accessConnectorObjectId, is empty. I can get it, therefore it results in an error:
Access Connector Object ID: ERROR: argument --assignee: expected one argument
How can I fix this?
- azure-resource-manager
- If you run (Get-AzDatabricksAccessConnector -ResourceGroupName $rgName -Name $acName).Identity.PrincipalId.Count using the correct values for $rgName and $acName, what do you get? – Santiago Squarzon Commented May 7 at 18:56
- Within the function or separately? – Greencolor Commented May 7 at 19:03
- Separately, cause the error implies that either $accessConnectorObjectId is null or has more than 1 value – Santiago Squarzon Commented May 7 at 19:04
- Ahhh, I think I know where your issue is :P You're using Identity.PrincipalId in your code and the actual property name should be IdentityPrincipalId (no dots, no nested property). It's a typo ;) – Santiago Squarzon Commented May 7 at 19:36
- Please provide the answer, you are right haha – Greencolor Commented May 7 at 19:50
The issue is caused by a typo in $accessConnector.Identity.PrincipalId. Looking at the Outputs section of the Get-AzDatabricksAccessConnector documentation, we can see that the cmdlet outputs an object implementing the IAccessConnector interface and, if we look at the properties of that interface, we can see that the property name is .IdentityPrincipalId instead of .Identity.PrincipalId (basically, a nested object with a property .PrincipalId under .Identity). So you were actually getting null for referencing a member that doesn't exist on your object and, in consequence, that error from the az CLI.
So, the fix for the issue:
Aside from that, I'd recommend using New-AzRoleAssignment here; it would have given you a much better error message that would've helped debug this problem much faster: