Assign Azure roles using the Azure portal
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.
If you need to assign administrator roles in Azure Active Directory, see Assign Azure AD roles to users.
To assign Azure roles, you must have:
Microsoft.Authorization/roleAssignments/writepermissions, such as User Access Administrator or Owner
Step 1: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource. For more information, see Understand scope.
Sign in to the Azure portal.
In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.
Click the specific resource for that scope.
The following shows an example resource group.
Step 2: Open the Add role assignment page
Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
Click Access control (IAM).
The following shows an example of the Access control (IAM) page for a resource group.
Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
The Add role assignment page opens.
Step 3: Select the appropriate role
On the Roles tab, select a role that you want to use.
You can search for a role by name or by description. You can also filter roles by type and category.
In the Details column, click View to get more details about a role.
Step 4: Select who needs access
On the Members tab, select User, group, or service principal to assign the selected role to one or more Azure AD users, groups, or service principals (applications).
Click Select members.
Find and select the users, groups, or service principals.
You can type in the Select box to search the directory for display name or email address.
Click Select to add the users, groups, or service principals to the Members list.
To assign the selected role to one or more managed identities, select Managed identity.
Click Select members.
Find and select the managed identities.
For system-assigned managed identities, you can select managed identities by Azure service instance.
Click Select to add the managed identities to the Members list.
In the Description box enter an optional description for this role assignment.
Later you can show this description in the role assignments list.
Step 5: (Optional) Add condition (preview)
If you selected a role that supports conditions, a Conditions (optional) tab will appear and you have the option to add a condition to your role assignment. A condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.
Currently, conditions can be added to built-in or custom role assignments that have storage blob data actions. These include the following built-in roles:
Click Add condition if you want to further refine the role assignments based on storage blob attributes. For more information, see Add or edit Azure role assignment conditions.
Step 6: Assign role
On the Review + assign tab, review the role assignment settings.
Click Review + assign to assign the role.
After a few moments, the security principal is assigned the role at the selected scope.
If you don't see the description for the role assignment, click Edit columns to add the Description column.
Submit and view feedback for