Assign Azure roles using the Azure portal
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.
If you need to assign administrator roles in Azure Active Directory, see Assign Azure AD roles to users.
To assign Azure roles, you must have:
Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner
Azure RBAC has a new experience for assigning Azure roles in the Azure portal that is currently in public preview. If you want to try this new experience, follow the steps on the (Preview) tab.
Step 1: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource. For more information, see Understand scope.
Sign in to the Azure portal.
In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.
Click the specific resource for that scope.
The following shows an example resource group.
Step 2: Open the Add role assignment pane
Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
Click Access control (IAM).
The following shows an example of the Access control (IAM) page for a resource group.
Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment. If you don't have permissions to assign roles, the Add role assignment option will be disabled.
The Add role assignment pane opens.
Step 3: Select the appropriate role
In the Role list, search or scroll to find the role that you want to assign.
To help you determine the appropriate role, you can hover over the info icon to display a description for the role. For additional information, you can view the Azure built-in roles article.
Click to select the role.
Step 4: Select who needs access
In the Assign access to list, select the type of security principal to assign access to.
| Type | Description |
| --- | --- |
| User, group, or service principal | If you want to assign the role to a user, group, or service principal (application), select this type. |
| User assigned managed identity | If you want to assign the role to a user-assigned managed identity, select this type. |
| System assigned managed identity | If you want to assign the role to a system-assigned managed identity, select the Azure service instance where the managed identity is located. |
If you selected a user-assigned managed identity or a system-assigned managed identity, select the Subscription where the managed identity is located.
In the Select section, search for the security principal by entering a string or scrolling through the list.
Once you have found the security principal, click to select it.
Step 5: Assign role
To assign the role, click Save.
After a few moments, the security principal is assigned the role at the selected scope.
On the Role assignments tab, verify that you see the role assignment in the list.
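The scope levels from Step 1 determine which assignments are in effect when you verify access at a scope: an assignment made at a broader scope also applies at the narrower scopes beneath it. The following Python sketch is an added example, not part of the original article, that classifies scope IDs and lists the assignments in effect at a target scope. The sample assignments, the `principal`/`role`/`scope` keys, and all function names are constructed for illustration; management group inheritance cannot be read from the scope string, so it is reported as `unknown`.

```python
import re

# Scope levels from broad to narrow, as listed in Step 1.
LEVELS = ["management group", "subscription", "resource group", "resource"]
PATTERNS = [  # Azure scope ID shape for each level, in the same order
    r"/providers/Microsoft\.Management/managementGroups/[^/]+",
    r"/subscriptions/[^/]+",
    r"/subscriptions/[^/]+/resourceGroups/[^/]+",
    r"/subscriptions/[^/]+/(resourceGroups/[^/]+/)?providers/.+",
]

def scope_level(scope):
    """Classify a scope ID; raise ValueError if it matches no level."""
    for level, pattern in zip(LEVELS, PATTERNS):
        if re.fullmatch(pattern, scope.rstrip("/"), re.IGNORECASE):
            return level
    raise ValueError(f"unrecognized scope: {scope!r}")

def relation(assigned, target):
    """Return how a role assigned at `assigned` relates to `target`."""
    level = scope_level(assigned)
    scope_level(target)  # reject malformed targets early
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    if a == t:
        return "direct"
    if t.startswith(a + "/"):  # "/" stops example-rg matching example-rg2
        return "inherited"
    if level == "management group":
        return "unknown"  # needs the management group hierarchy to resolve
    return "none"

def in_effect(target, assignments):
    """List (principal, role, level, relation) rows, broadest scope first."""
    rows = []
    for a in assignments:
        rel = relation(a["scope"], target)
        if rel != "none":
            rows.append((a["principal"], a["role"], scope_level(a["scope"]), rel))
    return sorted(rows, key=lambda r: LEVELS.index(r[2]))

# Constructed sample data (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example-rg"
MG = "/providers/Microsoft.Management/managementGroups/example-mg"
SAMPLE = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob", "role": "Reader", "scope": RG},
    {"principal": "carol", "role": "Contributor", "scope": SUB + "/resourceGroups/other-rg"},
    {"principal": "dave", "role": "User Access Administrator", "scope": MG},
]

if __name__ == "__main__":
    for row in in_effect(RG, SAMPLE):
        print(row)
```

Rows marked `inherited` or `unknown` are the ones that do not originate at the scope under review and are worth checking against the broader scope where they were assigned.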