Use role assignments to manage access to your Azure subscription resources

2 min to read Contributors

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. This article helps you get up and running with RBAC in the Azure portal. If you want more details about how RBAC helps you manage access, see What is Role-Based Access Control.

View access

You can see who has access to a resource, resource group, or subscription from its main blade in the Azure portal. For example, we want to see who has access to one of our resource groups:

  1. Select Resource groups in the navigation bar on the left.
    Resource groups - icon
  2. Select the name of the resource group from the Resource groups blade.
  3. Select Access control (IAM) from the left menu.
  4. The Access control blade lists all users, groups, and applications that have been granted access to the resource group.

    Users blade - inherited vs assigned access screenshot

Notice that some users were Assigned access while others Inherited it. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.

Note

Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.

Add Access

You grant access from within the resource, resource group, or subscription that is the scope of the role assignment.

  1. Select Add on the Access control blade.
  2. Select the role that you wish to assign from the Select a role blade.
  3. Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.

    Add users blade - search screenshot

  4. Select OK to create the assignment. The Adding user popup tracks the progress.
    Adding user progress bar - screenshot

After successfully adding a role assignment, it will appear on the Users blade.

Remove Access

  1. Select the role assignment on the Access control blade.
  2. Select Remove in the assignment details blade.
  3. Select yes to confirm removal.
    Users blade - remove from role screenshot

Inherited assignments cannot be removed. Notice in the image below that the remove button is grayed out. Instead, look at the Assigned At detail. Go to the resource listed there to remove the role assignment.

Users blade - inherited access disables remove button screenshot

Other tools to manage access

You can assign roles and manage access with Azure RBAC commands in tools other than the Azure portal. Follow the links to learn more about the prerequisites and get started with the Azure RBAC commands.

Next Steps