List Azure role assignments using the Azure portal

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using the Azure portal.

Note

If your organization has outsourced management functions to a service provider who uses Azure delegated resource management, role assignments authorized by that service provider won't be shown here.

List role assignments for a user or group

The easiest way to see the roles assigned to a user or group in a subscription is to use the Azure role assignments pane.

  1. In the Azure portal, select All services from the Azure portal menu.

  2. Select Azure Active Directory and then select Users or Groups.

  3. Click the user or group you want to list the role assignments for.

  4. Click Azure role assignments.

    You see a list of roles assigned to the selected user or group at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    Role assignments for a user

  5. To change the subscription, click the Subscriptions list.

List owners of a subscription

Users that have been assigned the Owner role for a subscription can manage everything in the subscription. Follow these steps to list the owners of a subscription.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription you want to list the owners of.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Scroll to the Owners section to see all the users that have been assigned the Owner role for this subscription.

    Subscription Access control - Role assignments tab

List role assignments at a scope

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments at this scope.

    Access control - Role assignments tab

    On the Role assignments tab, you can see who has access at this scope. Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to this resource or inherited from an assignment to the parent scope.

List role assignments for a user at a scope

To list access for a user, group, service principal, or managed identity, you list their role assignments. Follow these steps to list the role assignments for a single user, group, service principal, or managed identity at a particular scope.

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Check access tab.

    Access control - Check access tab

  5. In the Find list, select the type of security principal you want to check access for.

  6. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

    Check access select list

  7. Click the security principal to open the assignments pane.

    assignments pane

    On this pane, you can see the roles assigned to the selected security principal and the scope. If there are any deny assignments at this scope or inherited to this scope, they will be listed.

List role assignments for a managed identity

You can list role assignments for system-assigned and user-assigned managed identities at a particular scope by using the Access control (IAM) blade as described earlier. This section describes how to list role assignments for just the managed identity.

System-assigned managed identity

  1. In the Azure portal, open a system-assigned managed identity.

  2. In the left menu, click Identity.

    System-assigned managed identity

  3. Under Permissions, click Azure role assignments.

    You see a list of roles assigned to the selected system-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    Role assignments for a system-assigned managed identity

  4. To change the subscription, click the Subscription list.

User-assigned managed identity

  1. In the Azure portal, open a user-assigned managed identity.

  2. Click Azure role assignments.

    You see a list of roles assigned to the selected user-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    Role assignments for a system-assigned managed identity

  3. To change the subscription, click the Subscription list.

List number of role assignments

You can have up to 2000 role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. To help you keep track of this limit, the Role assignments tab includes a chart that lists the number of role assignments for the current subscription.

Access control - Number of role assignments chart

If you are getting close to the maximum number and you try to add more role assignments, you'll see a warning in the Add role assignment pane. For ways that you can reduce the number of role assignments, see Troubleshoot Azure RBAC.

Access control - Add role assignment warning

Download role assignments (Preview)

You can download role assignments at a scope in CSV or JSON formats. This can be helpful if you need to inspect the list in a spreadsheet or take an inventory when migrating a subscription.

Important

Download role assignments is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

When you download role assignments, you should keep in mind the following criteria:

  • If you don't have permissions to read the directory, such as the Directory Readers role, the DisplayName, SignInName, and ObjectType columns will be blank.
  • Role assignments whose security principal has been deleted are not included.
  • Access granted to classic administrators is not included.

Follow these steps to download role assignments at a scope.

  1. In the Azure portal, click All services and then select the scope where you want to download the role assignments. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click Download role assignments (preview) to open the Download role assignments pane.

    Access control - Download role assignments

  5. Use the check boxes to select the role assignments you want to include in the downloaded file.

    • Inherited - Include inherited role assignments for the current scope.
    • At current scope - Include role assignments for the current scope.
    • Children - Include role assignments at levels below the current scope. This check box is disabled for management group scope.
  6. Select the file format, which can be comma-separated values (CSV) or JavaScript Object Notation (JSON).

  7. Specify the file name.

  8. Click Start to start the download.

    The following examples show the output for each file format.

    Download role assignments as CSV
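The following is an added example, not part of the original article or Microsoft's tooling: a Python review of a downloaded CSV that reproduces the portal's "this resource" versus "(Inherited)" distinction, lists effective Owners, flags rows with blank directory columns, and counts assignments against the 2000 limit. It assumes the file was downloaded at subscription scope with Children selected; DisplayName, SignInName, and ObjectType are the columns named above, while Scope, RoleDefinitionName, and ObjectId are assumed column names and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. DisplayName, SignInName and ObjectType are named on
# the page; Scope, RoleDefinitionName and ObjectId are assumed column names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_CSV = f"""Scope,DisplayName,SignInName,RoleDefinitionName,ObjectId,ObjectType
/providers/Microsoft.Management/managementGroups/mg-example,Platform Admins,,Owner,obj-1,Group
{SUB},Alice Example,alice@example.com,Owner,obj-2,User
{SUB}/resourceGroups/rg-app,,,Owner,obj-3,
{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stexample,app-identity,,Reader,obj-4,ServicePrincipal
"""
SUBSCRIPTION_LIMIT = 2000  # per-subscription limit stated on the page


def relation(assignment_scope, current_scope):
    """Classify an assignment relative to the scope under review."""
    a = assignment_scope.rstrip("/").lower()
    c = current_scope.rstrip("/").lower()
    if a == c:
        return "this-scope"
    if a.startswith(c + "/"):
        return "child"
    # Path ancestors apply downward; a management group is assumed to be an ancestor.
    if c.startswith(a + "/") or a.startswith("/providers/microsoft.management/"):
        return "inherited"
    return "unrelated"


def audit(csv_text, current_scope):
    report = {"owners": [], "unresolved": [], "counted": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rel = relation(row["Scope"], current_scope)
        who = row["DisplayName"] or row["ObjectId"]
        # Owner at this scope or above can manage everything in the scope.
        if row["RoleDefinitionName"] == "Owner" and rel in ("this-scope", "inherited"):
            report["owners"].append((who, rel))
        # Blank directory columns: the export was made without directory read access.
        if not row["DisplayName"] and not row["ObjectType"]:
            report["unresolved"].append(row["ObjectId"])
        # Only subscription, resource group and resource scopes count to the limit.
        if row["Scope"].lower().startswith("/subscriptions/"):
            report["counted"] += 1
    report["remaining"] = SUBSCRIPTION_LIMIT - report["counted"]
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CSV, SUB))
```

Because the download omits access granted to classic administrators, the owners list produced here is not a complete list of who can manage the subscription.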
