Manage access using RBAC and the Azure portal

Role-based access control (RBAC) is the way that you manage access to resources in Azure. This article describes how you manage access for users, groups, and applications using RBAC and the Azure portal.

List roles

A role definition is a collection of permissions that you use for role assignments. Azure has over 60 built-in roles.

  1. In the Azure portal, choose All services and then Subscriptions.

  2. Choose your subscription.

  3. Choose Access control (IAM).


  4. Choose Roles to see a list of all the built-in and custom roles.

    (Screenshot: Roles option)

    You can see the number of users and groups that are assigned to each role.

    (Screenshot: Roles list)

List access

When managing access, you want to know who has access, what permissions they have, and at what scope. To list access, you list the role assignments.

List role assignments for a subscription

  1. In the Azure portal, choose All services and then Subscriptions.

  2. Choose your subscription.

  3. Choose Access control (IAM).

    On the Access control (IAM) blade, also known as identity and access management, you can see who has access to this subscription and their role.

    (Screenshot: Access control (IAM) blade)

    Classic subscription administrators and co-administrators are considered owners of the subscription in the RBAC model.

List role assignments for a resource group

  1. In the navigation list, choose Resource groups.

  2. Choose a resource group and then choose Access control (IAM).

    On the Access control (IAM) blade, you can see who has access to this resource group. Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.

    (Screenshot: Resource groups)

List role assignments for a user

  1. In the navigation list, choose Azure Active Directory.

  2. Choose Users to open All users.

    (Screenshot: Azure Active Directory All users blade)

  3. Choose an individual user in the list.

  4. In the Manage section, choose Azure resources.

    (Screenshot: Azure Active Directory user Azure resources)

    On the Azure resources blade, you can see the role assignments for the selected user and selected subscription. This list includes only role assignments for resources that you have permission to read. For example, if the user also has role assignments that you cannot read, those role assignments will not appear in the list.

  5. If you have multiple subscriptions, you can choose the Subscription drop-down list to see the role assignments in a different subscription.

Grant access

In RBAC, to grant access, you create a role assignment.

Create a role assignment at a subscription scope

  1. In the Azure portal, choose All services and then Subscriptions.

  2. Choose your subscription.

  3. Choose Access control (IAM) to see the current list of role assignments at the subscription scope.

    (Screenshot: Access control (IAM) blade)

  4. Choose Add to open the Add permissions pane.

    If you don't have permissions to assign roles, you won't see the Add option.

    (Screenshot: Add permissions pane)

  5. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  6. In the Select list, select a user, group, or application. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  7. Choose Save to create the role assignment.

    After a few moments, the security principal is assigned the role at the subscription scope.

Create a role assignment at a resource group scope

  1. In the navigation list, choose Resource groups.

  2. Choose a resource group.

  3. Choose Access control (IAM) to see the current list of role assignments at the resource group scope.

    (Screenshot: Access control (IAM) blade for resource group)

  4. Choose Add to open the Add permissions pane.

    If you don't have permissions to assign roles, you won't see the Add option.

    (Screenshot: Add permissions pane)

  5. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  6. In the Select list, select a user, group, or application. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  7. Choose Save to create the role assignment.

    After a few moments, the security principal is assigned the role at the resource group scope.

Remove access

In RBAC, to remove access, you remove a role assignment.

Remove a role assignment

  1. Open the Access control (IAM) blade for the subscription, resource group, or resource that has the role assignment you want to remove.

  2. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.


  3. Choose Remove.

    (Screenshot: Remove role assignment message)

  4. In the remove role assignment message that appears, choose Yes.

Inherited role assignments cannot be removed at the scope where they are inherited. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the Scope column, next to Inherited, there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.
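The scope logic behind the portal's Scope column (This resource versus (Inherited) in the resource group listing above, and the rule that an inherited assignment can only be removed at the scope where it was created), as an added Python example that is not part of the Azure documentation or the Azure SDK. It reads the record shape that `az role assignment list --all` returns (principalName, principalType, roleDefinitionName, scope), but the records, the all-zero subscription ID and the resource names are constructed placeholders. The `covering_assignments` helper goes slightly beyond the page: before you create the assignment described under Grant access, it checks whether an assignment at a parent scope already grants the same role, which is a common cause of accumulated, redundant access.

```python
"""Classify Azure RBAC role assignments by scope, the way the portal's Access
control (IAM) blade labels them ('This resource' vs '(Inherited)').

Added example; not code from the Azure documentation or the Azure SDK. The
record shape mimics the JSON returned by `az role assignment list --all`; the
records, subscription ID and resource names are constructed placeholders.
"""
import json

# Constructed sample data with an all-zero placeholder subscription ID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "vm-operators", "principalType": "Group",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"principalName": "build-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev"}
]
"""


def load_sample():
    """Parse the constructed sample as if it came from the CLI."""
    return json.loads(SAMPLE_ASSIGNMENTS_JSON)


def _segments(scope):
    # ARM scopes are '/'-separated paths; resource group and resource names are
    # matched case-insensitively, as ARM itself does.
    return [s.lower() for s in scope.strip("/").split("/") if s]


def is_ancestor_or_same(parent, child):
    """True if `parent` equals `child` or is one of its ancestor scopes.
    Whole path segments are compared, so .../rg-prod is not an ancestor of
    .../rg-prod2. The tenant root scope "/" is an ancestor of everything."""
    p, c = _segments(parent), _segments(child)
    return len(p) <= len(c) and c[: len(p)] == p


def effective_assignments(assignments, target_scope):
    """Assignments in effect at `target_scope`, labelled like the portal's Scope
    column: 'This resource' when assigned at exactly this scope, '(Inherited)'
    when assigned at an ancestor. `assigned_at` is the scope the assignment
    lives at, which is the only scope it can be removed from."""
    rows = []
    for a in assignments:
        if not is_ancestor_or_same(a["scope"], target_scope):
            continue  # narrower or unrelated scope: not in effect here
        direct = _segments(a["scope"]) == _segments(target_scope)
        rows.append({
            "principal": a["principalName"],
            "type": a["principalType"],
            "role": a["roleDefinitionName"],
            "scope_label": "This resource" if direct else "(Inherited)",
            "assigned_at": a["scope"],
        })
    return rows


def covering_assignments(assignments, principal, role, target_scope):
    """Existing assignments that already grant `principal` the same `role` at
    `target_scope`, directly or by inheritance. A non-empty result means a new
    assignment there would be redundant. Only an identical role name counts;
    a broader role such as Owner is deliberately not treated as covering."""
    return [
        a for a in effective_assignments(assignments, target_scope)
        if a["principal"].lower() == principal.lower()
        and a["role"].lower() == role.lower()
    ]


if __name__ == "__main__":
    rg = SUB + "/resourceGroups/rg-prod"
    for row in effective_assignments(load_sample(), rg):
        print(f"{row['principal']:<24} {row['role']:<28} "
              f"{row['scope_label']:<14} {row['assigned_at']}")
```

Run against real data by replacing `load_sample()` with the parsed output of `az role assignment list --all`; the listing for a user in the portal corresponds to filtering the rows on `principal`, and, as the page notes, the CLI likewise returns only the assignments you have permission to read.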

Next steps