az role assignment

Manage role assignments.

Commands

az role assignment create             Create a new role assignment for a user, group, or service principal.
az role assignment delete             Delete role assignments.
az role assignment list               List role assignments.
az role assignment list-changelogs    List changelogs for role assignments.

az role assignment create

Create a new role assignment for a user, group, or service principal.

az role assignment create --role
                          [--assignee]
                          [--assignee-object-id]
                          [--resource-group]
                          [--scope]
                          [--subscription]

Examples

Create role assignment for an assignee.

az role assignment create --assignee sp_name --role a_role

Required Parameters

--role

Role name or id.

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--scope

Scope at which the role assignment or definition applies, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role assignment delete

Delete role assignments.

az role assignment delete [--assignee]
                          [--ids]
                          [--include-inherited]
                          [--resource-group]
                          [--role]
                          [--scope]
                          [--subscription]
                          [--yes]

Examples

Delete role assignments. (autogenerated)

az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role"

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--ids

Space-separated role assignment ids.

--include-inherited

Include assignments applied on parent scopes.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--yes -y

Continue to delete all assignments under the subscription.

az role assignment list

List role assignments.

az role assignment list [--all]
                        [--assignee]
                        [--include-classic-administrators {false, true}]
                        [--include-groups]
                        [--include-inherited]
                        [--resource-group]
                        [--role]
                        [--scope]
                        [--subscription]

Optional Parameters

--all

Show all assignments under the current subscription.

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--include-classic-administrators

List default role assignments for subscription classic administrators, aka co-admins.

Accepted values: false, true

--include-groups

Include extra assignments to the groups of which the user is a member (transitively).

--include-inherited

Include assignments applied on parent scopes.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
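
Added example (not part of the Azure CLI documentation): a least-privilege review of the JSON printed by az role assignment list --all --output json, classifying each assignment by the scope levels shown in the --scope description and flagging privileged roles granted at subscription scope or wider. The sample records are constructed, the set of roles treated as privileged is an assumption, and the root ("/") and management-group scopes go beyond the three scope forms listed on this page.

```python
import json
import re

# Roles treated as privileged here (an assumption; adjust to local policy).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample of `az role assignment list --all --output json`, trimmed to
# the fields used below. The ids and names reuse the --scope examples on this page.
SUB = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333"
RG = SUB + "/resourceGroups/myGroup"
SAMPLE_JSON = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deployer", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "vm-operators", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": RG + "/providers/Microsoft.Compute/virtualMachines/myVM"},
    {"principalName": "bob@example.com", "roleDefinitionName": "User Access Administrator",
     "scope": "/"},
])

# Scope shapes, widest first; segment names are matched case-insensitively.
SCOPE_PATTERNS = [
    ("management-group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", r"/subscriptions/[^/]+"),
    ("resource-group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
    ("resource", r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+"),
]

def scope_level(scope):
    """Classify a scope string; "/" (or empty) is the root scope."""
    s = scope.rstrip("/")
    if s == "":
        return "root"
    for level, pattern in SCOPE_PATTERNS:
        if re.fullmatch(pattern, s, re.I):
            return level
    return "unknown"

def broad_privileged(assignments):
    """Return (principal, role, level) for privileged roles at broad scopes."""
    # Unrecognised scope shapes are reported too, so the review fails closed.
    broad = {"root", "management-group", "subscription", "unknown"}
    findings = []
    for a in assignments:
        level = scope_level(a.get("scope", ""))
        role = a.get("roleDefinitionName", "")
        if role in PRIVILEGED_ROLES and level in broad:
            findings.append((a.get("principalName") or a.get("principalId"), role, level))
    return findings

if __name__ == "__main__":
    for principal, role, level in broad_privileged(json.loads(SAMPLE_JSON)):
        print(f"REVIEW {principal}: {role} at {level} scope")
```

Each finding is a candidate for replacement by a narrower assignment created with --scope or --resource-group.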

az role assignment list-changelogs

List changelogs for role assignments.

az role assignment list-changelogs [--end-time]
                                   [--start-time]
                                   [--subscription]

Optional Parameters

--end-time

The end time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to the current time.

--start-time

The start time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to 1 hour prior to the current time.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.