az role assignment

Manage role assignments.

Commands

az role assignment create Create a new role assignment for a user, group, or service principal.
az role assignment delete Delete role assignments.
az role assignment list List role assignments.
az role assignment list-changelogs List changelogs for role assignments.

az role assignment create

Create a new role assignment for a user, group, or service principal.

az role assignment create --role
[--assignee]
[--assignee-object-id]
[--resource-group]
[--scope]
[--subscription]

Examples

Create role assignment for an assignee.

az role assignment create --assignee sp_name --role a_role

Required Parameters

--role

Role name or id.

Optional Parameters

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Assignee's graph object id, such as the 'principal id' from a managed service identity. Use this instead of '--assignee' to bypass graph permission issues.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--scope

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role assignment delete

Delete role assignments.

az role assignment delete [--assignee]
[--ids]
[--include-inherited]
[--resource-group]
[--role]
[--scope]
[--subscription]

Optional Parameters

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--ids

Space-separated role assignment ids.

--include-inherited

Include assignments applied on parent scopes.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role assignment list

List role assignments.

az role assignment list [--all]
[--assignee]
[--include-classic-administrators {false, true}]
[--include-groups]
[--include-inherited]
[--resource-group]
[--role]
[--scope]
[--subscription]

Optional Parameters

--all

Show all assignments under the current subscription.

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--include-classic-administrators

List default role assignments for subscription classic administrators, aka co-admins.

accepted values: false, true
--include-groups

Include extra assignments to the groups of which the user is a member(transitively).

--include-inherited

Include assignments applied on parent scopes.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role assignment list-changelogs

List changelogs for role assignments.

az role assignment list-changelogs [--end-time]
[--start-time]
[--subscription]

Optional Parameters

--end-time

The end time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to the current time.

--start-time

The start time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to 1 Hour prior to the current time.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.