Microsoft.Authorization roleAssignments
The roleAssignments resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource.
- For Bicep, see Set scope on extension resources in Bicep.
- For JSON, see Set scope on extension resources in ARM templates.
Valid deployment scopes for the roleAssignments resource are:
- Tenant
- Management Group
- Subscription
- Resource Group
For a list of changed properties in each API version, see change log.
Remarks
For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.
Points that matter when you author this resource:
- name must be a GUID and is unique per tenant. Generate it deterministically with guid() from the scope, principal and role definition IDs so that redeploying the template is idempotent instead of failing with a conflict on an existing assignment.
- roleDefinitionId is the full resource ID of the role definition (for example subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<role GUID>')), not the bare GUID.
- When the principal is created in the same deployment (a managed identity, for instance), set principalType explicitly. Without it the assignment can fail with a PrincipalNotFound error because the new object is not yet visible in the directory.
- A role assignment is a privilege change. Scope it to the narrowest resource that works and pick the least-privileged built-in role that fits; Owner or User Access Administrator at subscription or tenant scope lets the principal grant itself further rights. The identity that runs the deployment must itself hold Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator) at the target scope.
Template format
To create a Microsoft.Authorization/roleAssignments resource, add the following Bicep to your template (the JSON form uses the same properties).

```bicep
resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: 'string'                              // must be a GUID, unique across the tenant
  scope: resourceSymbolicName or tenant()     // omit to assign at the deployment scope
  properties: {
    condition: 'string'                       // optional ABAC condition
    conditionVersion: 'string'                // '2.0' whenever condition is set
    delegatedManagedIdentityResourceId: 'string'
    description: 'string'
    principalId: 'string'                     // object ID of the user, group, or service principal
    principalType: 'string'                   // 'User', 'Group', 'ServicePrincipal', 'ForeignGroup' or 'Device'
    roleDefinitionId: 'string'                // full resource ID of the role definition
  }
}
```
Property values
roleAssignments
| Name | Description | Value |
|---|---|---|
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Authorization/roleAssignments' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2020-10-01-preview' |
| name | The resource name. | string (required). Character limit: 36. Valid characters: must be a globally unique identifier (GUID). The resource name must be unique across the tenant. |
| scope | Use when creating an extension resource at a scope that is different from the deployment scope. | Target resource. For Bicep, set this property to the symbolic name of the resource to apply the extension resource to. For JSON, set the value to the full name of the resource to apply the extension resource to. This resource type can also be applied to a tenant: for Bicep, use tenant(); for JSON, use "/". |
| properties | Role assignment properties. | RoleAssignmentProperties (required) |
RoleAssignmentProperties
| Name | Description | Value |
|---|---|---|
| condition | An ABAC condition that further restricts when this assignment grants access, for example to a single blob container: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'. Must be set together with conditionVersion. | string |
| conditionVersion | Version of the condition. Currently the only accepted value is '2.0'. | string |
| delegatedManagedIdentityResourceId | Id of the delegated managed identity resource | string |
| description | Description of role assignment | string |
| principalId | The principal ID. | string (required) |
| principalType | The principal type of the assigned principal ID. | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
| roleDefinitionId | The role definition ID. | string (required) |
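The following Bicep file is an added, worked example and not part of the original page or of any quickstart template. It ties the template format and the property table together: a user-assigned managed identity is created in the same deployment and granted the built-in Storage Blob Data Reader role on one storage account only, with an ABAC condition that further narrows blob reads to a single container. The identity name, storage account name, container name and parameter names are assumptions; the role definition GUID and the condition syntax are Azure's.

```bicep
// Added example, not from the original page. Resource names and parameters are assumptions.
targetScope = 'resourceGroup'

@description('Name of the user-assigned managed identity to create (assumed).')
param identityName string = 'id-blobreader'

@description('Storage account that is the scope of the assignment (assumed).')
param storageAccountName string = 'st${uniqueString(resourceGroup().id)}'

@description('The only container the identity may read blobs from (assumed).')
param allowedContainer string = 'reports'

// Built-in role definition GUID for Storage Blob Data Reader.
var storageBlobDataReaderId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
// Data action and resource attribute used by the ABAC condition.
var blobReadAction = 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
var containerAttr = '@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]'

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: resourceGroup().location
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: resourceGroup().location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

resource blobReader 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Deterministic GUID from scope + principal + role: redeploying yields the same
  // name, so the deployment is idempotent instead of conflicting with itself.
  name: guid(storage.id, identity.id, storageBlobDataReaderId)
  // Extension resource applied to the storage account, not the whole resource group.
  scope: storage
  properties: {
    // Full resource ID of the role definition, never the bare GUID.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataReaderId)
    principalId: identity.properties.principalId
    // Required here: the identity is created in this same deployment and may not
    // yet be visible in the directory when the assignment is written.
    principalType: 'ServicePrincipal'
    description: 'Read-only blob access for ${identityName}, limited to container ${allowedContainer}'
    // ABAC: any action other than blob read is unaffected; a blob read is allowed
    // only when the container name matches. conditionVersion must accompany condition.
    conditionVersion: '2.0'
    condition: '((!(ActionMatches{\'${blobReadAction}\'})) OR (${containerAttr} StringEquals \'${allowedContainer}\'))'
  }
}

output principalId string = identity.properties.principalId
output roleAssignmentId string = blobReader.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`; the caller needs Owner or User Access Administrator on the resource group, since writing the assignment requires Microsoft.Authorization/roleAssignments/write at the target scope. Leaving out principalType, or using the bare role GUID in roleDefinitionId, are the two most common reasons such a template fails on first deployment.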
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Hazelcast Cluster | Hazelcast is an in-memory data platform that can be used for a variety of data applications. This template will deploy any number of Hazelcast nodes and they will automatically discover each other. |
| IBM Cloud Pak for Data on Azure | This template deploys an OpenShift cluster on Azure with all the required resources and infrastructure, and then deploys IBM Cloud Pak for Data along with the add-ons that the user chooses. |
| min.io Azure Gateway | Fully private min.io Azure Gateway deployment to provide an S3-compliant storage API backed by blob storage. |
| Deploy a Storage Account for SAP ILM Store | The Microsoft Azure Storage Account can now be used as an ILM Store to persist the archive files and attachments from an SAP ILM system. An ILM Store is a component that fulfills the requirements of SAP ILM-compliant storage systems. One can store archive files in a storage medium using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal. |
| Create a WordPress site | This template creates a WordPress site on Container Instance. |
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
| Azure Cloud Shell - VNet | This template deploys Azure Cloud Shell resources into an Azure virtual network. |
| Azure Image Builder with Azure Windows Baseline | Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied. |
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
| Import VHD Blobs from a ZIP Archive URL | Deploying Virtual Machines based on specialized disk images requires importing VHD files into a Storage Account. When multiple VHD files are compressed in a single ZIP and you have the URL to fetch the ZIP archive, this ARM template eases the job: download, extract and import into an existing Storage Account blob container. |
| Create a user-assigned managed identity and role assignment | This module allows you to create a user-assigned managed identity and a role assignment scoped to the resource group. |
| Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with a User Assigned Identity. It uses this identity to fetch the SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
| RBAC - Grant Built In Role Access for multiple existing VMs in a Resource Group | This template grants applicable role-based access to multiple existing VMs in a Resource Group. |
| Assign an RBAC role to a Resource Group | This template assigns Owner, Reader or Contributor access to an existing resource group. |
| RBAC - Existing VM | This template grants applicable role-based access to an existing VM in a Resource Group. |
| RBAC - Create Managed Identity Access on Azure Maps account | This template creates a Managed Identity and assigns it access to a newly created Azure Maps account. |
| Front Door Standard/Premium with static website origin | This template creates a Front Door Standard/Premium and an Azure Storage static website, and configures Front Door to send traffic to the static website. |
| Terraform on Azure | This template allows you to deploy a Terraform workstation as a Linux VM with MSI. |
| Create an on-demand SFTP Server with persistent storage | This template demonstrates an on-demand SFTP server using an Azure Container Instance (ACI). |
| Create Disk & enable protection via Backup Vault | Template that creates a disk and enables protection via Backup Vault. |
| Create Storage Account & enable protection via Backup Vault | Template that creates a storage account and enables protection via Backup Vault. |
| Create a data share from a storage account | This template creates a data share from a storage account. |
| Azure Digital Twins with Function and Private Link service | This template creates an Azure Digital Twins service configured with a Virtual Network-connected Azure Function that can communicate through a Private Link Endpoint to Digital Twins. It also creates a Private DNS Zone to allow seamless hostname resolution of the Digital Twins Endpoint from the Virtual Network to the Private Endpoint's internal subnet IP address. The hostname is stored as an Azure Function app setting named 'ADT_ENDPOINT'. |
| Create an Azure Key Vault with RBAC and a secret | This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets. |
| Deploy Azure Data Explorer db with Event Hub connection | Deploys an Azure Data Explorer database with an Event Hub connection. |
| User assigned identity role assignment template | A template that creates role assignments for a user-assigned identity on the resources that an Azure Machine Learning workspace depends on. |
| Create Azure Maps SAS token stored in an Azure Key Vault | This template deploys an Azure Maps account and lists a SAS token based on the provided User Assigned identity, to be stored in an Azure Key Vault secret. |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault. |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
| Import Container Images into ACR | This template leverages the Import ACR module from the Bicep registry to import public container images into an Azure Container Registry. |
| Create ssh-keys and store in KeyVault | This template uses the deploymentScript resource to generate SSH keys and stores the private key in Key Vault. |
| Azure SQL Server with Auditing written to a blob storage | This template allows you to deploy an Azure SQL server with Auditing enabled to write audit logs to blob storage. |
| SQL logical server | This template allows you to create a SQL logical server. |
| Deploys a static website | Deploys a static website with a backing storage account. |
| Azure Synapse Proof-of-Concept | This template creates a proof-of-concept environment for Azure Synapse, including SQL Pools and optional Apache Spark Pools. |
| Web App with Managed Identity, SQL Server and AI | Simple example to deploy Azure infrastructure for app + data + managed identity + monitoring. |
| Create a resourceGroup, apply a lock and RBAC | This template is a subscription-level template that will create a resourceGroup, apply a lock to the resourceGroup and assign Contributor permissions to the supplied principalId. Currently, this template cannot be deployed via the Azure Portal. |
| Assign a role at subscription scope | This template is a subscription-level template that will assign a role at subscription scope. |
| Assign a role at tenant scope | This template is a tenant-level template that will assign a role to the provided principal at the tenant scope. The user deploying the template must already have the Owner role assigned at the tenant scope. |