Add or remove Azure role assignments using the Azure portal

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

  • Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner

Add a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role. For a high-level overview of steps, see Steps to add a role assignment.

Step 1: Identify the needed scope

When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.

It's a best practice to grant security principals the least privilege they need to perform their job. Avoid assigning broader roles at broader scopes even if it initially seems more convenient. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. For more information about scope, see Understand scope.

[Diagram: Scope levels for Azure RBAC]

  1. Sign in to the Azure portal.

  2. In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.

    [Screenshot: Azure portal search for resource group]

  3. Click the specific resource for that scope.

    The following shows an example resource group.

    [Screenshot: Resource group overview]

Step 2: Open the Add role assignment pane

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.

  1. Click Access control (IAM).

    The following shows an example of the Access control (IAM) page for a resource group.

    [Screenshot: Access control (IAM) page for a resource group]

  2. Click the Role assignments tab to view the role assignments at this scope.

  3. Click Add > Add role assignment. If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    [Screenshot: Add role assignment menu]

    The Add role assignment pane opens.

    [Screenshot: Add role assignment pane]

Step 3: Select the appropriate role

  1. In the Role list, search or scroll to find the role that you want to assign.

    To help you determine the appropriate role, you can hover over the info icon to display a description for the role. For additional information, you can view the Azure built-in roles article.

    [Screenshot: Select role in Add role assignment]

  2. Click to select the role.

Step 4: Select who needs access

  1. In the Assign access to list, select the type of security principal to assign access to.

    Type                               Description
    User, group, or service principal  If you want to assign the role to a user, group, or service principal (application), select this type.
    User assigned managed identity     If you want to assign the role to a user-assigned managed identity, select this type.
    System assigned managed identity   If you want to assign the role to a system-assigned managed identity, select the Azure service instance where the managed identity is located.

    [Screenshot: Select security principal type in Add role assignment]

  2. If you selected a user-assigned managed identity or a system-assigned managed identity, select the Subscription where the managed identity is located.

  3. In the Select section, search for the security principal by entering a string or scrolling through the list.

    [Screenshot: Select user in Add role assignment]

  4. Once you have found the security principal, click to select it.

Step 5: Assign role

  1. To assign the role, click Save.

    After a few moments, the security principal is assigned the role at the selected scope.

  2. On the Role assignments tab, verify that you see the role assignment in the list.

    [Screenshot: Add role assignment saved]

Remove a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    [Screenshot: Role assignment selected to be removed]

  4. Click Remove.

    [Screenshot: Remove role assignment message]

  5. In the remove role assignment message that appears, click Yes.

    If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).

    [Screenshot: Remove role assignment message for inherited role assignments]
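The portal procedures above (choosing a scope level in Step 1, adding an assignment in Steps 2 to 5, and removing one, including the case where the assignment is inherited from a parent scope) have a scriptable equivalent. The following is an added example, not code from the original article or from Microsoft: two pure-shell helpers that classify a scope ID into its level and decide whether an assignment seen at one scope is inherited from an ancestor, run over a constructed list of assignments, followed by the Azure CLI commands (az role assignment create, list and delete) that correspond to the portal clicks. The subscription IDs, principal names, object ID and scopes are placeholders; the az commands are only run when az is installed and RUN_AZ=1 is set. One caveat the helper cannot cover: a subscription's membership in a management group is not part of its resource ID, so inheritance from a management group assignment cannot be decided from IDs alone.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Scope helpers are pure shell;
# the az commands at the end need an Azure CLI login and are opt-in.
# All IDs, names and scopes below are constructed placeholders.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Classify a scope ID as one of the four Azure RBAC levels ("root" for "/").
# Resource IDs are case-insensitive, so match on a lowercased copy.
scope_level() {
  case "$(lower "$1")" in
    /)                                                  echo root ;;
    /providers/microsoft.management/managementgroups/*) echo managementGroup ;;
    /subscriptions/*/resourcegroups/*/providers/*)      echo resource ;;
    /subscriptions/*/resourcegroups/*)                  echo resourceGroup ;;
    /subscriptions/*)                                   echo subscription ;;
    *)                                                  echo unknown; return 1 ;;
  esac
}

# Exit 0 when an assignment made at scope $1 is inherited at scope $2, i.e.
# $1 is a strict ancestor of $2 in the resource-ID path. Caveat: management
# group membership is not part of a subscription's ID, so MG-to-subscription
# inheritance cannot be decided here and is reported as not inherited.
is_inherited() {
  local assigned current
  assigned=$(lower "$1"); current=$(lower "$2")
  [ "$assigned" = "$current" ] && return 1
  [ "$assigned" = "/" ] && return 0
  case "$current" in "$assigned"/*) return 0 ;; esac
  return 1
}

SUB1=/subscriptions/00000000-0000-0000-0000-000000000001
RG="$SUB1/resourceGroups/rg-prod"
STG="$RG/providers/Microsoft.Storage/storageAccounts/stprod"

# Constructed sample assignments: principal|role|scope.
ASSIGNMENTS="alice@contoso.example|Owner|$SUB1
app-ci|Contributor|$RG
mi-web|Storage Blob Data Reader|$STG
bob@contoso.example|Reader|/subscriptions/00000000-0000-0000-0000-000000000002"

# Assignments in effect at a scope, labelled like the portal's Scope column.
# Only the "direct" rows can be removed at that scope; the others must be
# removed at the scope named in parentheses.
effective_assignments() {
  local at=$1 principal role scope
  while IFS='|' read -r principal role scope; do
    if [ "$(lower "$scope")" = "$(lower "$at")" ]; then
      printf '%s\t%s\tdirect\n' "$principal" "$role"
    elif is_inherited "$scope" "$at"; then
      printf '%s\t%s\t%s (Inherited)\n' "$principal" "$role" "$(scope_level "$scope")"
    fi
  done <<EOF
$ASSIGNMENTS
EOF
}

effective_assignments "$RG"
# alice@contoso.example  Owner        subscription (Inherited)
# app-ci                 Contributor  direct

# Azure CLI equivalents of the portal clicks. Passing the object ID and the
# principal type skips the directory lookup and works the same for users,
# groups, service principals and managed identities (a managed identity is a
# ServicePrincipal). Removal must target the scope the assignment was made at.
az_equivalents() {
  local scope=$1 object_id=$2 role="Storage Blob Data Reader"
  az role assignment create --assignee-object-id "$object_id" \
    --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  az role assignment list --scope "$scope" --include-inherited --output table
  az role assignment delete --assignee "$object_id" --role "$role" --scope "$scope"
}
if [ "${RUN_AZ:-0}" = 1 ] && command -v az >/dev/null 2>&1; then
  az_equivalents "$STG" 11111111-1111-1111-1111-111111111111   # placeholder object ID
fi
```

Run as-is to see the effective assignments at the resource group; set RUN_AZ=1 after az login to execute the CLI equivalents against the placeholder scope (change it to a scope you own first). The is_inherited check is the same test the portal applies when it refuses to remove an inherited assignment at a child scope.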

Next steps