Add or remove Azure role assignments using the Azure portal
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.
If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.
To add or remove role assignments, you must have:
Microsoft.Authorization/roleAssignments/deletepermissions, such as User Access Administrator or Owner
Add a role assignment
In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role. For a high-level overview of steps, see Steps to add a role assignment.
Step 1: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.
It's a best practice to grant security principals the least privilege they need to perform their job. Avoid assigning broader roles at broader scopes even if it initially seems more convenient. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised. For more information about scope, see Understand scope.
Sign in to the Azure portal.
In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.
Click the specific resource for that scope.
The following shows an example resource group.
Step 2: Open the Add role assignment pane
Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
Click Access control (IAM).
The following shows an example of the Access control (IAM) page for a resource group.
Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment. If you don't have permissions to assign roles, the Add role assignment option will be disabled.
The Add role assignment pane opens.
Step 3: Select the appropriate role
In the Role list, search or scroll to find the role that you want to assign.
To help you determine the appropriate role, you can hover over the info icon to display a description for the role. For additional information, you can view the Azure built-in roles article.
Click to select the role.
Step 4: Select who needs access
In the Assign access to list, select the type of security principal to assign access to.
Type Description User, group, or service principal If you want to assign the role to a user, group, or service principal (application), select this type. User assigned managed identity If you want to assign the role to a user-assigned managed identity, select this type. System assigned managed identity If you want to assign the role to a system-assigned managed identity, select the Azure service instance where the managed identity is located.
If you selected a user-assigned managed identity or a system-assigned managed identity, select the Subscription where the managed identity is located.
In the Select section, search for the security principal by entering a string or scrolling through the list.
Once you have found the security principal, click to select it.
Step 5: Assign role
To assign the role, click Save.
After a few moments, the security principal is assigned the role at the selected scope.
On the Role assignments tab, verify that you see the role assignment in the list.
Remove a role assignment
In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.
Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
Click the Role assignments tab to view all the role assignments at this scope.
In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
In the remove role assignment message that appears, click Yes.
If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).