Assign an RBAC role to a Resource Group
This template assigns Owner, Reader or Contributor access to an existing resource group. To learn more about how to deploy the template, see the quickstart article.
This template takes the following inputs:
- Principal ID
- Role Definition ID
Use the following Azure PowerShell cmdlet to get the principal ID associated with a user from their email address. Note that the principal ID maps to the ID inside the directory and can point to a user, service principal, or security group. The ObjectId is the principal ID.

```powershell
PS C:\> Get-AzADUser -mail <email id>

DisplayName Type ObjectId
----------- ---- --------
<NAME>           xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Use the following Azure PowerShell cmdlet to learn about role definitions.
```powershell
PS C:\> Get-AzRoleDefinition -Name "reader"

Name             : Reader
Id               : acdd72a7-3385-48ef-bd42-f606fba81ae7
IsCustom         : False
Description      : Lets you view everything, but not make any changes.
Actions          : {*/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}
```
You can use the same cmdlet to get the role definition ID for owner and contributor.
"Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"
"Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
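
Before deploying, it helps to confirm that both inputs are what you expect. The following is an added example, not part of the template or its original README: it checks the role definition ID against the three IDs above, resolves which kind of principal the ID points to, and reports roles the principal already holds on the resource group. The function name `Test-RbacTemplateInput`, its parameter names and the sample values in the final comment are assumptions made for illustration; it requires the Az module and a signed-in session.

```powershell
# Added example: check the template's two inputs before deploying.
# Assumes the Az module is loaded and Connect-AzAccount has been run.
# Test-RbacTemplateInput and its parameter names are hypothetical.
function Test-RbacTemplateInput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [guid]   $PrincipalId,
        [Parameter(Mandatory)] [guid]   $RoleDefinitionId
    )

    # Built-in role definition IDs as listed on this page.
    $builtIn = @{
        '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
        'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
        'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    }
    $roleName = $builtIn[$RoleDefinitionId.ToString()]
    if (-not $roleName) { throw "Role definition ID $RoleDefinitionId is not Owner, Contributor or Reader." }

    # The template targets an existing resource group; stop if it is missing.
    $null = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction Stop

    # A principal ID can point to a user, a service principal or a security group.
    $id = $PrincipalId.ToString()
    $principalType = if (Get-AzADUser -ObjectId $id -ErrorAction SilentlyContinue) { 'User' }
        elseif (Get-AzADServicePrincipal -ObjectId $id -ErrorAction SilentlyContinue) { 'ServicePrincipal' }
        elseif (Get-AzADGroup -ObjectId $id -ErrorAction SilentlyContinue) { 'Group' }
        else { throw "No user, service principal or group with object ID $id in this directory." }

    # Role assignments this principal already has that apply to the resource group.
    $existing  = @(Get-AzRoleAssignment -ObjectId $id -ResourceGroupName $ResourceGroupName)
    $duplicate = $existing | Where-Object { $_.RoleDefinitionId -like "*$RoleDefinitionId" }

    # Owner can grant access to others, so flag it for a second look.
    if ($roleName -eq 'Owner') { Write-Warning "Owner requested for $principalType $id; confirm Contributor or Reader is not enough." }

    [pscustomobject]@{
        ResourceGroup   = $ResourceGroupName
        PrincipalId     = $id
        PrincipalType   = $principalType
        Role            = $roleName
        AlreadyAssigned = [bool]$duplicate
        EffectiveRoles  = $existing.RoleDefinitionName
    }
}

# Constructed sample call (placeholder resource group and principal ID):
# Test-RbacTemplateInput -ResourceGroupName 'example-rg' -PrincipalId '00000000-0000-0000-0000-000000000000' -RoleDefinitionId 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
```

If `AlreadyAssigned` is true, the principal already holds the requested role on this resource group.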
If you're new to RBAC for Azure resources, see:
If you're new to the template development, see:
Tags: RBAC for Azure resources, role-based access control, Resource Manager, Resource Manager templates, ARM templates, Microsoft.Authorization/roleAssignments