What are the minimal RBAC permissions required to send email using Azure Communication Services EmailClient?

Craig Wallace 0 Reputation points
2025-07-09T09:30:02.3233333+00:00

I am using EmailClient from Azure.Communication.Email to send email via Azure Communication Services. It works but the app identity currently has the 'Communication and Email Service Owner' role. I want to create a custom role with the minimal permissions needed to send emails via EmailClient. What permissions do I need? I can't find this clearly documented anywhere.

Azure Communication Services

2 answers

  1. Jacquelin Martineau-Rousseau 135 Reputation points
    2025-07-16T14:59:58.03+00:00

    Hi Craig,

    I have had this exact problem. I ended up creating a custom role with the following permissions for this purpose. It works well.

    "permissions": [
    	{
    		"actions": [
    			"Microsoft.Communication/CommunicationServices/Read",
    			"Microsoft.Communication/EmailServices/read",
    			"Microsoft.Communication/EmailServices/write",
    			"Microsoft.Communication/EmailServices/Domains/read",
    			"Microsoft.Communication/EmailServices/Domains/SenderUsernames/read",
    			"Microsoft.Communication/EmailServices/Domains/SuppressionLists/read",
    			"Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read",
    			"Microsoft.Communication/Operations/read",
    			"Microsoft.Communication/CommunicationServices/Write",
    			"Microsoft.Communication/RegisteredSubscriptions/read"	
    		],
    		"notActions": [],
    		"dataActions": [],
    		"notDataActions": []
    	}
    ]
    


    1 person found this answer helpful.
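
Added example, not part of either answer or of Microsoft's documentation: this Python script wraps the action list from the answer above in a complete custom role definition, in the JSON shape that `az role definition create --role-definition` accepts, and separates the read-only actions from the write actions so the latter can be reviewed when trimming the role. The role name, description and scope are placeholders, and comparing action strings case-insensitively is an assumption.

```python
import json

# Action list copied from the answer above, original casing kept.
ANSWER_ACTIONS = [
    "Microsoft.Communication/CommunicationServices/Read",
    "Microsoft.Communication/EmailServices/read",
    "Microsoft.Communication/EmailServices/write",
    "Microsoft.Communication/EmailServices/Domains/read",
    "Microsoft.Communication/EmailServices/Domains/SenderUsernames/read",
    "Microsoft.Communication/EmailServices/Domains/SuppressionLists/read",
    "Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read",
    "Microsoft.Communication/Operations/read",
    "Microsoft.Communication/CommunicationServices/Write",
    "Microsoft.Communication/RegisteredSubscriptions/read",
]

# Constructed placeholder: replace with the scope the app identity actually needs.
SCOPE_PLACEHOLDER = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"

def split_by_verb(actions):
    """Return (read_only, mutating), judged by the last path segment of each action."""
    read_only, mutating = [], []
    for action in actions:
        verb = action.rsplit("/", 1)[-1].lower()  # assumption: casing is not significant
        bucket = read_only if verb == "read" else mutating  # write, delete, action, *
        bucket.append(action)
    return read_only, mutating

def build_role_definition(name, actions, scope):
    """Build a custom role definition dict, dropping case-insensitive duplicates."""
    seen, unique = set(), []
    for action in actions:
        if action.lower() not in seen:
            seen.add(action.lower())
            unique.append(action)
    return {
        "Name": name,  # hypothetical role name
        "IsCustom": True,
        "Description": "Custom role built from the action list in the answer (example).",
        "Actions": unique,
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }

if __name__ == "__main__":
    role = build_role_definition("ACS Email Sender (example)", ANSWER_ACTIONS, SCOPE_PLACEHOLDER)
    print(json.dumps(role, indent=2))
    print("Review before assigning:", split_by_verb(ANSWER_ACTIONS)[1])
```

Save the printed JSON to a file, replace the scope placeholder, and pass the file path to `az role definition create --role-definition`.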

  2. Shree Hima Bindu Maganti 7,420 Reputation points Microsoft External Staff Moderator
    2025-07-09T18:47:34.8133333+00:00

    Hi @Craig Wallace
    To send emails with Azure Communication Services EmailClient, ensure your custom role includes these minimum RBAC permissions:

    To get started, you'll need the following permissions related to Microsoft.Communication:

    Read Email Services: Microsoft.Communication/EmailServices/read

    Create or Update Email Services: Microsoft.Communication/EmailServices/write

    Manage Domains: You will need permissions to manage the email domains you're using:

    • Microsoft.Communication/EmailServices/Domains/read
    • Microsoft.Communication/EmailServices/Domains/write
    • Microsoft.Communication/EmailServices/Domains/delete

    Additionally, you may want to include specific actions related to SenderUsernames if you intend on managing sender credentials:

    • Microsoft.Communication/EmailServices/Domains/SenderUsernames/read
    • Microsoft.Communication/EmailServices/Domains/SenderUsernames/write

    These permissions are sufficient for sending emails, without the broader access given by the 'Communication and Email Service Owner' role.

    For more details, see:

