Role Required to assign RBAC PIM assignments

Cole Duprey 20 Reputation points
2025-06-05T12:51:33.97+00:00

Hello,

I am using a service principal for Terraform to deploy PIM assignments for custom roles at the subscription level. These custom roles are Azure Resource/RBAC roles (NOT Entra ID roles) and reside at the top MG level.

I cannot find the correct built-in role for the service principal to be able to deploy these PIM assignments. From my research, User Access Admin should be enough, as I have tested it on my local machine - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles

Can anyone point me in the right direction?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Accepted answer
    Sanoop M 4,310 Reputation points Moderator
    2025-06-06T10:04:43.5933333+00:00

    Hello @Cole Duprey,

    Please note that to deploy Privileged Identity Management (PIM) assignments for Azure Resource/RBAC custom roles at the subscription or management group (MG) level using a service principal, the service principal must have sufficient permissions to manage role assignments via PIM.


    Required Built-in Role

    The User Access Administrator or Owner built-in Azure role is required for this scenario:

    • User Access Administrator: Grants the ability to manage user access to Azure resources. This includes assigning roles (including PIM eligible/active assignments) at any scope, such as management group, subscription, or resource group. This is the least privileged built-in role that allows managing role assignments and is recommended for automation scenarios like Terraform.
    • Owner: Has full access to all resources, including the ability to delegate access to others. This role is broader than User Access Administrator and also works, but it grants more permissions than necessary.

    Recommendation:

    Assign the User Access Administrator role to your service principal at the management group or subscription level where you need to manage PIM assignments for custom RBAC roles.

    Please follow the steps as mentioned in the below document to assign Azure resource roles in Privileged Identity Management.

    Assign Azure resource roles in Privileged Identity Management

    Reference document which will be helpful:

    What is Privileged Identity Management?

    I hope the above information provided is helpful. Please feel free to reach out to us if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
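The configuration below is an added example, not code from the question, the accepted answer, or Microsoft's documentation. It shows the two pieces the answer describes in Terraform with the `azurerm` provider: the one-time grant of User Access Administrator to the Terraform service principal at the subscription scope, and a PIM eligible assignment of a custom RBAC role that is defined at the top management group. The management group ID, the custom role name, the variable values and the dates are placeholders; the resource and data source types (`azurerm_role_assignment`, `azurerm_pim_eligible_role_assignment`, `azurerm_role_definition`) are real provider types, and the `role_definition_id` concatenation follows the provider's documented pattern for scoping a role definition under the subscription.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azurerm" {
  features {}
}

# Object ID of the Terraform service principal (placeholder, supplied at apply time).
variable "terraform_sp_object_id" {
  type = string
}

# Object ID of the user or group that should become eligible for the custom role (placeholder).
variable "eligible_principal_object_id" {
  type = string
}

# Subscription that the PIM assignments target (resolved from the current credentials).
data "azurerm_subscription" "target" {}

# Custom RBAC role defined at the top management group.
# Both the role name and the management group ID are assumed placeholders.
data "azurerm_role_definition" "custom" {
  name  = "Example Custom Role"
  scope = "/providers/Microsoft.Management/managementGroups/mg-root-placeholder"
}

# Step 1 (bootstrap, applied once by an identity that already holds Owner or
# User Access Administrator): grant the Terraform service principal
# User Access Administrator at the subscription scope. This is the least
# privileged built-in role that can create role assignments, PIM ones included,
# at and below that scope.
resource "azurerm_role_assignment" "terraform_uaa" {
  scope                = data.azurerm_subscription.target.id
  role_definition_name = "User Access Administrator"
  principal_id         = var.terraform_sp_object_id
  principal_type       = "ServicePrincipal"
}

# Step 2: the PIM eligible assignment of the custom role at the subscription
# scope, created by the service principal once step 1 is in place.
resource "azurerm_pim_eligible_role_assignment" "custom_role" {
  scope              = data.azurerm_subscription.target.id
  role_definition_id = "${data.azurerm_subscription.target.id}${data.azurerm_role_definition.custom.id}"
  principal_id       = var.eligible_principal_object_id
  justification      = "Eligible assignment managed by Terraform"

  schedule {
    start_date_time = "2025-07-01T00:00:00Z" # placeholder start
    expiration {
      duration_days = 180 # placeholder; keep eligibility time-bound
    }
  }

  depends_on = [azurerm_role_assignment.terraform_uaa]
}
```

Step 1 cannot be applied by the service principal itself, since it has no rights to grant itself a role; run that part (or an equivalent portal/CLI assignment) as an administrator first, then let the Terraform pipeline manage step 2. Because User Access Administrator lets the holder assign any role, Owner included, at the scope where it is granted, give it at the narrowest scope that still covers the subscriptions whose PIM assignments Terraform has to manage.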
