Configure Azure RBAC for FHIR


Azure API for FHIR will be retired on September 30, 2026. Follow the migration strategies to transition to Azure Health Data Services FHIR service by that date. Due to the retirement of Azure API for FHIR, new deployments won't be allowed beginning April 1, 2025. Azure Health Data Services FHIR service is the evolved version of Azure API for FHIR that enables customers to manage FHIR, DICOM, and MedTech services with integrations into other Azure services.

In this article, you'll learn how to use Azure role-based access control (Azure RBAC) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred methods for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription. If you're using an external Microsoft Entra tenant, refer to the local RBAC assignment reference.

Confirm Azure RBAC mode

To use Azure RBAC, your Azure API for FHIR must be configured to use your Azure subscription tenant for data plane and there should be no assigned identity object IDs. You can verify your settings by inspecting the Authentication blade of your Azure API for FHIR:

Confirm Azure RBAC mode

The Authority should be set to the Microsoft Entra tenant associated with your subscription and there should be no GUIDs in the box labeled Allowed object IDs. You'll also notice that the box is disabled and a label indicates that Azure RBAC should be used to assign data plane roles.

Assign roles

To grant users, service principals or groups access to the FHIR data plane, select Access control (IAM), then select Role assignments and select + Add:

Add Azure role assignment

In the Role selection, search for one of the built-in roles for the FHIR data plane:

Built-in FHIR data roles

You can choose between:

  • FHIR Data Reader: Can read (and search) FHIR data.
  • FHIR Data Writer: Can read, write, and soft delete FHIR data.
  • FHIR Data Exporter: Can read and export ($export operator) data.
  • FHIR Data Contributor: Can perform all data plane operations.

In the Select box, search for a user, service principal, or group that you wish to assign the role to.


Make sure that the client application registration is completed. See details on application registration If OAuth 2.0 authorization code grant type is used, grant the same FHIR application role to the user. If OAuth 2.0 client credentials grant type is used, this step is not required.

Caching behavior

The Azure API for FHIR will cache decisions for up to 5 minutes. If you grant a user access to the FHIR server by adding them to the list of allowed object IDs, or you remove them from the list, you should expect it to take up to five minutes for changes in permissions to propagate.

Next steps

In this article, you learned how to assign Azure roles for the FHIR data plane. For information about Azure API for FHIR configuration settings, see

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.