Add Azure role assignment conditions using Azure Resource Manager templates
An Azure role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object. This article describes how to add conditions for your role assignments using Azure Resource Manager templates.
Prerequisites
You must use the following versions:
2020-03-01-previewor later2020-04-01-previewor later if you want to utilize thedescriptionproperty for role assignments2022-04-01is the first stable version
For more information about the prerequisites to add role assignment conditions, see Conditions prerequisites.
Add a condition
The following template shows how to assign the Storage Blob Data Reader role with a condition. The condition checks whether the container name equals 'blobs-example-container'.
To use the template, you must specify the following input:
- The ID of a user, group, managed identity, or application to assign the role to.
- The type of principal, such as
User,Group, orServicePrincipal. For more information, see New service principal.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "Principal ID to assign the role to"
}
},
"principalType": {
"type": "string",
"metadata": {
"description": "Type of principal"
}
},
"roleAssignmentGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "New GUID used to identify the role assignment"
}
}
},
"variables": {
"StorageBlobDataReader": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]" // ID for Storage Blob Data Reader role, but can be any valid role ID
},
"resources": [
{
"name": "[parameters('roleAssignmentGuid')]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01", // API version to call the role assignment PUT.
"properties": {
"roleDefinitionId": "[variables('StorageBlobDataReader')]",
"principalId": "[parameters('principalId')]",
"principalType": "[parameters('principalType')]",
"description": "Role assignment condition created with an ARM template",
"condition": "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))", // Role assignment condition
"conditionVersion": "2.0"
}
}
]
}
The scope of the role assignment is determined from the level of the deployment. Here are example New-AzResourceGroupDeployment and az deployment group create commands for how to start the deployment at a resource group scope.
New-AzResourceGroupDeployment -ResourceGroupName example-group -TemplateFile rbac-test.json -principalId $principalId -principalType "User"
az deployment group create --resource-group example-group --template-file rbac-test.json --parameters principalId=$principalId principalType="User"
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for