Manage service principal roles
In order to restrict access to your Azure resources, you can use a service principal to manage role assignments. Each role provides different permissions allowed by the user when accessing Azure resources. This step in the tutorial explains how to create and remove service principal roles.
The Azure CLI has the following commands to manage role assignments:
Create or remove a role assignment
The Contributor role has full permissions to read and write to an Azure account. The Reader role is more restrictive with read-only access. Always use the principle of least privilege. For a complete list of available roles in Azure RBAC, see Azure built-in roles.
Adding a role doesn't restrict previously assigned permissions. This example adds the Reader role and removes the Contributor role:
az role assignment create --assignee myServicePrincipalID \
--role Reader \
--scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName
az role assignment delete --assignee myServicePrincipalID \
--role Contributor \
--scope /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName
Output Console:
{
"condition": null,
"conditionVersion": null,
"createdBy": null,
"createdOn": "yyyy-mm-ddT00:00:00.000000+00:00",
"delegatedManagedIdentityResourceId": null,
"description": null,
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000",
"name": "00000000-0000-0000-0000-000000000000",
"principalId": "00000000-0000-0000-0000-000000000000",
"principalType": "ServicePrincipal",
"roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroupName",
"type": "Microsoft.Authorization/roleAssignments",
"updatedBy": "00000000-0000-0000-0000-000000000000",
"updatedOn": "yyyy-mm-ddT00:00:00.000000+00:00"
}
How to get a value for the scope parameter
One question you might have is "How do I know the --scope parameter value?" The answer is to find and copy the Resource ID of the Azure resource your service principal needs to access. This information is usually found in the Azure portal's Properties or Endpoints page of each resource. Here are common --scope examples, but rely on your Resource ID for an actual format and value.
| Scope | Example |
|---|---|
| Subscription | /subscriptions/mySubscriptionID |
| Resource group | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName |
| Virtual machine | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.Compute/virtualMachines/myVMname |
| Storage account file service | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.Storage/storageAccounts/myStorageAccountName/fileServices/default |
| Data factory | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.DataFactory/factories/myDataFactoryName |
For more scope examples, see Understand scope for Azure RBAC.
Verify changes
The changes can be verified by listing the assigned roles:
# list all role assignments for the current subscription
az role assignment list ---output table
# list role assignments for a user
az role assignment list --assignee myUserName@contoso.com
# list role assignments for a subscription
az role assignment list --subscription mySubscriptionID
You can also go into the Azure portal and manually assign the role to the service principal from the Access control (IAM) menu. For more examples on listing role assignments, see List Azure role assignments using Azure CLI.
Next Steps
Now that you've learned how to manage your service principal roles, proceed to the next step to learn how to use service principals to create a resource.
