az role assignment
Manage role assignments.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az role assignment create |
Create a new role assignment for a user, group, or service principal. |
Core | GA |
| az role assignment delete |
Delete role assignments. |
Core | GA |
| az role assignment list |
List role assignments. |
Core | GA |
| az role assignment list-changelogs |
List changelogs for role assignments. |
Core | GA |
| az role assignment update |
Update an existing role assignment for a user, group, or service principal. |
Core | GA |
az role assignment create
Create a new role assignment for a user, group, or service principal.
az role assignment create --role
--scope
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {ForeignGroup, Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--name]Examples
Create role assignment to grant the specified assignee the Reader role on an Azure virtual machine.
az role assignment create --assignee sp_name --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVmCreate role assignment for an assignee with description and condition.
az role assignment create --role Owner --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount --assignee "John.Doe@Contoso.com" --description "Role assignment foo to check on bar" --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0"Create role assignment with your own assignment name.
az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup --name 00000000-0000-0000-0000-000000000000Required Parameters
Role name or id.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
Use with --assignee-object-id to avoid errors caused by propagation latency in Microsoft Graph.
| Property | Value |
|---|---|
| Accepted values: | ForeignGroup, Group, ServicePrincipal, User |
Condition under which the user can be granted permission.
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.
Description of role assignment.
A GUID for the role assignment. It must be unique and different for each role assignment. If omitted, a new GUID is generated.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role assignment delete
Delete role assignments.
az role assignment delete [--assignee]
[--ids]
[--include-inherited]
[--resource-group]
[--role]
[--scope]
[--yes]Examples
Delete role assignments. (autogenerated)
az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role"Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
Space-separated role assignment ids.
Include assignments applied on parent scopes.
| Property | Value |
|---|---|
| Default value: | False |
Use it only if the role or assignment was added at the level of a resource group.
Role name or id.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Continue to delete all assignments under the subscription.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role assignment list
List role assignments.
By default, only assignments scoped to subscription will be displayed. To view assignments scoped by resource or group, use --all.
[WARNING] Azure classic subscription administrators will be retired on August 31, 2024. After August 31, 2024, all classic administrators risk losing access to the subscription. Delete classic administrators who no longer need access or assign an Azure RBAC role for fine-grained access control. Learn more: https://go.microsoft.com/fwlink/?linkid=2238474.
az role assignment list [--all]
[--assignee]
[--include-classic-administrators {false, true}]
[--include-groups]
[--include-inherited]
[--resource-group]
[--role]
[--scope]Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
Show all assignments under the current subscription.
| Property | Value |
|---|---|
| Default value: | False |
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
Option '--include-classic-administrators' has been deprecated and will be removed in a future release.
List default role assignments for subscription classic administrators, aka co-admins.
| Property | Value |
|---|---|
| Default value: | False |
| Accepted values: | false, true |
Include extra assignments to the groups of which the user is a member(transitively).
| Property | Value |
|---|---|
| Default value: | False |
Include assignments applied on parent scopes.
| Property | Value |
|---|---|
| Default value: | False |
Use it only if the role or assignment was added at the level of a resource group.
Role name or id.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role assignment list-changelogs
List changelogs for role assignments.
az role assignment list-changelogs [--end-time]
[--start-time]Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
The end time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to the current time.
The start time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to 1 Hour prior to the current time.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az role assignment update
Update an existing role assignment for a user, group, or service principal.
az role assignment update --role-assignmentExamples
Update a role assignment from a JSON file.
az role assignment update --role-assignment assignment.jsonUpdate a role assignment from a JSON string. (Bash)
az role assignment update --role-assignment '{
"canDelegate": null,
"condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals '"'"'foo'"'"'",
"conditionVersion": "2.0",
"description": "Role assignment foo to check on bar",
"id": "/subscriptions/00000001-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/3eabdd43-375b-4dbd-8dc4-04acd15ce56b",
"name": "3eabdd43-375b-4dbd-8dc4-04acd15ce56b",
"principalId": "00000002-0000-0000-0000-000000000000",
"principalType": "User",
"resourceGroup": "rg1",
"roleDefinitionId": "/subscriptions/00000001-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"scope": "/subscriptions/00000001-0000-0000-0000-000000000000/resourceGroups/rg1",
"type": "Microsoft.Authorization/roleAssignments"
}'Required Parameters
Description of an existing role assignment as JSON, or a path to a file containing a JSON description.
Global Parameters
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
Show this help message and exit.
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
