Assign an RBAC role to a Resource Group

This template assigns Owner, Reader or Contributor access to an existing resource group. To learn more about how to deploy the template, see the quickstart article.

This template takes the following inputs:

  • Principal ID
  • Role Definition ID

Use the following Azure PowerShell cmdlet to get the Principal ID associated with a user from their email address. Note that the principal ID maps to the ID inside the directory and can point to a user, service principal, or security group. The ObjectId is the principal ID.

PS C:\> Get-AzADUser -mail <email id>

DisplayName                    Type                           ObjectId
-----------                    ----                           --------
<NAME>                                                        xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Use the following Azure PowerShell cmdlet to learn about role definitions.

PS C:\> Get-AzRoleDefinition -Name "reader"

Name             : Reader
Id               : acdd72a7-3385-48ef-bd42-f606fba81ae7
IsCustom         : False
Description      : Lets you view everything, but not make any changes.
Actions          : {*/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

You can use the same cmdlet to get the role definition IDs for Owner and Contributor.

"Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
"Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"
"Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
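
Before deploying, the two inputs can be checked against the values above and against what the principal already holds on the resource group. The following is an added example, not part of the original template; the function name `Test-RoleAssignmentInput` is hypothetical, and it assumes the Az.Resources module with a signed-in session.

```powershell
# Added example. Requires Az.Resources and a signed-in session (Connect-AzAccount).
# Built-in role definition IDs exactly as listed on this page.
$BuiltInRoles = @{
    'Owner'       = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
    'Contributor' = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
    'Reader'      = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
}

function Test-RoleAssignmentInput {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    # The principal ID must be a well-formed GUID (the ObjectId shown above).
    $principal = [guid]::Empty
    if (-not [guid]::TryParse($PrincipalId, [ref] $principal)) {
        throw "Principal ID '$PrincipalId' is not a GUID."
    }

    # The role definition ID must be one of the three roles this template assigns.
    $roleName = $BuiltInRoles.Keys | Where-Object { $BuiltInRoles[$_] -eq $RoleDefinitionId }
    if (-not $roleName) {
        throw "Role definition ID '$RoleDefinitionId' is not Owner, Contributor or Reader."
    }

    # Confirm the ID resolves to the expected built-in (non-custom) role.
    $definition = Get-AzRoleDefinition -Id $RoleDefinitionId
    if ($definition.Name -ne $roleName -or $definition.IsCustom) {
        throw "ID resolves to '$($definition.Name)', expected built-in '$roleName'."
    }

    # Assignments the principal already has for this resource group.
    $existing = @(Get-AzRoleAssignment -ObjectId $principal -ResourceGroupName $ResourceGroupName)

    [pscustomobject]@{
        PrincipalId     = $principal
        RoleName        = $roleName
        # True when the principal already holds this role for the resource group.
        AlreadyAssigned = [bool]($existing | Where-Object RoleDefinitionId -eq $RoleDefinitionId)
        # Owner can also manage access for others; review before granting it.
        NeedsReview     = ($roleName -eq 'Owner')
        ExistingRoles   = $existing | ForEach-Object { "$($_.RoleDefinitionName) @ $($_.Scope)" }
    }
}

# Usage: Test-RoleAssignmentInput -PrincipalId <ObjectId> -RoleDefinitionId <role ID> -ResourceGroupName <name>
```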

If you're new to RBAC for Azure resources, see:

If you're new to template development, see:

Tags: RBAC for Azure resources, role-based access control, Resource Manager, Resource Manager templates, ARM templates, Microsoft.Authorization/roleAssignments