Manage users and roles

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

To access an Azure Sphere tenant, a user must be assigned a role in the tenant. Only a user with the Administrator role can assign a role to another user.

User roles

The following tenant user roles are supported:

  • An Administrator has full access to all devices and operations within the tenant, including the permission to add or delete other users. Your organization should have at least two logins with this role, but no more logins than necessary.
  • A Contributor can claim devices, add devices and device groups, download device capabilities, and create and change deployments, but cannot perform any delete operations. Software and hardware developers who create applications, manage connected devices, and update deployments but are not responsible for managing tenant access should have the Contributor role.
  • A Reader has access to information about the tenant, including claimed devices, deployments, and when available, any error reporting data from devices. This role is appropriate for maintenance and operations personnel who are responsible for tracking connected device performance at end-user installations.

Add new users to existing tenants

To assign a role to a user in an Azure Sphere tenant, an Administrator should:

Run the azsphere role add command.

Example:

azsphere role add --role <role> --user <email-address>

Note: This command automatically registers the user's Microsoft account with Azure Sphere if it is not already registered. Previously, the register-user command was required to register a new user with Azure Sphere; registration now happens automatically when you add a user to a role in an existing tenant, so you do not need to perform this step separately.

Delete the role of an existing user

To delete a role from a user in an Azure Sphere tenant, an Administrator should:

Run the azsphere role delete command.

Example:

azsphere role delete --role <role> --user <email-address>

Change the role of an existing user

To change the role for a user in an Azure Sphere tenant, an Administrator should first remove the user's existing role, then assign a new role.
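The remove-then-assign sequence above can be wrapped so that a failed assignment does not leave the user without any role. The script below is an added example, not part of the Azure Sphere documentation or tooling; the names change_role and valid_role, the AZSPHERE override variable, and the return codes are assumptions of this example, and only the two azsphere role commands shown on this page are used.

```shell
#!/bin/sh
# Added example: change a user's role by deleting the old role, then adding the new one.
# AZSPHERE is an assumption of this example: it lets you substitute the CLI
# (for instance AZSPHERE=echo for a dry run). It defaults to the real azsphere.
AZSPHERE="${AZSPHERE:-azsphere}"

# Accept only the three tenant roles listed on this page.
valid_role() {
    case "$1" in
        Administrator|Contributor|Reader) return 0 ;;
        *) return 1 ;;
    esac
}

# change_role <email-address> <current-role> <new-role>
# Returns 0 on success, 2 on bad arguments, 3 if the delete failed (nothing
# changed), 4 if the add failed and the old role was restored, 5 if the add
# failed and the restore failed too (the user now has no role in the tenant).
change_role() {
    user="$1"; old="$2"; new="$3"
    if [ -z "$user" ] || ! valid_role "$old" || ! valid_role "$new"; then
        echo "usage: change_role <email-address> <current-role> <new-role>" >&2
        return 2
    fi
    if [ "$old" = "$new" ]; then
        return 0    # nothing to change
    fi
    # Step 1: remove the existing role.
    $AZSPHERE role delete --role "$old" --user "$user" || return 3
    # Step 2: assign the new role.
    if $AZSPHERE role add --role "$new" --user "$user"; then
        return 0
    fi
    # The add failed after the delete succeeded: put the old role back.
    echo "add failed; restoring $old for $user" >&2
    if $AZSPHERE role add --role "$old" --user "$user"; then
        return 4
    fi
    echo "WARNING: $user has no role in this tenant" >&2
    return 5
}
```

Because a user needs a role to access the tenant, the user has no access between the delete and the add; the restore branch keeps a failed add from leaving them locked out.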

See also

Create a new tenant

Quickstart: Choose a tenant and claim your device

CLI reference: azsphere tenant