
Assign Azure roles using the Azure portal
- 3 minutes to read
- 4 contributors
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.
If you need to assign administrator roles in Azure Active Directory, see Assign Azure AD roles to users.
Prerequisites
To assign Azure roles, you must have:
- Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner
Step 1: Identify the needed scope
When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource. For more information, see Understand scope.

Sign in to the Azure portal.
In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.
Click the specific resource for that scope.
The following shows an example resource group.

Step 2: Open the Add role assignment page
Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.
Click Access control (IAM).
The following shows an example of the Access control (IAM) page for a resource group.

Click the Role assignments tab to view the role assignments at this scope.
Click Add > Add role assignment.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

The Add role assignment page opens.
Step 3: Select the appropriate role
On the Roles tab, select a role that you want to use.
You can search for a role by name or by description. You can also filter roles by type and category.

In the Details column, click View to get more details about a role.

Click Next.
Step 4: Select who needs access
On the Members tab, select User, group, or service principal to assign the selected role to one or more Azure AD users, groups, or service principals (applications).

Click Select members.
Find and select the users, groups, or service principals.
You can type in the Select box to search the directory for display name or email address.

Click Select to add the users, groups, or service principals to the Members list.
To assign the selected role to one or more managed identities, select Managed identity.
In the Select managed identities pane, select whether the type is user-assigned managed identity or system-assigned managed identity.
Find and select the managed identities.
For system-assigned managed identities, you can select managed identities by Azure service instance.

Click Select to add the managed identities to the Members list.
In the Description box enter an optional description for this role assignment.
Later you can show this description in the role assignments list.
Step 5: (Optional) Add condition (preview)
If you selected a role that supports conditions, a Conditions (optional) tab will appear and you have the option to add a condition to your role assignment. A condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.
Currently, conditions can be added to built-in or custom role assignments that have storage blob data actions. These include the following built-in roles:
- Storage Blob Data Contributor
- Storage Blob Data Owner
- Storage Blob Data Reader
- Storage Queue Data Contributor
- Storage Queue Data Message Processor
- Storage Queue Data Message Sender
- Storage Queue Data Reader
Click Add condition if you want to further refine the role assignments based on storage blob attributes. For more information, see Add or edit Azure role assignment conditions.

Step 6: Assign role
On the Review + assign tab, review the role assignment settings.

Click Review + assign to assign the role.
After a few moments, the security principal is assigned the role at the selected scope.

If you don't see the description for the role assignment, click Edit columns to add the Description column.
- Assign a user as an administrator of an Azure subscription
- Remove Azure role assignments
- Troubleshoot Azure RBAC
Not able to create AKS with role assignment write for subnet and ACR registry in Azure Cloud

My user ID does not have sufficient permissions to perform this action. Only with basic network settings and no ACR binding can I create an AKS cluster. Which role, at Active Directory (AD) level and at subscription level, should my user ID have to create this AKS service?
- azure-active-directory
- subscription

You don't need any permissions on the Azure AD level for this to work, but you need Microsoft.Authorization/roleAssignments/write permissions on the adequate scopes to be able to assign permissions. The built-in role of Owner grants that. Otherwise, create a custom role and assign that to your user.
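The article's prerequisite (Microsoft.Authorization/roleAssignments/write at the scope) and this answer both come down to the same evaluation: which role assignments, inherited down the scope hierarchy, grant an action at a given scope. The following Python is added here as an illustration and is not code from Microsoft or from the poster; it models that evaluation with an abridged subset of the built-in role definitions and constructed assignments (the subscription ID, principal names and subnet names are placeholders).

```python
import fnmatch
# Abridged built-in role definitions (assumption: a subset of the real
# Actions/NotActions lists, constructed for this example).
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    # Contributor manages resources, but NotActions removes role-assignment
    # writes, which is why a Contributor cannot grant access.
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"Actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "NotActions": []},
    "Network Contributor": {"Actions": [
        "Microsoft.Authorization/*/read", "Microsoft.Network/*", "Microsoft.Support/*"],
        "NotActions": []},
}

def action_allowed(role_name, action):
    """One role grants an action if it matches an Actions pattern and no NotActions
    pattern. NotActions only subtracts from this role's grant; it is not a deny."""
    role = ROLE_DEFINITIONS[role_name]
    def matches(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return matches(role["Actions"]) and not matches(role["NotActions"])

def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its scope and is inherited by every child scope.
    From the subscription down, resource IDs nest as path prefixes; management group
    inheritance is not visible in the ID string and is not modelled here."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def has_permission(assignments, principal, action, scope):
    """Return the assignments through which principal may perform action at scope."""
    return [x for x in assignments if x["principalName"] == principal
            and scope_covers(x["scope"], scope)
            and action_allowed(x["roleDefinitionName"], action)]

# Constructed sample data: placeholder subscription ID, an AKS subnet and a neighbour.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET = SUB + "/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub"
SNET_AKS, SNET_OTHER = VNET + "/subnets/snet-aks", VNET + "/subnets/snet-other"
ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUBNET_JOIN = "Microsoft.Network/virtualNetworks/subnets/join/action"
ASSIGNMENTS = [  # who holds which role, and at which scope
    {"principalName": "alice", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "bob", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "aks-identity", "roleDefinitionName": "Network Contributor", "scope": SNET_AKS},
]
```

has_permission(ASSIGNMENTS, "alice", ASSIGN_WRITE, SNET_AKS) returns an empty list, which is the situation behind a disabled Add role assignment button, while "bob" is matched through Owner inherited from the subscription and "aks-identity" can join only the one subnet it was assigned at.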


Azure custom permissions on subnet
We have a VNET that is coupled to an Express route, on which we will give our users access to specific subnets.
These subnets are created for each resource group, and the idea is to have these users only able to add machines in their subnet. To allow users to add machines to a subnet I gave them the following permissions:
- Read on Virtual Network
- Contributor on their subnet
However, this allowed the users to select all subnets on the virtual network. It simply throws an error when you try to deploy a machine on a subnet you lack Contributor on.
I tried creating custom roles, but if I am to create one that only disallows reading as such:
I get the error:
I assume this is because the actions value can not be empty. I'm not sure what I should/could safely add in the actions, and at this point it's starting to look like I'm putting together something complex for what should be quite simple.
So how should I set up/create roles to allow for a user to see and utilize only a single subnet within a larger VNET?
- permissions

- What is it you're trying to achieve here? It seems overly complicated. If you only want users to be able to create VMs in specific subnets, it sounds like you already achieved that. If you want users not to be able to see what machines are in other subnets, then I don't think this is the right method. Even if you do manage to prevent this in the portal, the machines on different subnets can still communicate, and users can still gather this data through network tools. If you want to completely separate your teams, then you need separate VNets. – Sam Cogan Oct 26, 2016 at 10:53
- @Sam I want people to be able to see only the subnets they are allowed to create machines in. We already have network security groups in place to prevent communication between subnets. The main problem is that users are presented with a large list of subnets, while they only have access to one. – Reaces Oct 26, 2016 at 11:00
- How many subnets are you talking about? If it's a small number, it would be easier to create them as separate VNets if you're not going to allow communication between them anyway. – Sam Cogan Oct 26, 2016 at 11:01
- @Sam Creating the subnets is scripted, and the idea is to allow different divisions to be in control of creating their own resource groups with subnet ranges defined by the scripting. Currently there are 30, and probably more incoming. – Reaces Oct 26, 2016 at 11:04
We cannot put restrictions on a specific subnet. I had the same issue.
Custom roles can only be applied on:
1) Resource groups
2) Resources (a VNet is a resource, but subnets are not; subnets are the outcome of a resource)
3) Subscription
As explained, subnets are not resources, and you will not be able to restrict which subnets can and cannot be used via the RBAC/custom roles feature.
You might have to look into Azure Blueprints or Azure policies for that.
roleAssignments on subnet for AKS network contributor #1972
dirien commented Mar 23, 2021
anthony-c-martin commented Mar 23, 2021
dirien commented Mar 25, 2021

To do tasks on subnets, your account must be assigned to the Network contributor role or to a Custom role that's assigned the appropriate actions in the following table: Next steps Create a virtual network and subnets using PowerShell or Azure CLI sample scripts, or using Azure Resource Manager templates
And the command just shows Could not create a role assignment for subnet. Are you an Owner on this subscription? instead of showing the root issue. I've made the subnet range bigger, then an AKS cluster creation succeeded, but still the message Could not create a role assignment for subnet.
roleAssignments on subnet for AKS network contributor #1972 (Closed). dirien opened this issue on Mar 22, 2021, with 2 comments. Steps from the issue body: create a virtual network with a subnet inside for the AKS agentpool subnet, then create an AKS cluster. msftbot added the Needs: Triage label on Mar 22, 2021.