az role assignment
Manage role assignments.
Commands
| az role assignment create |
Create a new role assignment for a user, group, or service principal. |
| az role assignment delete |
Delete role assignments. |
| az role assignment list |
List role assignments. |
| az role assignment list-changelogs |
List changelogs for role assignments. |
| az role assignment update |
Update an existing role assignment for a user, group, or service principal. |
az role assignment create
Create a new role assignment for a user, group, or service principal.
--scope argument will become required for creating a role assignment in the breaking change release of the fall of 2023. Please explicitly specify --scope.
az role assignment create --role
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {ForeignGroup, Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--name]
[--resource-group]
[--scope]Examples
Create role assignment to grant the specified assignee the Reader role on an Azure virtual machine.
az role assignment create --assignee sp_name --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVmCreate role assignment for an assignee with description and condition.
az role assignment create --role Owner --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount --assignee "John.Doe@Contoso.com" --description "Role assignment foo to check on bar" --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0"Create role assignment with your own assignment name.
az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup --name 00000000-0000-0000-0000-000000000000Required Parameters
Role name or id.
Optional Parameters
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.
Condition under which the user can be granted permission.
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.
Description of role assignment.
A GUID for the role assignment. It must be unique and different for each role assignment. If omitted, a new GUID is generetd.
Use it only if the role or assignment was added at the level of a resource group.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az role assignment delete
Delete role assignments.
az role assignment delete [--assignee]
[--ids]
[--include-inherited]
[--resource-group]
[--role]
[--scope]
[--yes]Examples
Delete role assignments. (autogenerated)
az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role"Optional Parameters
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
Space-separated role assignment ids.
Include assignments applied on parent scopes.
Use it only if the role or assignment was added at the level of a resource group.
Role name or id.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Continue to delete all assignments under the subscription.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az role assignment list
List role assignments.
By default, only assignments scoped to subscription will be displayed. To view assignments scoped by resource or group, use --all.
az role assignment list [--all]
[--assignee]
[--include-classic-administrators {false, true}]
[--include-groups]
[--include-inherited]
[--resource-group]
[--role]
[--scope]Optional Parameters
Show all assignments under the current subscription.
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
List default role assignments for subscription classic administrators, aka co-admins.
Include extra assignments to the groups of which the user is a member(transitively).
Include assignments applied on parent scopes.
Use it only if the role or assignment was added at the level of a resource group.
Role name or id.
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az role assignment list-changelogs
List changelogs for role assignments.
az role assignment list-changelogs [--end-time]
[--start-time]Optional Parameters
The end time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to the current time.
The start time of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to 1 Hour prior to the current time.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az role assignment update
Update an existing role assignment for a user, group, or service principal.
az role assignment update --role-assignmentExamples
Update a role assignment from a JSON file.
az role assignment update --role-assignment assignment.jsonUpdate a role assignment from a JSON string. (Bash)
az role assignment update --role-assignment '{
"canDelegate": null,
"condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals '"'"'foo'"'"'",
"conditionVersion": "2.0",
"description": "Role assignment foo to check on bar",
"id": "/subscriptions/00000001-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Authorization/roleAssignments/3eabdd43-375b-4dbd-8dc4-04acd15ce56b",
"name": "3eabdd43-375b-4dbd-8dc4-04acd15ce56b",
"principalId": "00000002-0000-0000-0000-000000000000",
"principalType": "User",
"resourceGroup": "rg1",
"roleDefinitionId": "/subscriptions/00000001-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"scope": "/subscriptions/00000001-0000-0000-0000-000000000000/resourceGroups/rg1",
"type": "Microsoft.Authorization/roleAssignments"
}'Required Parameters
Description of an existing role assignment as JSON, or a path to a file containing a JSON description.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Submit and view feedback for