Azure RBAC Roles

Azure RBAC Roles

Azure RBAC (Role-Based Access Control) roles allow you to make very detailed delegation of access to various Azure infrastructure components.

You can e.g. delegate the right to manage virtual networks in a particular resource group – or even a particular VPN.

For large organizations it makes very good sense to (only) delegate access to relevant parts of the infrastructure to specialized teams. Even smaller organizations can improve their security by limiting what accesses are given e.g. to trainees or external consultants.

This article will show you how to use PowerShell to

  • List what RBAC roles exist
  • List what permissions are included in a particular RBAC role
  • List all users that have a particular RBAC role assigned
  • List what RBAC roles a particular user is assigned
  • List all RBAC roles that are assigned to an identity

But let’s start by visualizing the RBAC roles inside the Azure Portal.

Managing RBAC Roles Using the Azure Portal

To see what RBAC roles exist, what identities that have the role assigned and what permissions are included in the role, go to the Azure Portal. Select your subscription, click on Access Control (IAM) and click Roles to see a full list of RBAC roles: 

RBAC Roles Azure Portal

If you click on any of the roles you’ll be able to see what identities currently have the role assigned:

RBAC Role member

Clicking Permissions will show you what resource providers includes permissions in this particular RBAC role:

And finally, clicking the individual resource providers will show you the details of the permissions available to identities assigned with this particular RBAC role:

RBAC Resource Permissions

As seen in the above screenshots the RBAC role model gives you very detailed control with delegation of rights to your Azure resources.

Managing RBAC Roles Using PowerShell

PowerShell is a nice way to automate repetitive tasks and ensure that things are done the same way every time. This will also benefit your RBAC role management so let’s dive in!

Connect to AzureRM Using PowerShell

To manage RBAC roles we’ll be using the Azure Resource Manager module for PowerShell. If this is first use, use the following script to install the module and connect to Azure Resource Manager:

# Install the Azure Resource Manager module if this is first use
Install-Module AzureRM
# Add the AzureRM module to the PowerShell session
Import-Module AzureRM
# Connect to Azure
Connect-AzureRmAccount

The following scripts will assume you already have established a connection with AzureRM.

List All RBAC Roles

To list all RBAC roles you can use the following command:

Get-AzureRmRoleDefinition | Sort-Object Name | ft Name,Id,Description

If we format the output in a table you have a nice overview of the standard RBAC roles, their ID and a description:

Azure RM Roles

NameIdDescription
AcrDeletec2f4ef07-c644-48eb-af81-4b1b4947fb11acr delete
AcrImageSigner6cef56e8-d556-48e5-a04f-b8e64114680facr image signer
AcrPull7f951dda-4ed3-4680-a7ca-43fe172d538dacr pull
AcrPush8311e382-0749-4cb8-b61a-304f252e45ecacr push
AcrQuarantineReadercdda3590-29a3-44f6-95f2-9f980659eb04acr quarantine data reader
AcrQuarantineWriterc8d4ff99-41c3-41a8-9f60-21dfdad59608acr quarantine data writer
API Management Service Contributor312a565d-c81f-4fd8-895a-4e21e48d571cCan manage service and the APIs
API Management Service Operator Rolee022efe7-f5ba-4159-bbe4-b44f577e9b61Can manage service but not the APIs
API Management Service Reader Role71522526-b88f-4d52-b57f-d31fc3546d0dRead-only access to service and APIs
App Configuration Data Owner5ae67dd6-50cb-40e7-96ff-dc2bfa4b606bAllows full access to App Configuration data.
App Configuration Data Reader516239f1-63e1-4d78-a4de-a74fb236a071Allows read access to App Configuration data.
Application Insights Component Contributorae349356-3a1b-4a5e-921d-050484c6347eCan manage Application Insights components
Application Insights Snapshot Debugger08954f03-6346-4c2e-81c0-ec3a5cfae23bGives user permission to use Application Insights Snapshot Debugger features
Attestation Contributorbbf86eb8-f7b4-4cce-96e4-18cddf81d86eCan read write or delete the attestation provider instance
Attestation Readerfd1bd22b-8476-40bc-a0bc-69b95687b9f3Can read the attestation provider properties
Automation Job Operator4fe576fe-1146-4730-92eb-48519fa6bf9fCreate and Manage Jobs using Automation Runbooks.
Automation Operatord3881f73-407a-4167-8283-e981cbba0404Automation Operators are able to start, stop, suspend, and resume jobs
Automation Runbook Operator5fb5aef8-1081-4b8e-bb16-9d5d0385bab5Read Runbook properties – to be able to create Jobs of the runbook.
Avere Contributor4f8fab4f-1852-4a58-a46a-8eaf358af14aCan create and manage an Avere vFXT cluster.
Avere Operatorc025889f-8102-4ebf-b32c-fc0c6f0c6bd9Used by the Avere vFXT cluster to manage the cluster
Azure Connected Machine Onboardingb64e21ea-ac4e-4cdf-9dc9-5b892992bee7Can onboard Azure Connected Machines.
Azure Connected Machine Resource Administratorcd570a14-e51a-42ad-bac8-bafd67325302Can read, write, delete and re-onboard Azure Connected Machines.
Azure Event Hubs Data Ownerf526a384-b230-433a-b45c-95f59c4a2decAllows for full access to Azure Event Hubs resources.
Azure Event Hubs Data Receivera638d3c7-ab3a-418d-83e6-5f17a39d4fdeAllows receive access to Azure Event Hubs resources.
Azure Event Hubs Data Sender2b629674-e913-4c01-ae53-ef4638d8f975Allows send access to Azure Event Hubs resources.
Azure Kubernetes Service Cluster Admin Role0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8List cluster admin credential action.
Azure Kubernetes Service Cluster User Role4abbcc35-e782-43d8-92c5-2d3f1bd2253fList cluster user credential action.
Azure Kubernetes Service Contributor Roleed7f3fbd-7b88-4dd4-9017-9adb7ce333f8Grants access to read and write Azure Kubernetes Service clusters
Azure Maps Data Reader (Preview)423170ca-a8f6-4b0f-8487-9e4eb8f49bfaGrants access to read map related data from an Azure maps account.
Azure Sentinel Contributorab8e14d6-4a74-4a29-9ba8-549422addadeAzure Sentinel Contributor
Azure Sentinel Reader8d289c81-5878-46d4-8554-54e1e3d8b5cbAzure Sentinel Reader
Azure Sentinel Responder3e150937-b8fe-4cfb-8069-0eaf05ecd056Azure Sentinel Responder
Azure Service Bus Data Owner090c5cfd-751d-490a-894a-3ce6f1109419Allows for full access to Azure Service Bus resources.
Azure Service Bus Data Receiver4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0Allows for receive access to Azure Service Bus resources.
Azure Service Bus Data Sender69a216fc-b8fb-44d8-bc22-1f3c2cd27a39Allows for send access to Azure Service Bus resources.
Azure Stack Registration Owner6f12a6df-dd06-4f3e-bcb1-ce8be600526aLets you manage Azure Stack registrations.
Backup Contributor5e467623-bb1f-42f4-a55d-6e525e11384bLets you manage backup service,but can’t create vaults and give access to others
Backup Operator00c29273-979b-4161-815c-10b084fb9324Lets you manage backup services, except removal of backup, vault creation and giving …
Backup Readera795c7a0-d4a2-40c1-ae25-d81f01202912Can view backup services, but can’t make changes
Billing Readerfa23ad8b-c56e-40d8-ac0c-ce449e1d2c64Allows read access to billing data
BizTalk Contributor5e3c6656-6cfa-4708-81fe-0de47ac73342Lets you manage BizTalk services, but not access to them.
Blockchain Member Node Access (Preview)31a002a1-acaf-453e-8a5b-297c9ca1ea24Allows for access to Blockchain Member nodes
Blueprint Contributor41077137-e803-4205-871c-5a86e6a753b4Can manage blueprint definitions, but not assign them.
Blueprint Operator437d2ced-4a38-4302-8479-ed2bcb43d090Can assign existing published blueprints, but cannot create new blueprints. NOTE: thi…
CDN Endpoint Contributor426e0c7f-0c7e-4658-b36f-ff54d6c29b45Can manage CDN endpoints, but can’t grant access to other users.
CDN Endpoint Reader871e35f6-b5c1-49cc-a043-bde969a0f2cdCan view CDN endpoints, but can’t make changes.
CDN Profile Contributorec156ff8-a8d1-4d15-830c-5b80698ca432Can manage CDN profiles and their endpoints, but can’t grant access to other users.
CDN Profile Reader8f96442b-4075-438f-813d-ad51ab4019afCan view CDN profiles and their endpoints, but can’t make changes.
Classic Network Contributorb34d265f-36f7-4a0d-a4d4-e158ca92e90fLets you manage classic networks, but not access to them.
Classic Storage Account Contributor86e8f5dc-a6e9-4c67-9d15-de283e8eac25Lets you manage classic storage accounts, but not access to them.
Classic Storage Account Key Operator Service Role985d6b00-f706-48f5-a6fe-d0ca12fb668dClassic Storage Account Key Operators are allowed to list and regenerate keys on Clas…
Classic Virtual Machine Contributord73bb868-a0df-4d4d-bd69-98a00b01fccbLets you manage classic virtual machines, but not access to them, and not the virtual…
ClearDB MySQL DB Contributor9106cda0-8a86-4e81-b686-29a22c54effeLets you manage ClearDB MySQL databases, but not access to them.
Cognitive Services Contributor25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68Lets you create, read, update, delete and manage keys of Cognitive Services.
Cognitive Services Data Reader (Preview)b59867f0-fa02-499b-be73-45a86b5b3e1cLets you read Cognitive Services data.
Cognitive Services Usera97b65f3-24c7-4388-baec-2e87135dc908Lets you read and list keys of Cognitive Services.
Contributorb24988ac-6180-42a0-ab88-20f7382dd24cLets you manage everything except access to resources.
Cosmos DB Account Reader Rolefbdf93bf-df7d-467e-a4d2-9458aa1360c8Can read Azure Cosmos DB Accounts data
Cosmos DB Operator230815da-be43-4aae-9cb4-875f7bd000aaLets you manage Azure Cosmos DB accounts, but not access data in them. Prevents acces…
CosmosBackupOperatordb7b14f2-5adf-42da-9f96-f2ee17bab5cbCan submit restore request for a Cosmos DB database or a container for an account
Cost Management Contributor434105ed-43f6-45c7-a02f-909b2ba83430Can view costs and manage cost configuration (e.g. budgets, exports)
Cost Management Reader72fafb9e-0641-4937-9268-a91bfd8191a3Can view cost data and configuration (e.g. budgets, exports)
Data Box Contributoradd466c9-e687-43fc-8d98-dfcf8d720be5Lets you manage everything under Data Box Service except giving access to others.
Data Box Reader028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027Lets you manage Data Box Service except creating order or editing order details and g…
Data Factory Contributor673868aa-7521-48a0-acc6-0f60742d39f5Create and manage data factories, as well as child resources within them.
Data Lake Analytics Developer47b7735b-770e-4598-a7da-8b91488b4c88Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake…
Data Purger150f5e0c-0603-4f03-8c7f-cf70034c4e90Can purge analytics data
Desktop Virtualization User1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63Allows user to use the applications in an application group.
DevTest Labs User76283e04-6283-4c54-8f91-bcf1374a3c64Lets you connect, start, restart, and shutdown your virtual machines in your Azure De…
DNS Zone Contributorbefefa01-2a29-4197-83a8-272ff33ce314Lets you manage DNS zones and record sets in Azure DNS, but does not let you control …
DocumentDB Account Contributor5bd9cd88-fe45-4216-938b-f97437e15450Lets you manage DocumentDB accounts, but not access to them.
EventGrid EventSubscription Contributor428e0ff0-5e57-4d9c-a221-2c70d0e0a443Lets you manage EventGrid event subscription operations.
EventGrid EventSubscription Reader2414bbcf-6497-4faf-8c65-045460748405Lets you read EventGrid event subscriptions.
Experimentation Administrator7f646f1b-fa08-80eb-a33b-edd6ce5c915cExperimentation Administrator
Experimentation Contributor7f646f1b-fa08-80eb-a22b-edd6ce5c915cExperimentation Contributor
Graph Ownerb60367af-1334-4454-b71e-769d9a4f83d9Create and manage all aspects of the Enterprise Graph – Ontology, Schema mapping, Con…
HDInsight Cluster Operator61ed4efc-fab3-44fd-b111-e24485cc132aLets you read and modify HDInsight cluster configurations.
HDInsight Domain Services Contributor8d8d5a11-05d3-4bda-a417-a08778121c7cCan Read, Create, Modify and Delete Domain Services related operations needed for HDI…
Hybrid Server Onboarding5d1e5ee4-7c68-4a71-ac8b-0739630a3dfbCan onboard new Hybrid servers to the Hybrid Resource Provider.
Hybrid Server Resource Administrator48b40c6e-82e0-4eb3-90d5-19e40f49b624Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider.
Integration Service Environment Contributora41e2c5b-bd99-4a07-88f4-9bf657a760b8Lets you manage integration service environments, but not access to them.
Integration Service Environment Developerc7aa55d3-1abb-444a-a5ca-5e51e485d6ecAllows developers to create and update workflows, integration accounts and API connec…
Intelligent Systems Account Contributor03a6d094-3444-4b3d-88af-7477090a9e5eLets you manage Intelligent Systems accounts, but not access to them.
Key Vault Contributorf25e0fa2-a7c8-4377-a976-54943a77a395Lets you manage key vaults, but not access to them.
Knowledge Consumeree361c5d-f7b5-4119-b4b6-892157c8f64cKnowledge Read permission to consume Enterprise Graph Knowledge using entity search a…
Kubernetes Cluster – Azure Arc Onboarding34e09817-6cbe-4d01-b1a2-e0eac5743d41Role definition to authorize any user/service to create connectedClusters resource
Lab Creatorb97fb8bc-a8b2-4522-a38b-dd33c7e65eadLets you create, manage, delete your managed labs under your Azure Lab Accounts.
Log Analytics Contributor92aaf0da-9dab-42b6-94a3-d43ce8d16293Log Analytics Contributor can read all monitoring data and edit monitoring settings. …
Log Analytics Reader73c42c96-874c-492b-b04d-ab87d138a893Log Analytics Reader can view and search all monitoring data as well as and view moni…
Logic App Contributor87a39d53-fc1b-424a-814c-f7e04687dc9eLets you manage logic app, but not access to them.
Logic App Operator515c2055-d9d4-4321-b1b9-bd0c9a0f79feLets you read, enable and disable logic app.
Managed Application Contributor Role641177b8-a67a-45b9-a033-47bc880bb21eAllows for creating managed application resources.
Managed Application Operator Rolec7393b34-138c-406f-901b-d8cf2b17e6aeLets you read and perform actions on Managed Application resources
Managed Applications Readerb9331d33-8a36-4f8c-b097-4f54124fdb44Lets you read resources in a managed app and request JIT access.
Managed Identity Contributore40ec5ca-96e0-45a2-b4ff-59039f2c2b59Create, Read, Update, and Delete User Assigned Identity
Managed Identity Operatorf1a07417-d97a-45cb-824c-7a7467783830Read and Assign User Assigned Identity
Managed Services Registration assignment Delete Role91c1777a-f3dc-4fae-b103-61d183457e46Managed Services Registration Assignment Delete Role allows the managing tenant users…
Management Group Contributor5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4cManagement Group Contributor Role
Management Group Readerac63b705-f282-497d-ac71-919bf39d939dManagement Group Reader Role
Marketplace Admindd920d6d-f481-47f1-b461-f338c46b2d9fAdministrator of marketplace resource provider
Monitoring Contributor749f88d5-cbae-40b8-bcfc-e573ddc772faCan read all monitoring data and update monitoring settings.
Monitoring Metrics Publisher3913510d-42f4-4e42-8a64-420c390055ebEnables publishing metrics against Azure resources
Monitoring Reader43d0d8ad-25c7-4714-9337-8ba259a9fe05Can read all monitoring data.
Network Contributor4d97b98b-1d4f-4787-a291-c67834d212e7Lets you manage networks, but not access to them.
New Relic APM Account Contributor5d28c62d-5b37-4476-8438-e587778df237Lets you manage New Relic Application Performance Management accounts and application…
Owner8e3af657-a8ff-443c-a75c-2fe8c4bcb635Lets you manage everything, including access to resources.
Policy Insights Data Writer (Preview)66bb4e9e-b016-4a94-8249-4c0511c2be84Allows read access to resource policies and write access to resource component policy…
Private DNS Zone Contributorb12aa53e-6015-4669-85d0-8515ebb3ae7fLets you manage private DNS zone resources, but not the virtual networks they are lin…
QnA Maker Editorf4cc2bf9-21be-47a1-bdf1-5c5804381025
QnA Maker Reader466ccd10-b268-4a11-b098-b4849f024126
Readeracdd72a7-3385-48ef-bd42-f606fba81ae7Lets you view everything, but not make any changes.
Reader and Data Accessc12c1c16-33a1-487b-954d-41c89c60f349Lets you view everything but will not let you delete or create a storage account or c…
Redis Cache Contributore0f68234-74aa-48ed-b826-c38b57376e17Lets you manage Redis caches, but not access to them.
Remote Rendering Administrator3df8b902-2a6f-47c7-8cc5-360e9b272a7eProvides user with conversion, manage session, rendering and diagnostics capabilities…
Remote Rendering Clientd39065c4-c120-43c9-ab0a-63eed9795f0aProvides user with manage session, rendering and diagnostics capabilities for Azure R…
Resource Policy Contributor36243c78-bf99-498c-9df9-86d9f8d28608Users with rights to create/modify resource policy, create support ticket and read re…
Scheduler Job Collections Contributor188a0f2f-5c9e-469b-ae67-2aa5ce574b94Lets you manage Scheduler job collections, but not access to them.
Search Service Contributor7ca78c08-252a-4471-8644-bb5ff32d4ba0Lets you manage Search services, but not access to them.
Security Adminfb1c8493-542b-48eb-b624-b4c8fea62acdSecurity Admin Role
Security Assessment Contributor612c2aa1-cb24-443b-ac28-3ab7272de6f5Lets you push assessments to Security Center
Security Manager (Legacy)e3d13bf0-dd5a-482e-ba6b-9b8433878d10This is a legacy role. Please use Security Administrator instead
Security Reader39bc4728-0917-49c7-9d2c-d95423bc2eb4Security Reader Role
SignalR AccessKey Reader04165923-9d83-45d5-8227-78b77b0a687eRead SignalR Service Access Keys
SignalR Contributor8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761Create, Read, Update, and Delete SignalR service resources
Site Recovery Contributor6670b86e-a3f7-4917-ac9b-5d6ab1be4567Lets you manage Site Recovery service except vault creation and role assignment
Site Recovery Operator494ae006-db33-4328-bf46-533a6560a3caLets you failover and failback but not perform other Site Recovery management operations
Site Recovery Readerdbaa88c4-0c30-4179-9fb3-46319faa6149Lets you view Site Recovery status but not perform other management operations
Spatial Anchors Account Contributor8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827Lets you manage spatial anchors in your account, but not delete them
Spatial Anchors Account Owner70bbe301-9835-447d-afdd-19eb3167307cLets you manage spatial anchors in your account, including deleting them
Spatial Anchors Account Reader5d51204f-eb77-4b1c-b86a-2ec626c49413Lets you locate and read properties of spatial anchors in your account
SQL DB Contributor9b7fa17d-e63e-47b0-bb0a-15c516ac86ecLets you manage SQL databases, but not access to them. Also, you can’t manage their s…
SQL Managed Instance Contributor4939a1f6-9ae0-4e48-a1e0-f2cbe897382dLets you manage SQL Managed Instances and required network configuration, but can’t g…
SQL Security Manager056cd41c-7e88-42e1-933e-88ba6a50c9c3Lets you manage the security-related policies of SQL servers and databases, but not a…
SQL Server Contributor6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437Lets you manage SQL servers and databases, but not access to them, and not their secu…
Storage Account Contributor17d1049b-9a84-46fb-8f53-869881c3d3abLets you manage storage accounts, including accessing storage account keys which prov…
Storage Account Key Operator Service Role81a9662b-bebf-436f-a333-f67b29880f12Storage Account Key Operators are allowed to list and regenerate keys on Storage Acco…
Storage Blob Data Contributorba92f5b4-2d11-453d-a403-e96b0029c9feAllows for read, write and delete access to Azure Storage blob containers and data
Storage Blob Data Ownerb7e6dc6d-f1e8-4753-8033-0f276bb0955bAllows for full access to Azure Storage blob containers and data, including assigning…
Storage Blob Data Reader2a2b9908-6ea1-4ae2-8e65-a410df84e7d1Allows for read access to Azure Storage blob containers and data
Storage Blob Delegatordb58b8e5-c6ad-4a2a-8342-4190687cbf4aAllows for generation of a user delegation key which can be used to sign SAS tokens
Storage File Data SMB Share Contributor0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bbAllows for read, write, and delete access in Azure Storage file shares over SMB
Storage File Data SMB Share Elevated Contributora7264617-510b-434b-a828-9731dc254ea7Allows for read, write, delete and modify NTFS permission access in Azure Storage fil…
Storage File Data SMB Share Readeraba4ae5f-2193-4029-9191-0cb91df5e314Allows for read access to Azure File Share over SMB
Storage Queue Data Contributor974c5e8b-45b9-4653-ba55-5f855dd0fb88Allows for read, write, and delete access to Azure Storage queues and queue messages
Storage Queue Data Message Processor8a0f0c08-91a1-4084-bc3d-661d67233fedAllows for peek, receive, and delete access to Azure Storage queue messages
Storage Queue Data Message Senderc6a89b2d-59bc-44d0-9896-0f6e12d7b80aAllows for sending of Azure Storage queue messages
Storage Queue Data Reader19e7f393-937e-4f77-808e-94535e297925Allows for read access to Azure Storage queues and queue messages
Support Request Contributorcfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24eLets you create and manage Support requests
Tag Contributor4a9ae827-6dc8-4573-8ac7-8239d42aa03fLets you manage tags on entities, without providing access to the entities themselves.
Traffic Manager Contributora4b10055-b0c7-44c2-b00f-c7b5b3550cf7Lets you manage Traffic Manager profiles, but does not let you control who has access…
User Access Administrator18d7d88d-d35e-4fb5-a5c3-7773c20a72d9Lets you manage user access to Azure resources.
Virtual Machine Administrator Login1c0163c0-47e6-4577-8991-ea5c82e286e4View Virtual Machines in the portal and login as administrator
Virtual Machine Contributor9980e02c-c2be-4d73-94e8-173b1dc7cf3cLets you manage virtual machines, but not access to them, and not the virtual network…
Virtual Machine User Loginfb879df8-f326-4884-b1cf-06f3ad86be52View Virtual Machines in the portal and login as a regular user.
Web Plan Contributor2cc479cb-7b4d-49a8-b449-8c00fd0f0a4bLets you manage the web plans for websites, but not access to them.
Website Contributorde139f84-1756-47ae-9be6-808fbbe84772Lets you manage websites (not web plans), but not access to them.
Workbook Contributore8ddcd69-c73f-4f9f-9844-4100522f16adCan save shared workbooks.
Workbook Readerb279062a-9be3-42a0-92ae-8b3cf002ec4dCan read workbooks.

As you see, there are quite a few roles available and as we saw earlier, peeking into the Azure Portal, each one of the roles potentially have an extensive list of permissions set against a number of resource providers.

List All Permissions for a Specific RBAC Role

We previously looked at the permissions of the “Virtual Machine Contributor” role in the Azure Portal. Let’s see what that looks like using PowerShell.

Use the following script to list the permissions included in the “Virtual Machine Contributor” role:

(Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions

The output is going to look something like this:

PS C:\> (Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions
Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
Microsoft.Compute/disks/delete
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/inboundNatPools/join/action
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Microsoft.Network/loadBalancers/probes/join/action
Microsoft.Network/loadBalancers/read
Microsoft.Network/locations/*
Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
Microsoft.RecoveryServices/Vaults/backupPolicies/read
Microsoft.RecoveryServices/Vaults/backupPolicies/write
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/write
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.SqlVirtualMachine/*
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Support/*

As you can see the permissions typically denote a resource name path (eg. “Microsoft.Network/virtualNetworks”) and a type of permission (e.g. “read”).

List All Users With a Specific RBAC Role

To list all users assigned with a specific RBAC role use the following PowerShell command:

Get-AzureRmRoleAssignment | ? {$_.RoleDefinitionName -eq 'Virtual Machine Contributor'} | ft RoleDefinitionName,DisplayName

This command will generate output similar to the following:

RoleDefinitionName          DisplayName
------------------          -----------
Virtual Machine Contributor Tycho Brahe
Virtual Machine Contributor Ole Roemer

List All RBAC Roles For a Specific User

To view all RBAC roles assigned to an individual user (or other identity type), use the following PowerShell command:

Get-AzureRmRoleAssignment | ? {$_.DisplayName -eq 'Tycho Brahe'} | ft RoleDefinitionName,DisplayName

This command will generate output similar to the following:

RoleDefinitionName          DisplayName
------------------          -----------
SQL Server Contributor      Tycho Brahe
Virtual Machine Contributor Tycho Brahe

List All Assigned RBAC Roles For All Identities

To list all assigned RBAC roles use something like the following PowerShell command:

Get-AzureRmRoleAssignment | ft RoleDefinitionName,DisplayName

The output from that command may look similar to the following:

RoleDefinitionName          DisplayName
------------------          -----------
Virtual Machine Contributor Tycho Brahe
Virtual Machine Contributor Ole Roemer
SQL Server Contributor      Tycho Brahe

Summary

Hopefully this article gave you a good starting point for PowerShell’ing your way through Azure RBAC Roles. Starting from these basic building blocks I’m sure you’ll soon be able to blow your colleagues away with some nice scripts! 😉