Azure RBAC (Role-Based Access Control) roles allow you to make very detailed delegation of access to various Azure infrastructure components.
You can e.g. delegate the right to manage virtual networks in a particular resource group – or even a particular VPN.
For large organizations it makes very good sense to (only) delegate access to relevant parts of the infrastructure to specialized teams. Even smaller organizations can improve their security by limiting what accesses are given e.g. to trainees or external consultants.
This article will show you how to use PowerShell to
- List what RBAC roles exist
- List what permissions are included in a particular RBAC role
- List all users that have a particular RBAC role assigned
- List what RBAC roles a particular user is assigned
- List all RBAC roles that are assigned to an identity
But let’s start by visualizing the RBAC roles inside the Azure Portal.
Managing RBAC Roles Using the Azure Portal
To see what RBAC roles exist, what identities that have the role assigned and what permissions are included in the role, go to the Azure Portal. Select your subscription, click on Access Control (IAM) and click Roles to see a full list of RBAC roles:
If you click on any of the roles you’ll be able to see what identities currently have the role assigned:
Clicking Permissions will show you what resource providers includes permissions in this particular RBAC role:
And finally, clicking the individual resource providers will show you the details of the permissions available to identities assigned with this particular RBAC role:
As seen in the above screenshots the RBAC role model gives you very detailed control with delegation of rights to your Azure resources.
Managing RBAC Roles Using PowerShell
PowerShell is a nice way to automate repetitive tasks and ensure that things are done the same way every time. This will also benefit your RBAC role management so let’s dive in!
Connect to AzureRM Using PowerShell
To manage RBAC roles we’ll be using the Azure Resource Manager module for PowerShell. If this is first use, use the following script to install the module and connect to Azure Resource Manager:
# Install the Azure Resource Manager module if this is first use
Install-Module AzureRM
# Add the AzureRM module to the PowerShell session
Import-Module AzureRM
# Connect to Azure
Connect-AzureRmAccountThe following scripts will assume you already have established a connection with AzureRM.
List All RBAC Roles
To list all RBAC roles you can use the following command:
Get-AzureRmRoleDefinition | Sort-Object Name | ft Name,Id,DescriptionIf we format the output in a table you have a nice overview of the standard RBAC roles, their ID and a description:
Azure RM Roles
| Name | Id | Description |
|---|---|---|
| AcrDelete | c2f4ef07-c644-48eb-af81-4b1b4947fb11 | acr delete |
| AcrImageSigner | 6cef56e8-d556-48e5-a04f-b8e64114680f | acr image signer |
| AcrPull | 7f951dda-4ed3-4680-a7ca-43fe172d538d | acr pull |
| AcrPush | 8311e382-0749-4cb8-b61a-304f252e45ec | acr push |
| AcrQuarantineReader | cdda3590-29a3-44f6-95f2-9f980659eb04 | acr quarantine data reader |
| AcrQuarantineWriter | c8d4ff99-41c3-41a8-9f60-21dfdad59608 | acr quarantine data writer |
| API Management Service Contributor | 312a565d-c81f-4fd8-895a-4e21e48d571c | Can manage service and the APIs |
| API Management Service Operator Role | e022efe7-f5ba-4159-bbe4-b44f577e9b61 | Can manage service but not the APIs |
| API Management Service Reader Role | 71522526-b88f-4d52-b57f-d31fc3546d0d | Read-only access to service and APIs |
| App Configuration Data Owner | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | Allows full access to App Configuration data. |
| App Configuration Data Reader | 516239f1-63e1-4d78-a4de-a74fb236a071 | Allows read access to App Configuration data. |
| Application Insights Component Contributor | ae349356-3a1b-4a5e-921d-050484c6347e | Can manage Application Insights components |
| Application Insights Snapshot Debugger | 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Gives user permission to use Application Insights Snapshot Debugger features |
| Attestation Contributor | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Can read write or delete the attestation provider instance |
| Attestation Reader | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Can read the attestation provider properties |
| Automation Job Operator | 4fe576fe-1146-4730-92eb-48519fa6bf9f | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | d3881f73-407a-4167-8283-e981cbba0404 | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Read Runbook properties – to be able to create Jobs of the runbook. |
| Avere Contributor | 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Can create and manage an Avere vFXT cluster. |
| Avere Operator | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Used by the Avere vFXT cluster to manage the cluster |
| Azure Connected Machine Onboarding | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Can onboard Azure Connected Machines. |
| Azure Connected Machine Resource Administrator | cd570a14-e51a-42ad-bac8-bafd67325302 | Can read, write, delete and re-onboard Azure Connected Machines. |
| Azure Event Hubs Data Owner | f526a384-b230-433a-b45c-95f59c4a2dec | Allows for full access to Azure Event Hubs resources. |
| Azure Event Hubs Data Receiver | a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Allows receive access to Azure Event Hubs resources. |
| Azure Event Hubs Data Sender | 2b629674-e913-4c01-ae53-ef4638d8f975 | Allows send access to Azure Event Hubs resources. |
| Azure Kubernetes Service Cluster Admin Role | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | List cluster admin credential action. |
| Azure Kubernetes Service Cluster User Role | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | List cluster user credential action. |
| Azure Kubernetes Service Contributor Role | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Grants access to read and write Azure Kubernetes Service clusters |
| Azure Maps Data Reader (Preview) | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Grants access to read map related data from an Azure maps account. |
| Azure Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade | Azure Sentinel Contributor |
| Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Azure Sentinel Reader |
| Azure Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Azure Sentinel Responder |
| Azure Service Bus Data Owner | 090c5cfd-751d-490a-894a-3ce6f1109419 | Allows for full access to Azure Service Bus resources. |
| Azure Service Bus Data Receiver | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Allows for receive access to Azure Service Bus resources. |
| Azure Service Bus Data Sender | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Allows for send access to Azure Service Bus resources. |
| Azure Stack Registration Owner | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Lets you manage Azure Stack registrations. |
| Backup Contributor | 5e467623-bb1f-42f4-a55d-6e525e11384b | Lets you manage backup service,but can’t create vaults and give access to others |
| Backup Operator | 00c29273-979b-4161-815c-10b084fb9324 | Lets you manage backup services, except removal of backup, vault creation and giving … |
| Backup Reader | a795c7a0-d4a2-40c1-ae25-d81f01202912 | Can view backup services, but can’t make changes |
| Billing Reader | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Allows read access to billing data |
| BizTalk Contributor | 5e3c6656-6cfa-4708-81fe-0de47ac73342 | Lets you manage BizTalk services, but not access to them. |
| Blockchain Member Node Access (Preview) | 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Allows for access to Blockchain Member nodes |
| Blueprint Contributor | 41077137-e803-4205-871c-5a86e6a753b4 | Can manage blueprint definitions, but not assign them. |
| Blueprint Operator | 437d2ced-4a38-4302-8479-ed2bcb43d090 | Can assign existing published blueprints, but cannot create new blueprints. NOTE: thi… |
| CDN Endpoint Contributor | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | Can manage CDN endpoints, but cant grant access to other users. |
| CDN Endpoint Reader | 871e35f6-b5c1-49cc-a043-bde969a0f2cd | Can view CDN endpoints, but cant make changes. |
| CDN Profile Contributor | ec156ff8-a8d1-4d15-830c-5b80698ca432 | Can manage CDN profiles and their endpoints, but cant grant access to other users. |
| CDN Profile Reader | 8f96442b-4075-438f-813d-ad51ab4019af | Can view CDN profiles and their endpoints, but cant make changes. |
| Classic Network Contributor | b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Lets you manage classic networks, but not access to them. |
| Classic Storage Account Contributor | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operators are allowed to list and regenerate keys on Clas… |
| Classic Virtual Machine Contributor | d73bb868-a0df-4d4d-bd69-98a00b01fccb | Lets you manage classic virtual machines, but not access to them, and not the virtual… |
| ClearDB MySQL DB Contributor | 9106cda0-8a86-4e81-b686-29a22c54effe | Lets you manage ClearDB MySQL databases, but not access to them. |
| Cognitive Services Contributor | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Lets you create, read, update, delete and manage keys of Cognitive Services. |
| Cognitive Services Data Reader (Preview) | b59867f0-fa02-499b-be73-45a86b5b3e1c | Lets you read Cognitive Services data. |
| Cognitive Services User | a97b65f3-24c7-4388-baec-2e87135dc908 | Lets you read and list keys of Cognitive Services. |
| Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c | Lets you manage everything except access to resources. |
| Cosmos DB Account Reader Role | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Can read Azure Cosmos DB Accounts data |
| Cosmos DB Operator | 230815da-be43-4aae-9cb4-875f7bd000aa | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents acces… |
| CosmosBackupOperator | db7b14f2-5adf-42da-9f96-f2ee17bab5cb | Can submit restore request for a Cosmos DB database or a container for an account |
| Cost Management Contributor | 434105ed-43f6-45c7-a02f-909b2ba83430 | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | 72fafb9e-0641-4937-9268-a91bfd8191a3 | Can view cost data and configuration (e.g. budgets, exports) |
| Data Box Contributor | add466c9-e687-43fc-8d98-dfcf8d720be5 | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Lets you manage Data Box Service except creating order or editing order details and g… |
| Data Factory Contributor | 673868aa-7521-48a0-acc6-0f60742d39f5 | Create and manage data factories, as well as child resources within them. |
| Data Lake Analytics Developer | 47b7735b-770e-4598-a7da-8b91488b4c88 | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake… |
| Data Purger | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Can purge analytics data |
| Desktop Virtualization User | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Allows user to use the applications in an application group. |
| DevTest Labs User | 76283e04-6283-4c54-8f91-bcf1374a3c64 | Lets you connect, start, restart, and shutdown your virtual machines in your Azure De… |
| DNS Zone Contributor | befefa01-2a29-4197-83a8-272ff33ce314 | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control … |
| DocumentDB Account Contributor | 5bd9cd88-fe45-4216-938b-f97437e15450 | Lets you manage DocumentDB accounts, but not access to them. |
| EventGrid EventSubscription Contributor | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | Lets you manage EventGrid event subscription operations. |
| EventGrid EventSubscription Reader | 2414bbcf-6497-4faf-8c65-045460748405 | Lets you read EventGrid event subscriptions. |
| Experimentation Administrator | 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator |
| Experimentation Contributor | 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor |
| Graph Owner | b60367af-1334-4454-b71e-769d9a4f83d9 | Create and manage all aspects of the Enterprise Graph – Ontology, Schema mapping, Con… |
| HDInsight Cluster Operator | 61ed4efc-fab3-44fd-b111-e24485cc132a | Lets you read and modify HDInsight cluster configurations. |
| HDInsight Domain Services Contributor | 8d8d5a11-05d3-4bda-a417-a08778121c7c | Can Read, Create, Modify and Delete Domain Services related operations needed for HDI… |
| Hybrid Server Onboarding | 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Can onboard new Hybrid servers to the Hybrid Resource Provider. |
| Hybrid Server Resource Administrator | 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. |
| Integration Service Environment Contributor | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Lets you manage integration service environments, but not access to them. |
| Integration Service Environment Developer | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Allows developers to create and update workflows, integration accounts and API connec… |
| Intelligent Systems Account Contributor | 03a6d094-3444-4b3d-88af-7477090a9e5e | Lets you manage Intelligent Systems accounts, but not access to them. |
| Key Vault Contributor | f25e0fa2-a7c8-4377-a976-54943a77a395 | Lets you manage key vaults, but not access to them. |
| Knowledge Consumer | ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search a… |
| Kubernetes Cluster – Azure Arc Onboarding | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Role definition to authorize any user/service to create connectedClusters resource |
| Lab Creator | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. |
| Log Analytics Contributor | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor can read all monitoring data and edit monitoring settings. … |
| Log Analytics Reader | 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader can view and search all monitoring data as well as and view moni… |
| Logic App Contributor | 87a39d53-fc1b-424a-814c-f7e04687dc9e | Lets you manage logic app, but not access to them. |
| Logic App Operator | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Lets you read, enable and disable logic app. |
| Managed Application Contributor Role | 641177b8-a67a-45b9-a033-47bc880bb21e | Allows for creating managed application resources. |
| Managed Application Operator Role | c7393b34-138c-406f-901b-d8cf2b17e6ae | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | b9331d33-8a36-4f8c-b097-4f54124fdb44 | Lets you read resources in a managed app and request JIT access. |
| Managed Identity Contributor | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Create, Read, Update, and Delete User Assigned Identity |
| Managed Identity Operator | f1a07417-d97a-45cb-824c-7a7467783830 | Read and Assign User Assigned Identity |
| Managed Services Registration assignment Delete Role | 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration Assignment Delete Role allows the managing tenant users… |
| Management Group Contributor | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor Role |
| Management Group Reader | ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader Role |
| Marketplace Admin | dd920d6d-f481-47f1-b461-f338c46b2d9f | Administrator of marketplace resource provider |
| Monitoring Contributor | 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Can read all monitoring data and update monitoring settings. |
| Monitoring Metrics Publisher | 3913510d-42f4-4e42-8a64-420c390055eb | Enables publishing metrics against Azure resources |
| Monitoring Reader | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Can read all monitoring data. |
| Network Contributor | 4d97b98b-1d4f-4787-a291-c67834d212e7 | Lets you manage networks, but not access to them. |
| New Relic APM Account Contributor | 5d28c62d-5b37-4476-8438-e587778df237 | Lets you manage New Relic Application Performance Management accounts and application… |
| Owner | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Lets you manage everything, including access to resources. |
| Policy Insights Data Writer (Preview) | 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Allows read access to resource policies and write access to resource component policy… |
| Private DNS Zone Contributor | b12aa53e-6015-4669-85d0-8515ebb3ae7f | Lets you manage private DNS zone resources, but not the virtual networks they are lin… |
| QnA Maker Editor | f4cc2bf9-21be-47a1-bdf1-5c5804381025 | |
| QnA Maker Reader | 466ccd10-b268-4a11-b098-b4849f024126 | |
| Reader | acdd72a7-3385-48ef-bd42-f606fba81ae7 | Lets you view everything, but not make any changes. |
| Reader and Data Access | c12c1c16-33a1-487b-954d-41c89c60f349 | Lets you view everything but will not let you delete or create a storage account or c… |
| Redis Cache Contributor | e0f68234-74aa-48ed-b826-c38b57376e17 | Lets you manage Redis caches, but not access to them. |
| Remote Rendering Administrator | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Provides user with conversion, manage session, rendering and diagnostics capabilities… |
| Remote Rendering Client | d39065c4-c120-43c9-ab0a-63eed9795f0a | Provides user with manage session, rendering and diagnostics capabilities for Azure R… |
| Resource Policy Contributor | 36243c78-bf99-498c-9df9-86d9f8d28608 | Users with rights to create/modify resource policy, create support ticket and read re… |
| Scheduler Job Collections Contributor | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Lets you manage Scheduler job collections, but not access to them. |
| Search Service Contributor | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Lets you manage Search services, but not access to them. |
| Security Admin | fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin Role |
| Security Assessment Contributor | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Lets you push assessments to Security Center |
| Security Manager (Legacy) | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | This is a legacy role. Please use Security Administrator instead |
| Security Reader | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader Role |
| SignalR AccessKey Reader | 04165923-9d83-45d5-8227-78b77b0a687e | Read SignalR Service Access Keys |
| SignalR Contributor | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | Create, Read, Update, and Delete SignalR service resources |
| Site Recovery Contributor | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | 494ae006-db33-4328-bf46-533a6560a3ca | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | dbaa88c4-0c30-4179-9fb3-46319faa6149 | Lets you view Site Recovery status but not perform other management operations |
| Spatial Anchors Account Contributor | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Lets you manage spatial anchors in your account, but not delete them |
| Spatial Anchors Account Owner | 70bbe301-9835-447d-afdd-19eb3167307c | Lets you manage spatial anchors in your account, including deleting them |
| Spatial Anchors Account Reader | 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Lets you locate and read properties of spatial anchors in your account |
| SQL DB Contributor | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | Lets you manage SQL databases, but not access to them. Also, you can’t manage their s… |
| SQL Managed Instance Contributor | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | Lets you manage SQL Managed Instances and required network configuration, but cant g… |
| SQL Security Manager | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | Lets you manage the security-related policies of SQL servers and databases, but not a… |
| SQL Server Contributor | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | Lets you manage SQL servers and databases, but not access to them, and not their secu… |
| Storage Account Contributor | 17d1049b-9a84-46fb-8f53-869881c3d3ab | Lets you manage storage accounts, including accessing storage account keys which prov… |
| Storage Account Key Operator Service Role | 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operators are allowed to list and regenerate keys on Storage Acco… |
| Storage Blob Data Contributor | ba92f5b4-2d11-453d-a403-e96b0029c9fe | Allows for read, write and delete access to Azure Storage blob containers and data |
| Storage Blob Data Owner | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Allows for full access to Azure Storage blob containers and data, including assigning… |
| Storage Blob Data Reader | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Allows for read access to Azure Storage blob containers and data |
| Storage Blob Delegator | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Allows for generation of a user delegation key which can be used to sign SAS tokens |
| Storage File Data SMB Share Contributor | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Allows for read, write, and delete access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Elevated Contributor | a7264617-510b-434b-a828-9731dc254ea7 | Allows for read, write, delete and modify NTFS permission access in Azure Storage fil… |
| Storage File Data SMB Share Reader | aba4ae5f-2193-4029-9191-0cb91df5e314 | Allows for read access to Azure File Share over SMB |
| Storage Queue Data Contributor | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Allows for read, write, and delete access to Azure Storage queues and queue messages |
| Storage Queue Data Message Processor | 8a0f0c08-91a1-4084-bc3d-661d67233fed | Allows for peek, receive, and delete access to Azure Storage queue messages |
| Storage Queue Data Message Sender | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Allows for sending of Azure Storage queue messages |
| Storage Queue Data Reader | 19e7f393-937e-4f77-808e-94535e297925 | Allows for read access to Azure Storage queues and queue messages |
| Support Request Contributor | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Lets you create and manage Support requests |
| Tag Contributor | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Lets you manage tags on entities, without providing access to the entities themselves. |
| Traffic Manager Contributor | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Lets you manage Traffic Manager profiles, but does not let you control who has access… |
| User Access Administrator | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | Lets you manage user access to Azure resources. |
| Virtual Machine Administrator Login | 1c0163c0-47e6-4577-8991-ea5c82e286e4 | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Lets you manage virtual machines, but not access to them, and not the virtual network… |
| Virtual Machine User Login | fb879df8-f326-4884-b1cf-06f3ad86be52 | View Virtual Machines in the portal and login as a regular user. |
| Web Plan Contributor | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Lets you manage the web plans for websites, but not access to them. |
| Website Contributor | de139f84-1756-47ae-9be6-808fbbe84772 | Lets you manage websites (not web plans), but not access to them. |
| Workbook Contributor | e8ddcd69-c73f-4f9f-9844-4100522f16ad | Can save shared workbooks. |
| Workbook Reader | b279062a-9be3-42a0-92ae-8b3cf002ec4d | Can read workbooks. |
As you see, there are quite a few roles available and as we saw earlier, peeking into the Azure Portal, each one of the roles potentially have an extensive list of permissions set against a number of resource providers.
List All Permissions for a Specific RBAC Role
We previously looked at the permissions of the “Virtual Machine Contributor” role in the Azure Portal. Let’s see what that looks like using PowerShell.
Use the following script to list the permissions included in the “Virtual Machine Contributor” role:
(Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").ActionsThe output is going to look something like this:
PS C:\> (Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor").Actions Microsoft.Authorization/*/read Microsoft.Compute/availabilitySets/* Microsoft.Compute/locations/* Microsoft.Compute/virtualMachines/* Microsoft.Compute/virtualMachineScaleSets/* Microsoft.Compute/disks/write Microsoft.Compute/disks/read Microsoft.Compute/disks/delete Microsoft.DevTestLab/schedules/* Microsoft.Insights/alertRules/* Microsoft.Network/applicationGateways/backendAddressPools/join/action Microsoft.Network/loadBalancers/backendAddressPools/join/action Microsoft.Network/loadBalancers/inboundNatPools/join/action Microsoft.Network/loadBalancers/inboundNatRules/join/action Microsoft.Network/loadBalancers/probes/join/action Microsoft.Network/loadBalancers/read Microsoft.Network/locations/* Microsoft.Network/networkInterfaces/* Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/networkSecurityGroups/read Microsoft.Network/publicIPAddresses/join/action Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupPolicies/write Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/write Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.SqlVirtualMachine/* Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/read Microsoft.Support/*
As you can see the permissions typically denote a resource name path (eg. “Microsoft.Network/virtualNetworks”) and a type of permission (e.g. “read”).
List All Users With a Specific RBAC Role
To list all users assigned with a specific RBAC role use the following PowerShell command:
Get-AzureRmRoleAssignment | ? {$_.RoleDefinitionName -eq 'Virtual Machine Contributor'} | ft RoleDefinitionName,DisplayNameThis command will generate output similar to the following:
RoleDefinitionName DisplayName ------------------ ----------- Virtual Machine Contributor Tycho Brahe Virtual Machine Contributor Ole Roemer
List All RBAC Roles For a Specific User
To view all RBAC roles assigned to an individual user (or other identity type), use the following PowerShell command:
Get-AzureRmRoleAssignment | ? {$_.DisplayName -eq 'Tycho Brahe'} | ft RoleDefinitionName,DisplayNameThis command will generate output similar to the following:
RoleDefinitionName DisplayName ------------------ ----------- SQL Server Contributor Tycho Brahe Virtual Machine Contributor Tycho Brahe
List All Assigned RBAC Roles For All Identities
To list all assigned RBAC roles use something like the following PowerShell command:
Get-AzureRmRoleAssignment | ft RoleDefinitionName,DisplayNameThe output from that command may look similar to the following:
RoleDefinitionName DisplayName ------------------ ----------- Virtual Machine Contributor Tycho Brahe Virtual Machine Contributor Ole Roemer SQL Server Contributor Tycho Brahe
Summary
Hopefully this article gave you a good starting point for PowerShell’ing your way through Azure RBAC Roles. Starting from these basic building blocks I’m sure you’ll soon be able to blow your colleagues away with some nice scripts! 😉