Add or remove a role assignment


This tutorial explains how to add or remove a role assignment. Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant permissions, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Add a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role.

  1. Visit the Azure portal, choose All services, and then select the scope that you want to grant access to. For example, you can choose Management groups, Subscriptions, Resource groups, or a resource.
  2. Choose the specific resource for that scope.
  3. Click Access control (IAM).
  4. Choose the Role assignments tab to view the role assignments at this scope.
  • Choose Add, then Add role assignment.
  • If you don’t have permissions to assign roles, the Add role assignment option will not be enabled.

The Add role assignment pane will open.

  • In the Role drop-down list, choose a role such as Virtual Machine Contributor.
  • In the Select list, choose a user, group, service principal, or managed identity. If the security principal does not appear in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.
  • Select Save to assign the role.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. The steps are the same as for any other role assignment.

  1. Visit the Azure portal, click All services, and then Subscriptions.
  2. Choose the subscription where you want to grant access.
  3. Choose Access control (IAM).
  4. Select the Role assignments tab to view the role assignments for this subscription.
  5. Choose Add > Add role assignment.
  6. If you don’t have permissions to assign roles, the Add role assignment option will not be enabled.
  7. In the Role drop-down list, choose the Owner role.
  8. In the Select list, choose a user. If the user option does not appear in the list, you can type in the Select box to search the directory for display names and email addresses.
  9. Select Save to assign the role. After some time, the user is assigned the Owner role at the subscription scope.
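
Because Owner at subscription scope includes the right to grant access to others, these assignments are worth reviewing regularly. The following is an added example, not part of the original tutorial: it classifies each assignment's scope into the four levels named above and lists Owner assignments at subscription or management group scope. It assumes records shaped like the JSON from `az role assignment list --all -o json` (fields `principalName`, `principalType`, `roleDefinitionName`, `scope`); the sample records, IDs and names are constructed.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID
MG = "/providers/Microsoft.Management/managementGroups/mg-example"  # constructed

# Constructed sample, shaped like `az role assignment list --all -o json` output.
SAMPLE = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": MG},
]

# Most specific pattern first; Azure resource IDs are case-insensitive.
_LEVELS = [
    ("resource", r"/subscriptions/[^/]+/(resourceGroups/[^/]+/)?providers/.+"),
    ("resource group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
    ("subscription", r"/subscriptions/[^/]+"),
    ("management group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
]

def scope_level(scope):
    """Map a role assignment scope string to one of the four scope levels."""
    for level, pattern in _LEVELS:
        if re.fullmatch(pattern, scope.rstrip("/"), re.IGNORECASE):
            return level
    return "unknown"  # e.g. root scope "/" or a malformed value

def broad_owner_assignments(assignments):
    """Return Owner assignments made at subscription or management group scope."""
    findings = []
    for a in assignments:
        level = scope_level(a.get("scope", ""))
        if a.get("roleDefinitionName") == "Owner" and level in ("subscription", "management group"):
            findings.append({"principal": a.get("principalName") or a.get("principalId", ""),
                             "type": a.get("principalType"), "level": level})
    return sorted(findings, key=lambda f: (f["level"], f["principal"]))

if __name__ == "__main__":
    for f in broad_owner_assignments(SAMPLE):
        print(f"{f['type']:<16} {f['principal']:<20} Owner at {f['level']} scope")
```
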

System-assigned managed identity

Follow these steps to assign a role to a system-assigned managed identity, starting with the managed identity.

  1. In the Azure portal, open a system-assigned managed identity.
  2. In the left menu, choose Identity.
  3. Under Permissions, choose Azure role assignments.
  4. If roles are already assigned to the selected system-assigned managed identity, you will see the list of role assignments. This list includes all role assignments you have permission to read.
  5. To change the subscription, choose the Subscription list.
  6. Choose Add role assignment (Preview).
  7. Use the drop-down lists to choose the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource. If you don’t have role assignment write permissions for the selected scope, an inline message will be displayed.
  8. In the Role drop-down list, choose a role such as Virtual Machine Contributor.
  9. Choose Save to assign the role.

After some time, the managed identity is assigned the role at the selected scope.

User-assigned managed identity

Follow these steps to assign a role to a user-assigned managed identity, starting with the managed identity.

  1. In the Azure portal, open a user-assigned managed identity.
  2. In the left menu, choose Azure role assignments. If roles are already assigned to the selected user-assigned managed identity, you will see the list of role assignments. This list includes all role assignments you have permission to read.
  3. To change the subscription, choose the Subscription list.
  4. Choose Add role assignment (Preview).
  5. Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource. If you don’t have role assignment write permissions for the selected scope, an inline message will be displayed.
  6. In the Role drop-down list, choose a role such as Virtual Machine Contributor.
  7. Choose Save to assign the role. After some time, the managed identity is assigned the role at the selected scope.

Remove a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
  2. Choose the Role assignments tab to view all the role assignments at this scope.
  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment that you want to remove.
  4. Choose Remove.
  5. In the remove role assignment message that appears, choose Yes.

Reference documentation – Add or remove Azure role assignments using the Azure portal
