Azure RBAC Role Finder
Search and browse Azure built-in RBAC roles by permission or resource type.
Prerequisites
Search Azure RBAC Roles
Matching Roles
31 roles found
Owner
Category: General
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Contributor
Category: General
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
ID: b24988ac-6180-42a0-ab88-20f7382dd24c
Reader
Category: General
View all resources, but does not allow you to make any changes.
ID: acdd72a7-3385-48ef-bd42-f606fba81ae7
User Access Administrator
Category: General
Lets you manage user access to Azure resources.
ID: 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
Virtual Machine Contributor
Category: Compute
Create and manage virtual machines, manage disks, install and run software, reset password of the root user using VM extensions, and manage local user accounts using VM extensions.
ID: 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
Virtual Machine Administrator Login
Category: Compute
View Virtual Machines in the portal and login as administrator.
ID: 9106cda0-8a86-4e81-b686-29a22c54effe
Storage Blob Data Owner
Category: Storage
Provides full access to Azure Storage blob containers and data, including assigning POSIX access control.
ID: b7e6dc6d-f1e8-4753-8033-0f276bb0955b
Storage Blob Data Contributor
Category: Storage
Read, write, and delete Azure Storage containers and blobs.
ID: ba92f5b4-2d11-453d-a403-e96b0029c9fe
Storage Blob Data Reader
Category: Storage
Read and list Azure Storage containers and blobs.
ID: 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
Storage Account Contributor
Category: Storage
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
ID: 17d1049b-9a84-46fb-8f53-869881c3d3ab
Key Vault Administrator
Category: Security
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets.
ID: 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault Secrets User
Category: Security
Read secret contents. Only works for key vaults that use the Azure role-based access control permission model.
ID: 4633458b-17de-408a-b874-0445c86b69e6
Key Vault Crypto User
Category: Security
Perform cryptographic operations using keys. Only works for key vaults that use the Azure role-based access control permission model.
ID: 12338af0-0e69-4776-bea7-57ae8d297424
Network Contributor
Category: Networking
Lets you manage networks, but not access to them.
ID: 4d97b98b-1d4f-4787-a291-c67834d212e7
DNS Zone Contributor
Category: Networking
Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.
ID: a4417e6f-fecd-4de8-b567-7b0420556985
SQL DB Contributor
Category: Databases
Lets you manage SQL databases, but not access to them. Also, you cannot manage their security-related policies or their parent SQL servers.
ID: 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec
SQL Server Contributor
Category: Databases
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.
ID: 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
Cosmos DB Account Reader Role
Category: Databases
Can read Azure Cosmos DB account data.
ID: 230815da-be43-4aae-9cb4-875f7bd000aa
Azure Kubernetes Service Cluster Admin Role
Category: Containers
List cluster admin credential action.
ID: 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service Cluster User Role
Category: Containers
List cluster user credential action.
ID: 4abbcc35-e782-43d8-92c5-2d3f1bd2253f
AcrPush
Category: Containers
Push artifacts to or pull artifacts from a container registry.
ID: 7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPull
Category: Containers
Pull artifacts from a container registry.
ID: 7f951dda-4ed3-4680-a7ca-43fe172d538e
Monitoring Reader
Category: Monitoring
Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor.
ID: 43d0d8ad-25c7-4714-9337-8ba259a9fe05
Monitoring Contributor
Category: Monitoring
Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor.
ID: 749f88d5-cbae-40b8-bcfc-e573ddc772fa
Log Analytics Contributor
Category: Monitoring
Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs.
ID: 3913510d-42f4-4e42-8a64-420c390055eb
Security Admin
Category: Security
Permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
ID: fb1c8493-542b-48eb-b624-b4c8fea62acd
Security Reader
Category: Security
Permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
ID: 39bc4728-0917-49c7-9d2c-d95423bc2eb4
Backup Operator
Category: Management
Lets you manage backup services, except removal of backup, vault creation and giving access to others.
ID: 00c29273-979b-4161-815c-10b084fb9324
Cost Management Reader
Category: Management
Can view cost data and configuration (e.g. budgets, exports).
ID: 72fafb9e-0641-4937-9268-a91bfd8191a3
Logic App Contributor
Category: Integration
Lets you manage logic apps, but not change access to them.
ID: 87a39d53-fc1b-424a-814c-f7e04687dc9e
API Management Service Contributor
Category: Integration
Can manage service and the APIs.
ID: a]e834ca-e8cb-4b7c-8c74-c015bca009ab
Raw JSON
[
{
"id": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"name": "Owner",
"description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
"category": "General",
"permissions": [
"*"
],
"notActions": [],
"scope": "/"
},
{
"id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "Contributor",
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"category": "General",
"permissions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action"
],
"scope": "/"
},
{
"id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"name": "Reader",
"description": "View all resources, but does not allow you to make any changes.",
"category": "General",
"permissions": [
"*/read"
],
"scope": "/"
},
{
"id": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"name": "User Access Administrator",
"description": "Lets you manage user access to Azure resources.",
"category": "General",
"permissions": [
"*/read",
"Microsoft.Authorization/*",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "Virtual Machine Contributor",
"description": "Create and manage virtual machines, manage disks, install and run software, reset password of the root user using VM extensions, and manage local user accounts using VM extensions.",
"category": "Compute",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read"
],
"scope": "/"
},
{
"id": "9106cda0-8a86-4e81-b686-29a22c54effe",
"name": "Virtual Machine Administrator Login",
"description": "View Virtual Machines in the portal and login as administrator.",
"category": "Compute",
"permissions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action"
],
"scope": "/"
},
{
"id": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "Storage Blob Data Owner",
"description": "Provides full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"category": "Storage",
"permissions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*"
],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"scope": "/"
},
{
"id": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "Storage Blob Data Contributor",
"description": "Read, write, and delete Azure Storage containers and blobs.",
"category": "Storage",
"permissions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"scope": "/"
},
{
"id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "Storage Blob Data Reader",
"description": "Read and list Azure Storage containers and blobs.",
"category": "Storage",
"permissions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"scope": "/"
},
{
"id": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "Storage Account Contributor",
"description": "Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.",
"category": "Storage",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "Key Vault Administrator",
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets.",
"category": "Security",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/secrets/*"
],
"scope": "/"
},
{
"id": "4633458b-17de-408a-b874-0445c86b69e6",
"name": "Key Vault Secrets User",
"description": "Read secret contents. Only works for key vaults that use the Azure role-based access control permission model.",
"category": "Security",
"permissions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"scope": "/"
},
{
"id": "12338af0-0e69-4776-bea7-57ae8d297424",
"name": "Key Vault Crypto User",
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the Azure role-based access control permission model.",
"category": "Security",
"permissions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"scope": "/"
},
{
"id": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"name": "Network Contributor",
"description": "Lets you manage networks, but not access to them.",
"category": "Networking",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "DNS Zone Contributor",
"description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
"category": "Networking",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/dnsZones/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "SQL DB Contributor",
"description": "Lets you manage SQL databases, but not access to them. Also, you cannot manage their security-related policies or their parent SQL servers.",
"category": "Databases",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*"
],
"scope": "/"
},
{
"id": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "SQL Server Contributor",
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.",
"category": "Databases",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"scope": "/"
},
{
"id": "230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "Cosmos DB Account Reader Role",
"description": "Can read Azure Cosmos DB account data.",
"category": "Databases",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "Azure Kubernetes Service Cluster Admin Role",
"description": "List cluster admin credential action.",
"category": "Containers",
"permissions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "Azure Kubernetes Service Cluster User Role",
"description": "List cluster user credential action.",
"category": "Containers",
"permissions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "AcrPush",
"description": "Push artifacts to or pull artifacts from a container registry.",
"category": "Containers",
"permissions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"scope": "/"
},
{
"id": "7f951dda-4ed3-4680-a7ca-43fe172d538e",
"name": "AcrPull",
"description": "Pull artifacts from a container registry.",
"category": "Containers",
"permissions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"scope": "/"
},
{
"id": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"name": "Monitoring Reader",
"description": "Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor.",
"category": "Monitoring",
"permissions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"name": "Monitoring Contributor",
"description": "Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor.",
"category": "Monitoring",
"permissions": [
"*/read",
"Microsoft.AlertsManagement/alerts/*",
"Microsoft.AlertsManagement/alertsSummary/*",
"Microsoft.Insights/actiongroups/*",
"Microsoft.Insights/activityLogAlerts/*",
"Microsoft.Insights/AlertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/eventtypes/*",
"Microsoft.Insights/LogDefinitions/*",
"Microsoft.Insights/metricalerts/*",
"Microsoft.Insights/MetricDefinitions/*",
"Microsoft.Insights/Metrics/*",
"Microsoft.Insights/Register/Action",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/webtests/*",
"Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "3913510d-42f4-4e42-8a64-420c390055eb",
"name": "Log Analytics Contributor",
"description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs.",
"category": "Monitoring",
"permissions": [
"*/read",
"Microsoft.Automation/automationAccounts/*",
"Microsoft.OperationalInsights/workspaces/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "Security Admin",
"description": "Permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.",
"category": "Security",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"name": "Security Reader",
"description": "Permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.",
"category": "Security",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Security/*/read",
"Microsoft.Support/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"scope": "/"
},
{
"id": "00c29273-979b-4161-815c-10b084fb9324",
"name": "Backup Operator",
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others.",
"category": "Management",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "72fafb9e-0641-4937-9268-a91bfd8191a3",
"name": "Cost Management Reader",
"description": "Can view cost data and configuration (e.g. budgets, exports).",
"category": "Management",
"permissions": [
"Microsoft.Consumption/*/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/billingPeriods/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
},
{
"id": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"name": "Logic App Contributor",
"description": "Lets you manage logic apps, but not change access to them.",
"category": "Integration",
"permissions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/serverFarms/read"
],
"scope": "/"
},
{
"id": "a]e834ca-e8cb-4b7c-8c74-c015bca009ab",
"name": "API Management Service Contributor",
"description": "Can manage service and the APIs.",
"category": "Integration",
"permissions": [
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"scope": "/"
}
]
Key Takeaways
1. Azure provides 120+ built-in RBAC roles across resource types.
2. The four fundamental roles are Owner, Contributor, Reader, and User Access Administrator.
3. Custom roles allow fine-grained control when built-in roles are too broad.
4. Role assignments combine a principal, role definition, and scope.
5. Always prefer the most specific built-in role before creating custom roles.
Frequently Asked Questions
What is the difference between Owner and Contributor in Azure?
How many custom RBAC roles can I create in Azure?
Can I assign roles at the resource level in Azure?
How do I find which role grants a specific permission?
What are DataActions in Azure RBAC?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.