---
title: "Quickstart: Assign an Azure role using Bicep - Azure RBAC"
description: Learn how to grant access to Azure resources for a user at resource group scope using Bicep and Azure role-based access control (Azure RBAC).
services: role-based-access-control,azure-resource-manager
author: rolyon
manager: amycolannino
ms.service: role-based-access-control
ms.topic: quickstart
ms.custom: subject-armqs, mode-arm, devx-track-bicep
ms.date: 12/01/2023
ms.author: rolyon
---
Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this quickstart, you create a resource group and grant a user access to create and manage virtual machines in the resource group. This quickstart uses Bicep to grant the access.
[!INCLUDE About Bicep]
To assign Azure roles and remove role assignments, you must have:

- If you don't have an Azure subscription, create a free account before you begin.
- `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as Role Based Access Control Administrator.
- To assign a role, you must specify three elements: security principal, role definition, and scope. For this quickstart, the security principal is you or another user in your directory, the role definition is Virtual Machine Contributor, and the scope is a resource group that you specify.
The Bicep file used in this quickstart is from Azure Quickstart Templates. The Bicep file has two parameters and a resources section. In the resources section, notice that it has the three elements of a role assignment: security principal, role definition, and scope.
:::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.authorization/rbac-builtinrole-resourcegroup/main.bicep":::
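An added example, written for this page and not a copy of the quickstart template, of a Bicep file that carries the same three elements. It uses the same parameter names the deployment commands in this quickstart pass (`roleDefinitionID`, `principalId`) and assumes the principal is a user; the role assignment name is derived with `guid()` so that redeploying the file is idempotent rather than creating a duplicate assignment.

```bicep
// Added example: a role assignment at resource group scope.
// Not the Azure Quickstart Templates file this quickstart deploys.

@description('Object ID of the user that receives the role (security principal).')
param principalId string

@description('Role definition ID; defaults to Virtual Machine Contributor (built-in role).')
param roleDefinitionID string = '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'

// Role assignment names must be GUIDs. Deriving the name from scope, principal
// and role makes the deployment repeatable: the same inputs always map to the
// same assignment instead of a new one on every deployment.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, roleDefinitionID)
  properties: {
    // Role definition: built-in roles live at subscription scope.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionID)
    // Security principal.
    principalId: principalId
    // Assumption: the principal is a user. Stating the type avoids replication
    // delay errors for newly created principals.
    principalType: 'User'
  }
  // Scope: no explicit scope in a resource group deployment means the target
  // resource group, which is the narrowest scope this quickstart grants.
}

@description('Resource ID of the created role assignment, useful for later review or removal.')
output roleAssignmentId string = roleAssignment.id
```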
The resource defined in the Bicep file is:

- Microsoft.Authorization/roleAssignments
1. Save the Bicep file as main.bicep to your local computer.
2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

   Azure CLI:

   ```azurecli
   az group create --name exampleRG --location eastus
   az deployment group create --resource-group exampleRG --template-file main.bicep --parameters roleDefinitionID=9980e02c-c2be-4d73-94e8-173b1dc7cf3c principalId=<principal-id>
   ```

   Azure PowerShell:

   ```azurepowershell
   New-AzResourceGroup -Name exampleRG -Location eastus
   New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -roleDefinitionID "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" -principalId "<principal-id>"
   ```
> [!NOTE]
> Replace `<principal-id>` with the principal ID assigned to the role.
When the deployment finishes, you should see a message indicating the deployment succeeded.
Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.
Azure CLI:

```azurecli
az role assignment list --resource-group exampleRG
```

Azure PowerShell:

```azurepowershell
Get-AzRoleAssignment -ResourceGroupName exampleRG
```
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to remove the role assignment. For more information, see Remove Azure role assignments.
Use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group.
Azure CLI:

```azurecli
az group delete --name exampleRG
```

Azure PowerShell:

```azurepowershell
Remove-AzResourceGroup -Name exampleRG
```
[!div class="nextstepaction"] Tutorial: Grant a user access to Azure resources using Azure PowerShell