Azure provides flexible role-based access control for Azure resources, through which you can efficiently manage users' access to Azure resources, set the level of permission, and identify their access to various resources. This access control is called Azure role-based access control, i.e., Azure RBAC.

For more details on the concept of Azure RBAC, you can check my previous article:

In this article, I will show how to manage role-based access control from the Azure portal. I will demonstrate Azure RBAC step by step with an Azure app service; however, the process is the same for any other resources, resource groups, and subscriptions.

The first step is to log in to the Azure portal. If you do not have any subscriptions, you can create a trial one.

After logging in to the Azure portal, we will see a screen like the one shown below, with our recent resources.

We can choose any resource on which we want to manage access/permissions. In my case, I am selecting one of my app services; however, the process is the same for every resource/service, resource group, or subscription.

After that, we will select Access Control as shown:

Let me explain some of the options on this page.

Add: Clicking this gives the option to add a role assignment or a co-administrator.

Download role assignments: We can download the existing role assignments as a CSV or JSON file.

Check access: We can check the access details of any user, group, or service principal. Additionally, we can view the current user's access.

Role Assignments: This option lists the users, groups, and service principals that have access to this app service, along with their roles and scopes.

I have highlighted the necessary areas in this role assignments list view. We can see all the users with their role and scope. Additionally, we can use filters of different types.

Roles and Roles (Preview): The Roles option lists all the available roles, both built-in and custom. Roles (Preview) lists the roles with descriptions. We can add custom roles and remove roles from this screen.

Deny Assignments: This option shows the list of deny assignments. Deny assignments block users from performing specific actions even if a role assignment grants them access. At this time, the only way you can add your own deny assignments is by using Azure Blueprints.

Classic Administrators: The list of administrators. We also have the option to remove an administrator, based on permissions.
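The following is an added example, not part of the original article: a small Python review of a role assignment list that works out which assignments actually reach one app service through scope inheritance and flags the ones worth a closer look. The key names follow the JSON printed by `az role assignment list`; the file downloaded from the portal may use different names (an assumption to adjust), and the subscription ID, resource names and principals are constructed sample data.

```python
import json

# Roles whose holders can grant access to others at their scope.
CAN_GRANT_ACCESS = {"Owner", "User Access Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
APP = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Web/sites/app-demo"

# Constructed sample, shaped like `az role assignment list` JSON output.
SAMPLE_EXPORT = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "web-admins", "principalType": "Group",
     "roleDefinitionName": "Website Contributor", "scope": APP},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-dem"},  # sibling group, not a parent
])


def applies_to(scope, resource_id):
    """True if scope is the resource itself or one of its parent scopes."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Match on whole path segments so "rg-dem" does not cover "rg-demo".
    return r == s or r.startswith(s + "/")


def effective_access(export_json, resource_id):
    """List assignments that reach resource_id, with review flags for each."""
    rows = []
    target = resource_id.rstrip("/").lower()
    for ra in json.loads(export_json):
        if not applies_to(ra["scope"], resource_id):
            continue
        flags = []
        if ra["roleDefinitionName"] in CAN_GRANT_ACCESS:
            flags.append("can grant access")
        if ra["scope"].rstrip("/").lower() != target:
            flags.append("inherited")
        if ra["principalType"] == "User":
            flags.append("direct user assignment")
        rows.append((ra["principalName"], ra["roleDefinitionName"], flags))
    return rows


if __name__ == "__main__":
    for name, role, flags in effective_access(SAMPLE_EXPORT, APP):
        print(f"{name:20} {role:22} {', '.join(flags) or 'no flags'}")
```
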

Grant Access or Add Role Assignments

In this section, I will show how to provide access to a resource by assigning a role to user(s) or group(s). We can do role assignments from the two options shown:

As highlighted in red in the above image, we can assign roles to users using two options.

First, click Add role assignment; we will then get the options depicted.

We will get three options to choose from: Role, Assign access to (type of users/security principal), and Select (users).

Role: We use this option to select the role we are going to assign. Here is the list of roles available for Azure App Service:

There are several roles available for this app service, such as Owner, Contributor, Reader, Log Analytics-related roles, managed application-related roles, monitoring-related roles, User Access Administrator, Website Contributor, etc.

Note: The role list can differ based on the resource; Azure App Service, Azure SQL, Azure VMs, resource groups, subscriptions, etc. will have different role types.

However, some roles, such as Owner, Contributor, and Reader, are common to every Azure resource.

Assign access to: This option selects whether access is assigned to a user, group, or security principal. Additionally, we can give access to a system-assigned managed identity, such as another app service, a container instance, or Azure resources like Data Factory, Function App, Logic App, SignalR Service, VMs, and so on.

We can also give access to system-assigned managed identities in other subscriptions, as shown:

After selecting a role and then assigning access to an Azure app or any other system-assigned managed identity, we get the option to select the subscription and a resource from that subscription, as portrayed:

Similarly, if we select user, group, or service principal, we get the option to select users or groups, as shown below:

Note: We can search for and add single or multiple users from our organization, or guest users.

Finally, we can grant access to users by selecting a role, the assign-access-to type, and the users, and then saving, as depicted.

This is how we can assign or grant access to Azure resources, which is called Azure role-based access control (Azure RBAC).


In this article, I have demonstrated in detail how to grant access to Azure resources, which is called Azure role-based access control (Azure RBAC). I have walked through it step by step using an Azure app service, covering Azure RBAC and the additional options available. However, the process is the same for other Azure resources, resource groups, and subscriptions. Then again, the role list/options might differ based on the type of resource.

By Rijwan Ansari
