Azure, Cloud Computing

3 Mins Read

Create and Assign Custom Roles to Users using Azure Role-Based Access Control


In this article, we will see how to create and assign custom roles to users and the importance of role-based access control in Azure. Also, we will get to know when to use RBAC and how to implement RBAC in any organization. We will use JSON files to create a custom role in Azure.

What is RBAC?

BAC stands for Role-Based access control. We can assign or provide exact roles and permission to any external user or employees using this. We can use the in-built Azure role to provide RBAC or create custom roles using JSON policies. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) help organizations to manage and assign roles and permission to the user. In a nutshell, RBAC is an authorization system on Azure that helps provide users with fine-grained access to complete their job.

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Why We Need RBAC?

The diagram shows how Azure AD admin and RBAC roles are highly related.


In any organization, we have many roles to complete any job, and to complete the job, employees need access and exact permissions. To provide exact permission to external users or employees within the organization, we need a strong authorization system to give the users fine-grained access.

Azure came with RBAC, which will help organizations to assign exact roles to users, groups, and applications at a certain scope. The scope can be a subscription, a resource group, or a single resource. Role assignment at the parent scope will be applied to the child scope within that parent scope.

How to use RBAC in any Organization?

Azure provides many in-built roles which can be used to assign exact roles required to complete any task. For instance, we can assign a Virtual machine contributor if anyone wants access to manage a virtual machine in the Azure portal. The same goes for other resources present in the Azure portal. Otherwise, we can create a custom role using JSON policy, or Azure create a custom role feature on the Azure portal.

We can assign roles to groups, users, and applications. If we want to provide the same access to multiple users, we can create a group of that users and assign the role to the group. Similarly, we can use a management group as a scope for multiple subscriptions and assign the role to the management group.

In-built roles in Azure

Azure provides many in-built roles which can be used to provide direct access to users without any difficulty in creating any roles.

Some of the popular roles in Azure are:

Owner: This role provides owner access to the user, and users have full access to manage resources and assign roles to users.

Contributor: This role will grant access to manage resources but not give permission to assign roles to users.

Reader: This role will give access to view all resources but cannot create or update resources.

User Access Administrator: This role will let you manage user access to Azure resources.

Assign roles through JSON

Azure provides a feature to create a custom role using json policy. Json policy contains many fields where we define Actions and DataActions.

Actions – NotActions = Effective management permissions

DataActions – NotDataActions = Effective data permissions

Assignable Scope – /Subscription/management Group/resource Group

Here this JSON policy has contributor access to the scope:


This article taught us about Azure RBAC and when to use RBAC. Role-Based Access Control (RBAC) allows us to assign the exact permission required to perform any certain task. Azure has many in-built roles which will give required access. If we want custom roles, Azure also allows us to create your role and assign it to desired users. RBAC provides roles for each resource so that no extra permission is granted to users who do not need it. We cannot assign roles to subscriptions; we can only give roles to users, groups, resource groups, and resources. Parents scope role will be inherited to the child’s scope also.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Azure RBAC and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.


1. Can we assign roles to a subscription?

ANS: – No, we can create a role in the subscription scope.

2. Can we add more than one role to a user?

ANS: – Yes, we can add multiple roles to users.

WRITTEN BY Kishan Singh

Kishan Singh works as Research Associate (Infra, Migration, and Security) at CloudThat. He is Azure Administrator and Azure Developer certified. He is highly organized and an excellent communicator with good experience in Cyber Security and Cloud technologies. He works with a positive attitude and has a good problem-solving approach.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!