SOLVED: Azure Global Admin Cannot Add Roles in Access Control (IAM) Storage / Shares
Published by Ian Matthews on January 19, 2024.
We’ve recently had a client who was quite confused about what rights Global Admin actually provides in their Azure account. They wanted a tech with Global Admin rights to add a ROLE ASSIGNMENT (i.e. grant permission to access) to an Azure File Share, but when they tried, they saw that ADD ROLE ASSIGNMENT (the link under ADD at the top of the page) was disabled and the ADD ROLE ASSIGNMENT button (at the bottom of the page) was grayed out.
Global Admin allows full user and VM control, as well as the ability to add yourself to other roles, but Global Admin does not immediately provide access to all Azure features. Fortunately, it is easy for Global Admins to expand their rights.
Access Control (IAM) activities in an Azure subscription require the Owner or User Access Administrator role in that subscription, so Azure Global Admins have two easy options:
- Ask someone who is the OWNER or USER ACCESS ADMINISTRATOR to add them
- Become an Azure Subscription Administrator
The first option is self-explanatory, so we will leave it; the second, making a Global Administrator an Azure Subscription Administrator, takes a few more steps.
How To Add an Azure Subscription Administrator
In our case, our client wanted their Global Administrator to be able to make permission changes to all of their Azure Storage accounts and all of their Azure File Shares. Here we show you how to elevate access to manage all Azure subscriptions and management groups.
- Sign into https://portal.azure.com
- Activate your Global Administrator via PIM
- Search for and click on MICROSOFT ENTRA ID (formerly Azure Active Directory)
- Click PROPERTIES, from the menu on the left
- Click the ACCESS MANAGEMENT FOR AZURE RESOURCES slider to YES
- Click the SAVE button (bottom of the page)
You have to wait about 2 minutes for this to fully take hold, but after that you can simply refresh the page and you should be able to access and modify Access Control (IAM) on Azure File Shares or elsewhere without problem.
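The same elevation can be scripted instead of using the portal toggle. The following Az PowerShell script is an added example, not part of the original post: it calls the elevateAccess REST operation (which is what the ACCESS MANAGEMENT FOR AZURE RESOURCES toggle does, granting the caller User Access Administrator at the root scope "/"), checks the result, grants the file-share role at the storage account only, and then removes the root-scope elevation again so it does not linger. It assumes the Az.Accounts and Az.Resources modules, a Global Administrator already activated through PIM, and placeholder subscription, resource and user values.

```powershell
# Added example (not from the original post). Assumes Az.Accounts + Az.Resources,
# a Global Administrator already activated through PIM, and placeholder values below.
$subscriptionId = "00000000-0000-0000-0000-000000000000"                         # placeholder
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/<rg>" +
                    "/providers/Microsoft.Storage/storageAccounts/<account>"       # placeholder
$techUpn = "tech@example.com"                                                     # placeholder

Connect-AzAccount | Out-Null
$me = (Get-AzContext).Account.Id

# 1. Elevate. This is the API behind the "Access management for Azure resources"
#    toggle: it assigns User Access Administrator at the root scope "/" to the caller.
$resp = Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
if ($resp.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 2. Confirm the root-scope assignment exists. As the post notes, allow a minute or
#    two for it to take hold; re-run this query (or Connect-AzAccount again) if empty.
$rootUaa = Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator" |
    Where-Object { $_.SignInName -eq $me }
if (-not $rootUaa) { Write-Warning "Root-scope assignment not visible yet; wait and retry step 2." }

# 3. Do the actual work at the narrowest scope that fits. Granting a data-plane role on
#    the storage account is enough for file-share access; Owner on the subscription is not.
New-AzRoleAssignment -SignInName $techUpn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $storageAccountId

# 4. Remove the elevation. Root-scope User Access Administrator should not remain
#    assigned once the task is done.
Remove-AzRoleAssignment -SignInName $me -RoleDefinitionName "User Access Administrator" -Scope "/"
```

Step 4 is the part people forget: the portal toggle, once set to YES, stays on until someone sets it back, whereas this script undoes it in the same session.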
Add role assignment option is disabled while trying to assign a role to a user using portal
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
To add or remove role assignments, you must have:
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
permissions, such as User Access Administrator or Owner.
Ensure you have these permissions.
Troubleshoot Azure RBAC
This article describes some common solutions for issues related to Azure role-based access control (Azure RBAC).
Azure role assignments
Symptom - Add role assignment option is disabled
You're unable to assign a role in the Azure portal on Access control (IAM) because the Add > Add role assignment option is disabled.
You're currently signed in with a user that doesn't have permission to assign roles at the selected scope.
Check that you're currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission such as Role Based Access Control Administrator at the scope you're trying to assign the role.
Symptom - Roles or principals are not listed
When you try to assign a role in the Azure portal, some roles or principals are not listed. For example, on the Role tab, you see a reduced set of roles.
Or, on the Select members pane, you see a reduced set of principals.
There are restrictions on the role assignments you can add. For example, you are constrained in the roles that you can assign or constrained in the principals you can assign roles to.
View the roles assigned to you. Check if there is a condition that constrains the role assignments you can add. For more information, see Delegate Azure access management to others.
Symptom - Unable to assign a role
You are unable to assign a role and you get an error similar to the following:
Failed to add {securityPrincipal} as {role} for {scope} : The client '{clientName}' with object id '{objectId}' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/{subscriptionId}/Microsoft.Authorization/roleAssignments/{roleAssignmentId}' or the scope is invalid. If access was recently granted, please refresh your credentials.
You are currently signed in with a user that does not have permission to assign roles at the selected scope.
Check that you are currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission such as Role Based Access Control Administrator at the scope you are trying to assign the role.
Symptom - Unable to assign a role using a service principal with Azure CLI
You're using a service principal to assign roles with Azure CLI and you get the following error:
Insufficient privileges to complete the operation
For example, let's say that you have a service principal that has been assigned the Owner role and you try to create the following role assignment as the service principal using Azure CLI:
It's likely Azure CLI is attempting to look up the assignee identity in Microsoft Entra ID and the service principal can't read Microsoft Entra ID by default.
There are two ways to potentially resolve this error. The first way is to assign the Directory Readers role to the service principal so that it can read data in the directory.
The second way to resolve this error is to create the role assignment by using the --assignee-object-id parameter instead of --assignee. By using --assignee-object-id, Azure CLI will skip the Microsoft Entra lookup. You'll need to get the object ID of the user, group, or application that you want to assign the role to. For more information, see Assign Azure roles using Azure CLI.
Symptom - Assigning a role to a new principal sometimes fails
You create a new user, group, or service principal and immediately try to assign a role to that principal and the role assignment sometimes fails. You get a message similar to following error:
The reason is likely a replication delay. The principal is created in one region; however, the role assignment might occur in a different region that hasn't replicated the principal yet.
If you're creating a new user or service principal using the REST API or ARM template, set the principalType property when creating the role assignment using the Role Assignments - Create API.
For more information, see Assign Azure roles to a new service principal using the REST API or Assign Azure roles to a new service principal using Azure Resource Manager templates.
If you're creating a new user or service principal using Azure PowerShell, set the ObjectType parameter to User or ServicePrincipal when creating the role assignment using New-AzRoleAssignment. The same underlying API version restrictions of Solution 1 still apply. For more information, see Assign Azure roles using Azure PowerShell.
If you're creating a new group, wait a few minutes before creating the role assignment.
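The two symptoms above (the service principal that cannot look up assignees in the directory, and the role assignment that fails because a freshly created principal has not replicated yet) have the same PowerShell shape: assign by object ID, tell Azure what kind of principal it is, and retry for a short while. The script below is an added example, not code from the Microsoft article; it assumes the Az.Resources module and a placeholder resource-group scope. The retry catches any failure of New-AzRoleAssignment, so a genuine permission error will also be retried until MaxAttempts is exhausted and then surfaced.

```powershell
# Added example (not from the Microsoft article). Assumes Az.Resources and a
# placeholder scope. New-AzADServicePrincipal creates the app registration and
# its service principal in one call.
$scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/<rg>"   # placeholder
$sp = New-AzADServicePrincipal -DisplayName "example-deploy-sp"

function New-RoleAssignmentWithRetry {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Scope,
        [ValidateSet("User", "Group", "ServicePrincipal")] [string] $PrincipalType = "ServicePrincipal",
        [int] $MaxAttempts = 6,
        [int] $DelaySeconds = 10
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # -ObjectId avoids the directory lookup by name that a service principal
            # without Directory Readers cannot perform; -ObjectType tells ARM what the
            # principal is so it does not have to resolve it before replication finishes.
            return New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $RoleName `
                -Scope $Scope -ObjectType $PrincipalType -ErrorAction Stop
        }
        catch {
            if ($attempt -eq $MaxAttempts) { throw }
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message). Retrying in $DelaySeconds s."
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Reader is used here deliberately: assign the least privilege the new principal needs.
$assignment = New-RoleAssignmentWithRetry -PrincipalId $sp.Id -RoleName "Reader" -Scope $scope
$assignment | Format-List RoleAssignmentId, RoleDefinitionName, Scope, ObjectType
```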
Symptom - ARM template role assignment returns BadRequest status
When you try to deploy a Bicep file or ARM template that assigns a role to a service principal you get the error:
Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (code: RoleAssignmentUpdateNotPermitted)
For example, if you create a role assignment for a managed identity, then you delete the managed identity and recreate it, the new managed identity has a different principal ID. If you try to deploy the role assignment again and use the same role assignment name, the deployment fails.
The role assignment name isn't unique, and it's viewed as an update.
Role assignments are uniquely identified by their name, which is a globally unique identifier (GUID). You can't create two role assignments with the same name, even in different Azure subscriptions. You also can't change the properties of an existing role assignment.
Provide an idempotent unique value for the role assignment name. It's a good practice to create a GUID that uses the scope, principal ID, and role ID together. It's a good idea to use the guid() function to help you to create a deterministic GUID for your role assignment names, like in this example:
For more information, see Create Azure RBAC resources by using Bicep.
Symptom - Role assignments with identity not found
In the list of role assignments for the Azure portal, you notice that the security principal (user, group, service principal, or managed identity) is listed as Identity not found with an Unknown type.
If you list this role assignment using Azure PowerShell, you might see an empty DisplayName and SignInName, or a value for ObjectType of Unknown. For example, Get-AzRoleAssignment returns a role assignment that is similar to the following output:
Similarly, if you list this role assignment using Azure CLI, you might see an empty principalName. For example, az role assignment list returns a role assignment that is similar to the following output:
You recently invited a user when creating a role assignment and this security principal is still in the replication process across regions.
Wait a few moments and refresh the role assignments list.
You deleted a security principal that had a role assignment. If you assign a role to a security principal and then you later delete that security principal without first removing the role assignment, the security principal will be listed as Identity not found and an Unknown type.
It isn't a problem to leave these role assignments where the security principal has been deleted. If you like, you can remove these role assignments using steps that are similar to other role assignments. For information about how to remove role assignments, see Remove Azure role assignments.
In PowerShell, if you try to remove the role assignments using the object ID and role definition name, and more than one role assignment matches your parameters, you'll get the error message: The provided information does not map to a role assignment. The following output shows an example of the error message:
If you get this error message, make sure you also specify the -Scope or -ResourceGroupName parameters.
Symptom - Cannot delete the last Owner role assignment
You attempt to remove the last Owner role assignment for a subscription and you see the following error:
Cannot delete the last RBAC admin assignment
Removing the last Owner role assignment for a subscription isn't supported to avoid orphaning the subscription.
If you want to cancel your subscription, see Cancel your Azure subscription.
You're allowed to remove the last Owner (or User Access Administrator) role assignment at subscription scope, if you're a Global Administrator for the tenant or a classic administrator (Service Administrator or Co-Administrator) for the subscription. In this case, there's no constraint for deletion. However, if the call comes from some other principal, then you won't be able to remove the last Owner role assignment at subscription scope.
Symptom - Role assignment isn't moved after moving a resource
If you move a resource that has an Azure role assigned directly to the resource (or a child resource), the role assignment isn't moved and becomes orphaned.
After you move a resource, you must re-create the role assignment. Eventually, the orphaned role assignment will be automatically removed, but it's a best practice to remove the role assignment before moving the resource. For information about how to move resources, see Move resources to a new resource group or subscription.
Symptom - Role assignment changes are not being detected
You recently added or updated a role assignment, but the changes aren't being detected. You might see the message Status: 401 (Unauthorized).
Azure Resource Manager sometimes caches configurations and data to improve performance.
When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect. If you're using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you're making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
You added managed identities to a group and assigned a role to that group. The back-end services for managed identities maintain a cache per resource URI for around 24 hours.
It can take several hours for changes to a managed identity's group or role membership to take effect. For more information, see Limitation of using managed identities for authorization.
Symptom - Role assignment changes at management group scope are not being detected
You recently added or updated a role assignment at management group scope, but the changes are not being detected.
When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect. If you add or remove a built-in role assignment at management group scope and the built-in role has DataActions, the access on the data plane might not be updated for several hours. This applies only to management group scope and the data plane. Custom roles with DataActions can't be assigned at the management group scope.
Symptom - Role assignments for management group changes are not being detected
You created a new child management group and the role assignment on the parent management group is not being detected for the child management group.
It can take up to 10 minutes for the role assignment for the child management group to take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you are making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.
Symptom - Removing role assignments using PowerShell takes several minutes
You use the Remove-AzRoleAssignment command to remove a role assignment. You then use the Get-AzRoleAssignment command to verify the role assignment was removed for a security principal. For example:
The Get-AzRoleAssignment command indicates that the role assignment wasn't removed. However, if you wait 5-10 minutes and run Get-AzRoleAssignment again, the output indicates the role assignment was removed.
The role assignment has been removed. However, to improve performance, PowerShell uses a cache when listing role assignments. There can be delay of around 10 minutes for the cache to be refreshed.
Instead of listing the role assignments for a security principal, list all the role assignments at the subscription scope and filter the output. For example, the following command:
Can be replaced with this command instead:
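The two PowerShell pitfalls above (removing an orphaned "Identity not found" assignment without -Scope, and checking the result through the cached per-principal query) are handled together in the following added example, which is not code from the Microsoft article. It lists at subscription scope, keeps only assignments of ObjectType Unknown that actually live inside that subscription, removes each one with its exact scope, and then confirms removal from a fresh subscription-scope listing filtered on the client. It assumes the Az.Resources module and a placeholder subscription ID. Because a principal that is still replicating (for example a just-invited user) also shows as Unknown for a short while, run the listing twice a few minutes apart before removing anything.

```powershell
# Added example (not from the Microsoft article). Assumes Az.Resources and a
# placeholder subscription ID.
function Get-OrphanedRoleAssignment {
    param([Parameter(Mandatory)] [string] $SubscriptionId)
    $subScope = "/subscriptions/$SubscriptionId"
    # A subscription-scope listing also returns assignments inherited from management
    # groups; keep only assignments that live at or below this subscription so the
    # removal below targets something we are allowed to delete here.
    Get-AzRoleAssignment -Scope $subScope |
        Where-Object { $_.ObjectType -eq "Unknown" -and $_.Scope -like "$subScope*" }
}

function Remove-OrphanedRoleAssignment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SubscriptionId)
    $removed = @()
    foreach ($ra in Get-OrphanedRoleAssignment -SubscriptionId $SubscriptionId) {
        $target = "$($ra.RoleDefinitionName) for $($ra.ObjectId) at $($ra.Scope)"
        if ($PSCmdlet.ShouldProcess($target, "Remove role assignment")) {
            # -Scope pins the call to exactly one assignment. Without it, a deleted
            # principal that held the same role at several scopes produces
            # "The provided information does not map to a role assignment".
            Remove-AzRoleAssignment -ObjectId $ra.ObjectId `
                -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
            $removed += $ra
        }
    }
    return $removed
}

function Confirm-RoleAssignmentRemoved {
    param([Parameter(Mandatory)] [string] $SubscriptionId,
          [Parameter(Mandatory)] $RoleAssignment)
    # Get-AzRoleAssignment -ObjectId <id> can be answered from a cache for ~10 minutes,
    # so list at subscription scope and filter locally on the assignment ID instead.
    $stillThere = Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
        Where-Object { $_.RoleAssignmentId -eq $RoleAssignment.RoleAssignmentId }
    return ($null -eq $stillThere)   # $true once the assignment is really gone
}

$sub = "00000000-0000-0000-0000-000000000000"   # placeholder
Remove-OrphanedRoleAssignment -SubscriptionId $sub -WhatIf   # dry run: prints what would go
foreach ($ra in Remove-OrphanedRoleAssignment -SubscriptionId $sub) {
    "{0}: removed={1}" -f $ra.RoleAssignmentId, (Confirm-RoleAssignmentRemoved -SubscriptionId $sub -RoleAssignment $ra)
}
```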
Custom roles
Symptom - Unable to update or delete a custom role
You're unable to update or delete an existing custom role.
You're currently signed in with a user that doesn't have permission to update or delete custom roles.
Check that you're currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/write permission such as User Access Administrator.
The custom role includes a subscription in assignable scopes and that subscription is in a disabled state.
Reactivate the disabled subscription and update the custom role as needed. For more information, see Reactivate a disabled Azure subscription.
Symptom - Unable to create or update a custom role
When you try to create or update a custom role, you get an error similar to following:
The client '<clientName>' with object id '<objectId>' has permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on scope '/subscriptions/<subscriptionId>'; however, it does not have permission to perform action 'Microsoft.Authorization/roleDefinitions/write' on the linked scope(s)'/subscriptions/<subscriptionId1>,/subscriptions/<subscriptionId2>,/subscriptions/<subscriptionId3>' or the linked scope(s)are invalid
This error usually indicates that you don't have permissions to one or more of the assignable scopes in the custom role.
Try the following:
- Review Who can create, delete, update, or view a custom role and check that you have permissions to create or update the custom role for all assignable scopes.
- If you don't have permissions, ask your administrator to assign you a role that has the Microsoft.Authorization/roleDefinitions/write action, such as User Access Administrator, at the scope of the assignable scope.
- Check that all the assignable scopes in the custom role are valid. If not, remove any invalid assignable scopes.
For more information, see the custom role tutorials using the Azure portal, Azure PowerShell, or Azure CLI.
Symptom - Unable to delete a custom role
You're unable to delete a custom role and get the following error message:
There are existing role assignments referencing role (code: RoleDefinitionHasAssignments)
There are role assignments still using the custom role.
Remove the role assignments that use the custom role and try to delete the custom role again. For more information, see Find role assignments to delete a custom role.
Symptom - Unable to add more than one management group as assignable scope
When you try to create or update a custom role, you can't add more than one management group as assignable scope.
You can define only one management group in AssignableScopes of a custom role.
Define one management group in AssignableScopes of your custom role. For more information about custom roles and management groups, see Organize your resources with Azure management groups.
Symptom - Unable to add data actions to custom role
When you try to create or update a custom role, you can't add data actions or you see the following message:
You cannot add data action permissions when you have a management group as an assignable scope
You're trying to create a custom role with data actions and a management group as assignable scope. Custom roles with DataActions can't be assigned at the management group scope.
Create the custom role with one or more subscriptions as the assignable scope. For more information about custom roles and management groups, see Organize your resources with Azure management groups.
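The custom-role symptoms in this section (a disabled or inaccessible subscription in AssignableScopes, more than one management group, and DataActions combined with a management group scope) can all be checked before calling Set-AzRoleDefinition. The function below is an added example, not code from the Microsoft article; it assumes the Az.Resources module and a placeholder role name, and it only knows about subscriptions visible to the signed-in account in the current tenant, so a scope it cannot see is reported rather than silently accepted.

```powershell
# Added example (not from the Microsoft article). Assumes Az.Resources and a
# placeholder custom role name. Returns a list of problems; empty means the role
# passes these checks.
function Test-CustomRoleDefinition {
    param([Parameter(Mandatory)] [string] $RoleName)
    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Custom role '$RoleName' was not found" }

    $problems = [System.Collections.Generic.List[string]]::new()

    # Subscriptions the signed-in account can see, keyed by lower-case ID, with state.
    $subscriptions = @{}
    foreach ($s in Get-AzSubscription) { $subscriptions[$s.Id.ToLower()] = $s.State }

    $mgPrefix = "/providers/Microsoft.Management/managementGroups/"
    $mgScopes = @($role.AssignableScopes | Where-Object { $_ -like "$mgPrefix*" })
    if ($mgScopes.Count -gt 1) {
        $problems.Add("Only one management group may appear in AssignableScopes; found $($mgScopes.Count).")
    }
    if ($mgScopes.Count -gt 0 -and @($role.DataActions).Count -gt 0) {
        $problems.Add("DataActions cannot be combined with a management group assignable scope.")
    }

    foreach ($scope in $role.AssignableScopes) {
        if ($scope -like "$mgPrefix*") { continue }
        # Subscription and resource-group scopes both start with /subscriptions/<guid>.
        if ($scope -match '^/subscriptions/([0-9a-f-]{36})') {
            $id = $Matches[1].ToLower()
            if (-not $subscriptions.ContainsKey($id)) {
                $problems.Add("Scope '$scope' refers to a subscription this account cannot see; check permissions or remove the scope.")
            }
            elseif ($subscriptions[$id] -ne "Enabled") {
                $problems.Add("Subscription $id is in state '$($subscriptions[$id])'; reactivate it before updating the role.")
            }
        }
        else {
            $problems.Add("Unrecognised assignable scope '$scope'.")
        }
    }
    return $problems
}

$issues = Test-CustomRoleDefinition -RoleName "<custom role name>"   # placeholder
if ($issues.Count -eq 0) { "No problems found" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```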
Access denied or permission errors
Symptom - Authorization failed
When you try to create a resource, you get the following error message:
The client with object id does not have authorization to perform action over scope (code: AuthorizationFailed)
You're currently signed in with a user that doesn't have write permission to the resource at the selected scope.
Check that you're currently signed in with a user that is assigned a role that has write permission to the resource at the selected scope. For example, to manage virtual machines in a resource group, you should have the Virtual Machine Contributor role on the resource group (or parent scope). For a list of the permissions for each built-in role, see Azure built-in roles.
The currently signed in user has a role assignment with the following criteria:
- Role includes a Microsoft.Storage data action
- Role assignment includes an ABAC condition that uses a GUID comparison operator
At this time, you can't have a role assignment with a Microsoft.Storage data action and an ABAC condition that uses a GUID comparison operator. Here are a couple of options to resolve this error:
- If the role is a custom role, remove any Microsoft.Storage data actions
- Modify the role assignment condition so that it does not use GUID comparison operators
Symptom - Guest user gets authorization failed
When a guest user tries to access a resource, they get an error message similar to the following:
The client '<client>' with object id '<objectId>' does not have authorization to perform action '<action>' over scope '<scope>' or the scope is invalid.
The guest user doesn't have permissions to the resource at the selected scope.
Check that the guest user is assigned a role with least privileged permissions to the resource at the selected scope. For more information, see Assign Azure roles to external users using the Azure portal.
Symptom - Unable to create a support request
When you try to create or update a support ticket, you get the following error message:
You don't have permission to create a support request
You're currently signed in with a user that doesn't have permission to create support requests.
Check that you're currently signed in with a user that is assigned a role that has the Microsoft.Support/supportTickets/write permission, such as Support Request Contributor.
Azure features are disabled
Symptom - Some web app features are disabled
A user has read access to a web app and some features are disabled.
If you grant a user read access to a web app, some features are disabled that you might not expect. The following management capabilities require write access to a web app and aren't available in any read-only scenario.
- Commands (like start, stop, etc.)
- Changing settings like general configuration, scale settings, backup settings, and monitoring settings
- Accessing publishing credentials and other secrets like app settings and connection strings
- Streaming logs
- Resource logs configuration
- Console (command prompt)
- Active and recent deployments (for local git continuous deployment)
- Estimated spend
- Virtual network (only visible to a reader if a virtual network has previously been configured by a user with write access).
Assign the Contributor or another Azure built-in role with write permissions for the web app.
Symptom - Some web app resources are disabled
A user has write access to a web app and some features are disabled.
Web apps are complicated by the presence of a few different resources that interplay. Here's a typical resource group with a couple of websites:
As a result, if you grant someone access to just the web app, much of the functionality on the website blade in the Azure portal is disabled.
These items require write access to the App Service plan that corresponds to your website:
- Viewing the web app's pricing tier (Free or Standard)
- Scale configuration (number of instances, virtual machine size, autoscale settings)
- Quotas (storage, bandwidth, CPU)
These items require write access to the whole Resource group that contains your website:
- TLS/SSL Certificates and bindings (TLS/SSL certificates can be shared between sites in the same resource group and geo-location)
- Alert rules
- Autoscale settings
- Application insights components
Assign an Azure built-in role with write permissions for the app service plan or resource group.
Symptom - Some virtual machine features are disabled
A user has access to a virtual machine and some features are disabled.
Similar to web apps, some features on the virtual machine blade require write access to the virtual machine, or to other resources in the resource group.
Virtual machines are related to Domain names, virtual networks, storage accounts, and alert rules.
These items require write access to the virtual machine:
- IP addresses
These require write access to both the virtual machine, and the resource group (along with the Domain name) that it is in:
- Availability set
- Load balanced set
If you can't access any of these tiles, ask your administrator for Contributor access to the Resource group.
Assign an Azure built-in role with write permissions for the virtual machine or resource group.
Symptom - Some function app features are disabled
A user has access to a function app and some features are disabled. For example, they can click the Platform features tab and then click All settings to view some settings related to a function app (similar to a web app), but they can't modify any of these settings.
Some features of Azure Functions require write access. For example, if a user is assigned the Reader role, they won't be able to view the functions within a function app. The portal displays (No access).
Assign an Azure built-in role with write permissions for the function app or resource group.
Transferring a subscription to a different directory
Symptom - All role assignments are deleted after transferring a subscription
When you transfer an Azure subscription to a different Microsoft Entra directory, all role assignments are permanently deleted from the source Microsoft Entra directory and aren't migrated to the target Microsoft Entra directory.
You must re-create your role assignments in the target directory. You also have to manually recreate managed identities for Azure resources. For more information, see Transfer an Azure subscription to a different Microsoft Entra directory and FAQs and known issues with managed identities.
Symptom - Unable to access subscription after transferring a subscription
If you're a Microsoft Entra Global Administrator and you don't have access to a subscription after it was transferred between directories, use the Access management for Azure resources toggle to temporarily elevate your access to get access to the subscription.
Classic subscription administrators
As of August 31, 2024, Azure classic administrator roles (along with Azure classic resources and Azure Service Manager) are retired and no longer supported. If you still have active Co-Administrator or Service Administrator role assignments, convert these role assignments to Azure RBAC immediately.
For more information, see Azure classic subscription administrators .
Configuring Subscription and Resource Permissions
In this tutorial, we will understand configuring subscription and resource permissions including adding or removing Azure role assignments using the Azure portal.
Configuring subscription and resource permissions is an important aspect of managing resources in Microsoft Azure. Permissions allow users and services to perform actions on resources within a subscription, and are necessary to control access and limit privileges. Here’s a brief overview of how to configure subscription and resource permissions in Azure:
- Understanding the Role-Based Access Control (RBAC) Model: Azure uses the RBAC model to manage access to resources. In this model, users and services are assigned roles, which determine the actions they can perform on resources. There are three types of roles in Azure: Owner, Contributor, and Reader. Owners have full control over resources, Contributors can create and manage resources, and Readers can only view resources.
- Assigning Permissions to Users and Services: To assign permissions to users and services, you need to create a role assignment. This involves selecting a role and specifying a user or service principal to assign it to. Service principals are identities used by Azure services to authenticate with other Azure services.
- Configuring Permissions for Resources: Permissions can also be configured for individual resources within a subscription. To do this, you can create a custom role that specifies the actions that can be performed on the resource, and then assign that role to a user or service principal.
- Managing Permissions: Once permissions have been assigned, you can manage them using the Azure portal, PowerShell, or the Azure CLI. This involves reviewing and modifying existing role assignments, creating new role assignments, and deleting role assignments that are no longer needed.
Adding a role assignment
In Azure RBAC, to grant access to an Azure resource, you add a role assignment. To assign a role, follow these steps:
- Firstly, in the Azure portal, click All services and then select the scope that you want to grant access to.
- Secondly, click the specific resource for that scope.
- Thirdly, click Access control (IAM).
- Then, click the Role assignments tab to view the role assignments at this scope.
- Fifthly, click Add > Add role assignment; the Add role assignment pane opens. If you don’t have permission to assign roles, the Add role assignment option will be disabled.
- After that, in the Role drop-down list, select a role such as Virtual Machine Contributor.
- Then, in the Select list, select a user, group, service principal, or managed identity. However, if you don’t see the security principal in the list, then you can type in the Select box for searching the directory for display names, email addresses, and object identifiers.
- Lastly, click Save to assign the role. And after a few moments, the security principal is assigned the role at the selected scope.
Assigning a user as an administrator of a subscription
To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others.
- In the Azure portal, click All services and then Subscriptions.
- Click the subscription where you want to grant access.
- Click the Role assignments tab to view the role assignments for this subscription.
- Click Add > Add role assignment. If you don't have permission to assign roles, the Add role assignment option will be disabled.
- In the Role drop-down list, select the Owner role.
- In the Select list, select a user. If you don't see the user in the list, type in the Select box to search the directory for display names and email addresses.
- Click Save to assign the role.
System-assigned managed identity
Follow the steps below to assign a role to a system-assigned managed identity, starting from the managed identity itself.
- In the Azure portal, open a system-assigned managed identity.
- In the left menu, click Identity.
- Under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments.
- To change the subscription, click the Subscription list.
- Click Add role assignment (Preview).
- Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource. If you don't have role assignment write permissions for the selected scope, an inline message is displayed.
- In the Role drop-down list, select a role such as Virtual Machine Contributor.
Removing a role assignment
In Azure RBAC, you remove access from an Azure resource by removing a role assignment. Follow these steps to remove a role assignment.
- Open Access control (IAM) at the scope where you want to remove access, such as a management group, subscription, resource group, or resource.
- Click the Role assignments tab to view all the role assignments for this subscription.
- In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
- Click Remove.
- In the remove role assignment message that appears, click Yes.
If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. Open Access control (IAM) at the scope where the role was assigned and try again. A simpler way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).
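The four procedures above all turn on two rules: a role assignment grants the role's Actions minus its NotActions, and an assignment made at a scope is inherited by every child scope. The following Python model is added here as an illustration; it is not code from the original article or from any Azure SDK. It uses constructed, abbreviated role definitions (not the real built-in roles; the "VM and NSG Operator" custom role, the principals, the subscription id and the scopes are all made up) to show why Add > Add role assignment is disabled for a principal holding only Contributor, where an inherited assignment has to be removed, and how wildcard Actions match.

```python
import fnmatch
from collections import namedtuple

# Constructed, abbreviated role definitions as (Actions, NotActions), in the shape of Azure built-in
# roles but not the real ones; "VM and NSG Operator" is the custom role from the practice question.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
    "VM and NSG Operator": (["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkSecurityGroups/*"], []),
}
ASSIGN_ACTION = "Microsoft.Authorization/roleAssignments/write"  # what Add > Add role assignment requires
Assignment = namedtuple("Assignment", "principal role scope")  # scope: ARM resource id assigned at

def role_allows(role, action):
    # Action strings are case-insensitive and '*' spans '/' segments; allowed = Actions minus NotActions
    actions, not_actions = ROLES[role]
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(actions) and not hit(not_actions)
def scope_chain(scope):
    """The scope and its ancestors, most specific first: resource, resource group, subscription, root."""
    chain, low = [scope], scope.lower()
    for marker in ("/providers/", "/resourcegroups/", "/subscriptions/"):
        if marker in low:
            chain.append(scope[:low.index(marker)] or "/")
    return chain
def allowed(assignments, principal, action, scope):
    """Effective permission: an assignment at this scope or any ancestor grants the action (inheritance)."""
    ancestors = {s.lower() for s in scope_chain(scope)}
    return any(a.principal == principal and a.scope.lower() in ancestors and role_allows(a.role, action)
               for a in assignments)
def can_add_role_assignment(assignments, principal, scope):
    """False is exactly the case in which the portal greys out Add > Add role assignment at this scope."""
    return allowed(assignments, principal, ASSIGN_ACTION, scope)
def removal_scope(assignments, principal, role, scope):
    """Where an '(Inherited)' assignment has to be removed: the scope it was created at, or None."""
    for s in scope_chain(scope):
        for a in assignments:
            if (a.principal, a.role, a.scope.lower()) == (principal, role, s.lower()):
                return a.scope
    return None

# Constructed tenant: a Global Admin holding only Contributor on the subscription, a tech owning one RG.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RG = SUB + "/resourceGroups/rg-fileshares"
SHARE = RG + "/providers/Microsoft.Storage/storageAccounts/stfiles01"
ASSIGNMENTS = [Assignment("ga@example.com", "Contributor", SUB), Assignment("tech@example.com", "Owner", RG),
               Assignment("report-sp", "Reader", SUB)]
```

Management groups are left out of the scope chain for brevity; the root scope "/" stands in for anything above the subscription.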
AZ-500 Exam Practice Questions
Question: You need to grant a user the ability to create and manage virtual machines in a specific resource group. Which role should you assign to the user?
B. Contributor
D. Virtual Machine Contributor
Answer: B (Contributor)
Explanation: The Contributor role allows a user to create and manage all resources in a resource group, including virtual machines. The Owner role gives the user full control over the entire subscription, which is typically not necessary for most users. The Reader role only allows the user to view resources, while the Virtual Machine Contributor role only allows the user to manage virtual machines, but not other resources.
Question: You need to give a service principal permission to read data in a storage account. Which role should you assign to the service principal?
A. Storage Account Contributor
B. Storage Account Reader
C. Storage Account Owner
D. Storage Account Data Access
Answer: B (Storage Account Reader)
Explanation: The Storage Account Reader role allows a user or service principal to view data in a storage account, but not modify it. The Storage Account Contributor role would allow the service principal to make changes to the storage account, which is not necessary if the goal is only to read data. The Storage Account Owner role gives full control over the storage account, which is also not necessary for this scenario. The Storage Account Data Access role does not exist.
Question: You want to create a custom role that allows a user to create virtual machines and manage network resources, but not modify other resources. Which permissions should you include in the custom role?
A. Microsoft.Compute/virtualMachines/*
B. Microsoft.Network/networkSecurityGroups/*
C. Microsoft.Resources/subscriptions/read
D. Microsoft.Storage/storageAccounts/*
Answer: A and B (Microsoft.Compute/virtualMachines/* and Microsoft.Network/networkSecurityGroups/*)
Explanation: To create a custom role that allows a user to create virtual machines and manage network resources, but not modify other resources, you should include the appropriate permissions for those resources. The Microsoft.Compute/virtualMachines/* permission allows the user to create and manage virtual machines, while the Microsoft.Network/networkSecurityGroups/* permission allows the user to manage network security groups. The Microsoft.Resources/subscriptions/read permission only allows the user to view the subscription, while the Microsoft.Storage/storageAccounts/* permission would allow the user to manage storage accounts, which is not necessary for this scenario.
Question: You need to revoke a user’s access to a specific resource group. Which action should you take?
A. Remove the user from the subscription.
B. Remove the user from the Contributor role in the subscription.
C. Remove the user from the Contributor role in the resource group.
D. Remove the user from the Owner role in the subscription.
Answer: C (Remove the user from the Contributor role in the resource group)
Explanation: To revoke a user’s access to a specific resource group, you should remove the user from the Contributor role in that resource group. Removing the user from the subscription or from the Contributor role in the subscription would revoke their access to all resources in the subscription, which is not necessary in this scenario. Removing the user from the Owner role in the subscription would also revoke their access to all resources in the subscription, and is typically not necessary for most users.
Reference: Microsoft Documentation