add role assignment is disabled

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...

SOLVED: Azure Global Admin Cannot Add Roles in Access Control (IAM) Storage / Shares

Published by ian matthews on january 19, 2024 january 19, 2024.

We’ve recently had a client who was quite confused about what Global Admin rights actually provided for rights to their Azure account. They wanted a tech with Global Admin rights to add a ROLE ASSIGNMENT (i.e. give permission to access) an Azure File Share, but when they tried, they saw ADD ROLE ASSIGNMENT (link under ADD at the top of the page) was disabled and the ADD ROLE ASSIGNMENT button (at the bottom of the page) was grayed out.

Global Admin allows for full user and VM control, as well as the ability to add yourself to other roles… but Global Admin does not immediately provide access to all Azure Features. Fortunately, it is easy for Global Admin’s to expand their rights.

Access Control (IAM) activities in an Azure Subscription require you to be an Owner or User Access Administrator role in that Azure subscription. So Azure Global Admin’s have two easy options:

• Ask someone who is the OWNER or USER ACCESS ADMINISTRATOR to add them
• Become an Azure Subscription Administrator

The first option is pretty obvious so we will leave that one, but how to become a full Global Administrator is slightly more difficult.

How To Add an Azure Subscription Administrator

In our case, our client wanted their Global Administrator to be able to make permission changes to all of their Azure Storage accounts and all of their Azure File Shares. Here we show you how to elevate access to manage all Azure subscriptions and management groups.

• Sign into https://portal.azure.com
• Activate your Global Administrator via PIM
• Search for and click on MICROSOFT ENTRA ID (formerly Azure AD Active Directory)
• Click PROPERTIES, from the menu on the left
• Click the ACCESS MANAGEMENT FOR AZURE RESOURCES slider to YES
• Click SAVE button (bottom of the page

You have to wait about 2 minutes for this to fully take hold but after that you can simply refresh the page and you should then be able to access your and modify Access Management AIM in Azure File Shares or elsewhere, without problem.

SOLVED: How To Activate Global Administrator via Azure Privileged Identity Management (PIM) – Up & Running Technologies, Tech How To's · January 19, 2024 at 2:40 pm

[…] GLOBAL ADMINISTRATOR (or any other role you want), and click the ACTIVATE link in the ACTION […]

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related Posts

SOLVED: What To Do About Azure Multi-Factor Authentication Server Being Depreciated Sept 30 2024

Many companies have been notified that the Azure Multifactor authentication server is being retired and for the vast majority of those companies there is absolutely nothing they should do, because they are not using it. Read more…

SOLVED: PowerShell MFA Popup ‘We can’t sign you in. Javascript is required to sign in’

If you are seeing this message when working on a PowerShell script that is trying to connect to a Microsoft service requiring MFA (multi factor authentication), you may notice that the window is actually Internet Read more…

SOLVED: PowerShell Script To Create VM Snapshots From ALL Azure Subscriptions and Resource Groups

We have a very popular article titled “SOLVED: PowerShell Script To Create VM Snapshots In Azure“. However, it doesn’t address larger clients who have multiple subscriptions. This article will give you script you need to Read more…

• Role Assignment using Azure Portal

Return to AZ-104 Tutorial

Before you learn to add or remove Azure role assignments using the Azure portal, it is very important to understand Azure Role-Based Access Control (RBAC). We may define Azure role-based access control (RBAC) is an authorization system that can be used to manage access to Azure resources. Now in order to grant access, you are required to assign roles to users, groups, service principals, or managed identities at a particular scope.

Prerequisites of Assigning Roles :

In order to add or remove role assignments, we are required are –

• Microsoft.Authorization/roleAssignments/write
• Microsoft.Authorization/roleAssignments/delete permissions (From User Access Administrator or Owner)

Access control (IAM)

IAM (Identity and Access Management) is a specified page for assigning roles and granting access to Azure resources. In the Azure portal, Access Control is also known as identity and access management.

Steps to Add a Role Assignment

In Azure role-based access control (RBAC), in order to grant access to an Azure resource, you must add a role assignment. We shall now discuss the steps to add a role assignment.

• First Step – In the Azure portal, we will click on All services and then select the scope that we want to grant access to namely, Management groups, Subscriptions, Resource groups, or a resource.
• Second Step – We should then Click the specific resource for that scope.
• Third Step – Now Click Access control (IAM).
• Fourth Step – In this step we will click the Role assignments tab to view the role assignments at this scope.
• Fifth Step – Now Click Add > Add role assignment. But in case you do not have permissions to assign roles, the Add role assignment option will be disabled.
• Sixth Step – In the Role drop-down list, select a role such as Virtual Machine Contributor.
• Seventh Step – In this step we will select a user, group, service principal, or managed identity. Then in the Select list, in case, we do not find the security principal in the list, next we can type in the Select box to search the directory for display names, email addresses, and object identifiers.
• Eighth Step – Click Save to assign the role. After a few moments, the security principal is assigned the role at the selected scope.

Steps to Add a role assignment for a managed identity

In this topic, we will describe an alternate way to add role assignments for a managed identity. Thereby, using these steps, you start with the managed identity and then select the scope and role.

• Firstly, in the Azure portal, open a system-assigned managed identity.
• Then, in the left menu, click Identity.
• Next, under Permissions, click Azure role assignments. If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.
• Now, to change the subscription, click the Subscription list.
• Then click Add role assignment (Preview).
• In this step, use the drop-down lists to select the set of resources that the role assignment applies to such as Subscription, Resource Group, or resource. But in case you do not have role assignment write permissions for the selected scope, then an inline message will be displayed.
• Select a role such as Virtual Machine Contributor, in the Role drop-down list.
• Lastly, Click Save to assign the role.

Steps to Remove a Role Assignment

In order to remove access from an Azure resource, in Azure RBAC we must remove a role assignment.

• The first step we will first Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
• In the second step, click the Role assignments tab to view all the role assignments for this subscription.
• Next in the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.
• Now Click Remove.
• Lastly, in the remove role assignment message that appears, click Yes.

Note – Any message displaying that inherited role assignments cannot be removed, indicates that you are trying to remove a role assignment at a child scope. In this case, you must open Access control (IAM) at the scope where the role was assigned and then try again.

Reference:  Microsoft Documentation

Prepare for Assured Success

• TECHNOLOGIES
• An Interview Question

Manage Azure Subscription Owners: Add and Remove User Access

• Abdul Basith
• Dec 26, 2023
• Other Artcile

Giving and taking away elevated privileges inside the Azure environment is what it means to designate and remove a user as an Owner of an Azure subscription. An owner has complete control over the subscription, including the ability to regulate resources, configurations, and user access.

Risks/Customer Impact

• Unauthorized Access: Granting unnecessary permissions may lead to unauthorized access and potential security breaches.
• Role Misconfiguration: Incorrectly configuring roles can expose sensitive resources or data.
• Incorrectly removing roles can result in restricted access, affecting operations.

Assign a user as an Owner of an Azure subscription

Step 1. open the subscription.

• Sign in to the Azure portal.
• In the Search box at the top, search for subscriptions.
• Click the subscription you want to use.

The following shows an example subscription.

Step 2. Open the Add role assignment page

The page that you usually use to assign roles in order to provide access to Azure resources is called Access Control (IAM). Click Access Control (IAM).

The following shows an example of the Access control (IAM) page for a subscription.

Click the Role Assignments tab to view the role assignments at this scope.

Click Add > Add role assignment.

If you don't have permission to assign roles, the Add role assignment option will be disabled.

The Add Role assignment page opens.

Step 3. Select the Owner role

The Owner role grants full access to manage all resources, including the ability to assign roles in Azure RBAC

On the Role tab, select the Privileged administrator roles tab.

Select the Owner role.

Step 4. Select who needs access

Click Select members.

Find and select the user.

You can type in the Select box to search the directory for the display name or email address.

Click Save to add the user to the Members list.

In the Description box, enter an optional description for this role assignment.

Added By Abdul Basith, 

Later you can show this description in the role assignments list.

Select Not Constrained and Click Next.

Step 5.  Assign role

• On the Review + Assign tab, review the role assignment settings.
• Click Review + Assign to assign the role.

After a few moments, the user is assigned the Owner role for the subscription.

Remove a user as an Owner of an Azure subscription

• Search for “subscriptions” in the search box at the top and click on the subscription you want to use

Click on “Access control (IAM)” and then click on the “Role assignments” tab.

Step 3. Remove the Role assignment

Find the user you want to remove, put a tick on the box near their name, and click Remove.

Then click on “Yes” to confirm.

In the Notifications, you can see it’s successfully removed.

Verification Process/Procedure

Adding: After being added as the owner of the subscription, you can verify this by navigating to IAM > Role Assignments. In the "Owner" tab, you should be able to observe the newly added role assignment.

Removing: After being removed as the owner of the subscription, you can verify this by navigating to IAM > Role Assignments. In the "Owner" tab, you should no longer see the role assignment associated with that account.

Abbreviations/Term Definitions

• IAM: Identity and Access Management
• RBAC: Role-Based Access Control
• PIM: Privileged Identity Management

Related Documentation

• Assign a user as an administrator of an Azure subscription - Azure RBAC | Microsoft Learn
• Remove Azure role assignments - Azure RBAC | Microsoft Learn
• Azure Subscription
• Role Assignment
• Role-Based Access Control

Azure DevOps - Complete CI-CD Pipeline

61170/assignment-option-disabled-while-trying-assign-using-portal

• Cloud Computing
• Add role assignment option is disabled while...

Add role assignment option is disabled while trying to assign a role to a user using portal

• cloud-computing
• microsoft-azure
• azure-management
• azure-portal

Your comment on this question:

1 answer to this question.

Your answer.

If you don't have permissions to assign roles, the Add role assignment option will be disabled. 

To add or remove role assignments, you must have:

Microsoft.Authorization/roleAssignments/write  

Microsoft.Authorization/roleAssignments/delete  permissions, such as User Access Administrator or Owner

Ensure you have these permissions. 

• ask related question

Your comment on this answer:

Related questions in azure, how to add a body to a httpwebrequest that is being used with the azure service management api.

The following code should help: byte[] buf = ... READ MORE

• cloudcomputing
• azure-career

Unable to update an existing custom role using Azure portal.

If you are unable to update an ... READ MORE

Can't create a new resource group using Azure portal despite of having owner role assigned.

It is a by design behavior because ... READ MORE

Failed to get access token by using service principal. ADAL Error: service_unavailable while trying copy activity using datafactory

When the Service Token Server (STS) owned ... READ MORE

• azure-datafactory

How do I change the time duration to prevent sign out from azure portal due to inactivity?

The inactivity timeout setting helps to protect ... READ MORE

Is it possible to override default inactive timeout setting enabled by the admin?

Yes, If an admin has made a ... READ MORE

How to set a directory level inactivity timeout for the azure portal?

If you’re an admin, and you want ... READ MORE

Disable pop-up notifications on the azure portal.

To disable pop-up notifications, de-select the Enable pop-up notifications checkbox. This ... READ MORE

How do I assign a role to a particular user using the Azure portal?

Follow these steps to assign a role ... READ MORE

"No more role assignments can be created (code: RoleAssignmentLimitExceeded)" while trying to assign roles using azure portal.

If you get this error message try to reduce ... READ MORE

• All categories

Join the world's most active Tech Community!

Welcome back to the world's most active tech community.

At least 1 upper-case and 1 lower-case letter

Minimum 8 characters and Maximum 50 characters

Subscribe to our Newsletter, and get personalized recommendations.

Already have an account? Sign in .

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Understand Azure role assignments

• 3 contributors

Role assignments enable you to grant a principal (such as a user, a group, a managed identity, or a service principal) access to a specific Azure resource. This article describes the details of role assignments.

Role assignment

Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.

A role assignment has several components, including:

• The principal , or who is assigned the role.
• The role that they're assigned.
• The scope at which the role is assigned.
• The name of the role assignment, and a description that helps you to explain why the role has been assigned.

For example, you can use Azure RBAC to assign roles like:

• User Sally has owner access to the storage account contoso123 in the resource group ContosoStorage .
• Everybody in the Cloud Administrators group in Microsoft Entra ID has reader access to all resources in the resource group ContosoStorage .
• The managed identity associated with an application is allowed to restart virtual machines within Contoso's subscription.

The following shows an example of the properties in a role assignment when displayed using Azure PowerShell :

The following shows an example of the properties in a role assignment when displayed using the Azure CLI , or the REST API :

The following table describes what the role assignment properties mean.

When you create a role assignment, you need to specify the scope at which it's applied. The scope represents the resource, or set of resources, that the principal is allowed to access. You can scope a role assignment to a single resource, a resource group, a subscription, or a management group.

Use the smallest scope that you need to meet your requirements.

For example, if you need to grant a managed identity access to a single storage account, it's good security practice to create the role assignment at the scope of the storage account, not at the resource group or subscription scope.

For more information about scope, see Understand scope .

Role to assign

A role assignment is associated with a role definition. The role definition specifies the permissions that the principal should have within the role assignment's scope.

You can assign a built-in role definition or a custom role definition. When you create a role assignment, some tooling requires that you use the role definition ID while other tooling allows you to provide the name of the role.

For more information about role definitions, see Understand role definitions .

Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Microsoft Entra tenant. You can assign a role to any principal. Use the Microsoft Entra ID object ID to identify the principal that you want to assign the role to.

When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or another infrastructure as code (IaC) technology, you specify the principal type . Principal types include User , Group , and ServicePrincipal . It's important to specify the correct principal type. Otherwise, you might get intermittent deployment errors, especially when you work with service principals and managed identities.

A role assignment's resource name must be a globally unique identifier (GUID).

Role assignment resource names must be unique within the Microsoft Entra tenant, even if the scope of the role assignment is narrower.

When you create a role assignment by using the Azure portal, Azure PowerShell, or the Azure CLI, the creation process gives the role assignment a unique name for you automatically.

If you create a role assignment by using Bicep or another infrastructure as code (IaC) technology, you need to carefully plan how you name your role assignments. For more information, see Create Azure RBAC resources by using Bicep .

Resource deletion behavior

When you delete a user, group, service principal, or managed identity from Microsoft Entra ID, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.

If you try to reuse a role assignment's name for another role assignment, the deployment will fail. This issue is more likely to occur when you use Bicep or an Azure Resource Manager template (ARM template) to deploy your role assignments, because you have to explicitly set the role assignment name when you use these tools. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment.

Description

You can add a text description to a role assignment. While descriptions are optional, it's a good practice to add them to your role assignments. Provide a short justification for why the principal needs the assigned role. When somebody audits the role assignments, descriptions can help to understand why they've been created and whether they're still applicable.

Some roles support role assignment conditions based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.

For example, you can add a condition that requires an object to have a specific tag for the user to read the object.

You typically build conditions using a visual condition editor, but here's what an example condition looks like in code:

The preceding condition allows users to read blobs with a blob index tag key of Project and a value of Cascade .

For more information about conditions, see What is Azure attribute-based access control (Azure ABAC)?

Integration with Privileged Identity Management (Preview)

Azure role assignment integration with Privileged Identity Management is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, Microsoft Entra Privileged Identity Management (PIM) is integrated into role assignment steps. For example, you can assign roles to users for a limited period of time. You can also make users eligible for role assignments so that they must activate to use the role, such as request approval. Eligible role assignments provide just-in-time access to a role for a limited period of time. You can't create eligible role assignments for applications, service principals, or managed identities because they can't perform the activation steps. You can create eligible role assignments at management group, subscription, and resource group scope, but not at resource scope. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.

The assignment type options available to you might vary depending or your PIM policy. For example, PIM policy defines whether permanent assignments can be created, maximum duration for time-bound assignments, roles activations requirements (approval, multifactor authentication, or Conditional Access authentication context), and other settings. For more information, see Configure Azure resource role settings in Privileged Identity Management .

To better understand PIM, you should review the following terms.

For more information, see What is Microsoft Entra Privileged Identity Management? .

• Delegate Azure access management to others
• Steps to assign an Azure role

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Azure Blob Storage: Add role assignment issue

In Azure DevOps, I have created a service connection (type: Azure Resource Manager) to be able to upload files to Azure Blob Storage.

Then I have added the Storage Blob Data Contributor role for this service principal under Access Control (IAM) in my Azure Storage account by searching for the service principal's name under Select .

I have noticed that each time I create a new DevOps pipeline that uses the (same) service connection, I need to add the Storage Blob Data Contributor role again because under Select , there are then multiple items with the same (service principal's) name. It's not clear why there are multiple items and it's also unclear which one is the newest, such that I am just adding all items as a workaround.

Is there anything that I am missing to avoid ending up with dozens of items to select when assigning roles for a new pipeline that uses the same service connection?

• azure-devops
• azure-blob-storage
• role-based-access-control

• It's not clear why there are multiple items and it's also unclear which one is the newest. Looks like service principals are created with the same display name (even though the client ids are different). That's the reason why duplicate items are shown during the role assignment. –  Lav G Commented Mar 17, 2020 at 13:32
• May I know what's the status of this before the weekend? Does configure the service connection with full parameters can let you avoid this trouble? Free to comment below if you has any puzzle with that:-) –  Mengdi Liang Commented Mar 20, 2020 at 8:12

As design, one service connection map to one single service principal.

You issue mostly like you did not ever assign the actual service principal id to that service connection while you configure it. When the system finds there is no principal there, it will automatically create one for it in azure.

Please give the full parameters value there, including service principal id and secret , when you create the service connection.

Then you can just grant the permission to the currently used service principal.

• I have tried to find the dialog box that your screenshot shows and came across this page , however, this information is outdated and I can no longer switch from the simplified to the full view (which I believe is what your screenshot is showing) when configuring a service connection for Azure Resource Manager using service principal (automatic or manual). –  Andreas Hessenthaler Commented Mar 25, 2020 at 8:14
• @AndreasHessenthaler. I guess you enabled the new feature of service connection? If this, please check this: imgur.com/a/Bn7F4gb –  Mengdi Liang Commented Mar 25, 2020 at 8:30

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged azure azure-devops azure-blob-storage role-based-access-control or ask your own question .

• The Overflow Blog
• Scaling systems to manage all the metadata ABOUT the data
• Navigating cities of code with Norris Numbers
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites
• Tag hover experiment wrap-up and next steps

Hot Network Questions

• Communicate the intention to resign
• Short story about a committee planning to eliminate 1 in 10 people
• Why did evolution fail to protect humans against sun?
• Why does Air Force Two lack a tail number?
• Ai-Voice cloning Scam?
• What was I thinking when I drew this diagram?
• Language inconsistency in The Expanse
• If there is no free will, doesn't that provide a framework for an ethical model?
• Erase the loops
• A burning devil shape rises into the sky like a sun
• Why do instructions for various goods sold in EU nowadays lack pages in English?
• How can we objectively measure the similarity between two scatter plots whose coordinates are known?
• What is the lowest feasible depth for lightly-armed military submarines designed around the 1950s-60s?
• Density of perfect numbers
• What is this fruit from Cambodia? (orange skin, 3cm, orange juicy flesh, very stick white substance)
• Union of lists with original order
• Someone wants to pay me to be his texting buddy. How am I being scammed?
• I need to better understand this clause in an independent contract agreement for Waiverability:
• Can a Statute of Limitations claim be rejected by the court?
• Are there rules of when there is linking-sound compound words?
• Claims of "badness" without a moral framework?
• Decent 900 MHz radome material from a hardware store
• A study on the speed of gravity
• Will The Cluster World hold onto an atmosphere for a useful length of time without further intervention?