Using the Azure CLI To Update and Manage User Permissions

The Azure CLI is a great tool for scripting updates to user permissions. In this guide, we'll walk through the basics of roles and groups and the common commands.

Patrick Londa, Author
Jun 2, 2022 • 5 min read

If you need to make user permission updates in an automated way, the Azure CLI can be a great option. In this article, we will be outlining the two main sources of user permissions, roles and groups, and how they intersect.

With a combination of roles and groups, you can maintain granular permissions across many different projects while adhering to the principle of least privilege.

Understanding Roles with Azure RBAC

Azure roles are a flexible way to designate user permissions. With Azure RBAC (role-based access control), you can unlock access to certain resources and actions by assigning a user to a certain role, which comes with an accompanying set of permissions.

These are some examples of common built-in roles: 

  • Contributor: Can create and manage Azure resources
  • Owner: Access to all resources and can extend access to others
  • Reader: Can view only existing Azure resources
  • User Access Administrator: Can manage access to Azure resources

You can narrow access further by assigning a user a role at a specific scope (e.g. a resource group or an application ID). If you need a unique combination of permissions and expect to have similar use cases in the future, you can also create custom roles by providing either a JSON role definition file or a PSRoleDefinition object as input.


Assigning Roles with the Azure CLI

You will likely need to update someone’s role if they are new to your organization or have been assigned to a new project; or conversely, if they are leaving or no longer need access. Here are the steps for making these changes with the Azure CLI.

Adding a Role to a User

To assign a role to a user in Azure, you can use the “az role assignment create” command. You have to specify three components: the assignee, the role, and the resource group or scope of access. In the following example, we’re assigning Reader access (the role definition) to user John Smith for the scope of a certain resource group.

az role assignment create --assignee "john.smith@acme.com" \
--role "Reader" \
--resource-group "Acme-Group-1"

Removing a Role from a User

Next, to remove the role from the same user, we would use the “az role assignment delete” command. This command uses the exact same parameters:

az role assignment delete --assignee "john.smith@acme.com" \
--role "Reader" \
--resource-group "Acme-Group-1"

These commands should enable you to make these role updates manually, or script a repeatable workflow for new employees or new projects.

Understanding Groups in Azure 

In GCP or AWS, Identity and Access Management (IAM) groups are a way to extend access and authorization to services/APIs to a team. Groups in Azure serve the same purpose, but Azure is slightly different in that groups are created directly in Azure Active Directory (AD).

You can create a new group using the command az ad group create, and specify a display name and a mail nickname. Here’s an example:

az ad group create --display-name AcmeGroupA \
--mail-nickname AcmeGroupA

Management of IAM groups in Azure involves the same kinds of tasks you would perform in typical user groups, whether it’s adding or deleting individual users, giving them specific levels of IAM permissions, or managing groups of users as a whole, among many others.

For example, you can assign a group with a certain role for a certain scope or resource group. To do this, you’ll first need to get the object ID for the group using this command:

az ad group show --group "AcmeGroupA" --query "id" --output tsv

The object ID is a GUID in this format:

“xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”

Now that you have the group ID, you can use the “az role assignment create” command to assign a role to that group:

az role assignment create --assignee "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
--role "Contributor" \
--resource-group "Acme-Group-2"

The combination of user roles and group roles gives organizations a flexible and secure permissions model as the company grows or projects change.
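Once roles are assigned to users and groups as shown above, it helps to check periodically that the result still follows least privilege. The following is an added example (not code from the original post) that reads the JSON printed by `az role assignment list --all --output json` and flags Owner or User Access Administrator assignments at subscription or management-group scope, plus non-Reader roles granted directly to users instead of groups; the sample assignments are constructed and the subscription ID is a placeholder.

```python
import json

# Constructed sample of `az role assignment list --all --output json` output.
# Field names follow the real CLI output; principals, scopes and IDs are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "john.smith@acme.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Acme-Group-1"},
    {"principalName": "AcmeGroupA", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Acme-Group-2"},
    {"principalName": "bob.lee@acme.com", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Acme-Group-2"},
    {"principalName": "jane.doe@acme.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/root"},
])

# Roles that can grant or broaden access to others; wide scopes for them deserve review.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
WIDE_SCOPES = {"subscription", "managementGroup"}

def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if "providers" in parts:          # .../providers/<namespace>/<type>/<name>
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    return "subscription"             # "/subscriptions/<id>"

def audit_assignments(raw_json):
    """Return (principalName, role, finding) tuples that warrant a review."""
    findings = []
    for a in json.loads(raw_json):
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in PRIVILEGED_ROLES and level in WIDE_SCOPES:
            findings.append((a["principalName"], role, "privileged role at wide scope"))
        elif a["principalType"] == "User" and role != "Reader":
            # Write access granted to an individual; assign it to a group instead.
            findings.append((a["principalName"], role, "direct user assignment, prefer a group"))
    return findings

if __name__ == "__main__":
    for name, role, why in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {role} ({why})")
```

In practice, pipe the real CLI output into `audit_assignments` and review each finding against the scope the principal actually needs.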


Adding or Removing Users from Groups

If you want to add a user to a group, you’ll need to run the az ad group member add command. You will need to plug in values for a group parameter (either the specific group ID or display name) and a member-id parameter (the user’s object ID).

Here is an example of that command:

az ad group member add --group AcmeGroupA \
--member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Removing a member from a group uses the same parameters, and uses the az ad group member remove command instead:

az ad group member remove --group AcmeGroupA \
--member-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

You can also use the same parameters with the az ad group member check command to check whether the member was removed from the group.

Automate Permission Updates with Blink

Most likely, as your organization grows, changing and updating permissions and policies will take up more time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple of clicks.

Get started with Blink today to see how easy automation can be.
