Azure RBAC Built-in Roles Reference

Common Azure built-in role names with scope levels and permission summary.

Searchable Azure RBAC built-in role reference covering Owner, Contributor, Reader and service-specific roles for Storage, Key Vault, VMs and AKS with scope and assignment notes. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between Owner, Contributor and Reader?

Owner has full access including managing other users' access (role assignments). Contributor can create and manage all resource types but cannot grant access to others. Reader can only view resources. All three are management-plane roles and do not by themselves grant data-plane access like reading blob contents.

Azure RBAC built-in roles

Azure role-based access control (RBAC) grants access by assigning a role definition to a security principal (user, group, managed identity, or service principal) at a scope (management group, subscription, resource group, or individual resource). Built-in roles are Microsoft-maintained definitions that cover generic management (Owner, Contributor, Reader) and service-specific data access. This reference lists the most commonly used ones, their typical scope, and whether they act on the management or data plane.

Management plane vs data plane — the critical distinction

Azure separates two planes, and this is the most common source of least-privilege mistakes:

PlaneWhat it controlsExample roles
Management planeThe Azure resource object itself — create, configure, update, deleteOwner, Contributor, Reader
Data planeThe contents inside the resource — blobs, secrets, keys, messagesStorage Blob Data Contributor, Key Vault Secrets User

A user with Contributor on a storage account can create the account, change its settings, and view its access keys — but accessing the actual blobs requires a data-plane role like Storage Blob Data Contributor. This separation lets you manage infrastructure without ever touching the data it holds.

Scope inheritance

Assignments apply at a scope and inherit downward:

Management Group
  └── Subscription
        └── Resource Group
              └── Individual Resource

A role assigned at the resource group level is inherited by every resource inside that group. Always assign at the narrowest scope a principal actually needs.

How to assign a role

az role assignment create \
  --assignee [email protected] \
  --role "Storage Blob Data Reader" \
  --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<acct>"

To inspect what a role permits exactly:

az role definition list --name "Storage Blob Data Reader" --output json

Common role selection guide

ScenarioRecommended role
Full resource + access managementOwner
Create and manage resources, no access grantsContributor
View resources only, no changesReader
Read blobs in a storage accountStorage Blob Data Reader
Read and write blobsStorage Blob Data Contributor
Delegate access without managing resourcesUser Access Administrator
Read Key Vault secretsKey Vault Secrets User
Manage Key Vault secrets (create, update, delete)Key Vault Secrets Officer
Use cryptographic keys (sign, verify, encrypt)Key Vault Crypto User
All Key Vault data operationsKey Vault Administrator
Deploy to AKS without cluster-adminAKS Cluster User Role
View AKS cluster configAKS Cluster Monitoring User

Common RBAC mistakes

  • Assigning Contributor at the subscription scope when only one resource group is needed — blast radius is much larger than intended.
  • Assuming Owner grants access to blob data — it does not; add a data-plane role separately.
  • Assigning a data-plane role expecting it to manage the resource configuration — data roles only cover contents, not resource settings.
  • Forgetting that role propagation can take a few minutes to replicate globally after assignment.

Search the reference below by role name or service to find the exact built-in role for your scenario.