Azure RBAC built-in roles
Azure role-based access control (RBAC) grants access by assigning a role definition to a security principal (user, group, managed identity, or service principal) at a scope (management group, subscription, resource group, or individual resource). Built-in roles are Microsoft-maintained definitions that cover generic management (Owner, Contributor, Reader) and service-specific data access. This reference lists the most commonly used ones, their typical scope, and whether they act on the management or data plane.
Management plane vs data plane — the critical distinction
Azure separates two planes, and this is the most common source of least-privilege mistakes:
| Plane | What it controls | Example roles |
|---|---|---|
| Management plane | The Azure resource object itself — create, configure, update, delete | Owner, Contributor, Reader |
| Data plane | The contents inside the resource — blobs, secrets, keys, messages | Storage Blob Data Contributor, Key Vault Secrets User |
A user with Contributor on a storage account can create the account, change its settings, and view its access keys — but accessing the actual blobs requires a data-plane role like Storage Blob Data Contributor. This separation lets you manage infrastructure without ever touching the data it holds.
Scope inheritance
Assignments apply at a scope and inherit downward:
Management Group
└── Subscription
└── Resource Group
└── Individual Resource
A role assigned at the resource group level is inherited by every resource inside that group. Always assign at the narrowest scope a principal actually needs.
How to assign a role
az role assignment create \
--assignee [email protected] \
--role "Storage Blob Data Reader" \
--scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<acct>"
To inspect what a role permits exactly:
az role definition list --name "Storage Blob Data Reader" --output json
Common role selection guide
| Scenario | Recommended role |
|---|---|
| Full resource + access management | Owner |
| Create and manage resources, no access grants | Contributor |
| View resources only, no changes | Reader |
| Read blobs in a storage account | Storage Blob Data Reader |
| Read and write blobs | Storage Blob Data Contributor |
| Delegate access without managing resources | User Access Administrator |
| Read Key Vault secrets | Key Vault Secrets User |
| Manage Key Vault secrets (create, update, delete) | Key Vault Secrets Officer |
| Use cryptographic keys (sign, verify, encrypt) | Key Vault Crypto User |
| All Key Vault data operations | Key Vault Administrator |
| Deploy to AKS without cluster-admin | AKS Cluster User Role |
| View AKS cluster config | AKS Cluster Monitoring User |
Common RBAC mistakes
- Assigning Contributor at the subscription scope when only one resource group is needed — blast radius is much larger than intended.
- Assuming Owner grants access to blob data — it does not; add a data-plane role separately.
- Assigning a data-plane role expecting it to manage the resource configuration — data roles only cover contents, not resource settings.
- Forgetting that role propagation can take a few minutes to replicate globally after assignment.
Search the reference below by role name or service to find the exact built-in role for your scenario.