az role assignment create

Create a new role assignment for a principal at a specified scope.

Syntax

az role assignment create 
    --assignee <principal>
    --role <roleName|roleId>
    [--scope <scope>]
    [--resource-group <resourceGroup>]
    [--subscription <subscriptionId>]
    [--condition <condition>]
    [--condition-version <conditionVersion>]
    [--description <description>]
    [--output <format>]

Parameters

Parameter            Type    Description
--assignee           string  Object ID, user sign-in name, service principal name, or security group ID.
--role               string  Role name or ID. Use az role definition list for the full list.
--scope              string  Scope at which the role assignment applies. Default is the subscription.
--resource-group     string  Assign to a resource group. Mutually exclusive with --scope.
--subscription       string  Subscription ID or name. Overrides the default subscription.
--condition          string  Conditional expression for the assignment (Preview).
--condition-version  string  Version of the condition language. Default: 2.0.
--description        string  Human-readable description of the assignment.
--output             string  Output format: json (default), table, tsv, etc.

Examples

1. Assign Reader role to a user at subscription level

# No --scope or --resource-group given, so the assignment is made at the
# current subscription (the widest scope below a management group).
az role assignment create \
  --assignee john.doe@contoso.com \
  --role Reader

2. Assign a custom role to a service principal at a resource group

az role assignment create \
  --assignee 11111111-2222-3333-4444-555555555555 \
  --role "My Custom Role" \
  --resource-group MyResourceGroup

3. Assign a role with a condition (preview)

# --assignee takes the object ID, sign-in name or service principal name (here the
# service principal's application ID) directly; there is no "appId=" prefix.
# The condition uses the ABAC syntax and limits the grant to one blob container
# ("logs" is a placeholder name) inside the storage account in --scope.
az role assignment create \
  --assignee xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/xxxx-xxxx-xxxx/resourceGroups/MyRG/providers/Microsoft.Storage/storageAccounts/myaccount \
  --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'logs'" \
  --condition-version 2.0
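
Because omitting --scope silently lands an assignment at subscription scope, it is worth auditing what has accumulated. The following script is an added example, not part of the Azure CLI documentation: it reads the JSON emitted by az role assignment list and flags privileged roles granted at subscription scope or wider with no condition attached. The PRIVILEGED_ROLES set is an assumed starting list and the SAMPLE records are constructed.

```python
"""Audit `az role assignment list -o json` output for over-broad privileged grants.
Added example, not part of the Azure CLI docs; field names follow the CLI's JSON
output (roleDefinitionName, scope, principalName, principalType, condition)."""
import json
import sys

# Roles that confer write or permission-management rights (assumed starting list).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
WIDE_LEVELS = {"tenant", "managementGroup", "subscription"}


def scope_level(scope):
    """Classify an ARM scope: tenant, managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "tenant"           # "/" is the tenant root scope
    if "managementGroups" in parts:
        return "managementGroup"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"     # where an assignment lands when --scope is omitted
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def broad_assignments(assignments):
    """Return privileged, unconditioned assignments at subscription scope or wider."""
    findings = []
    for a in assignments:
        level = scope_level(a.get("scope") or "")
        if (a.get("roleDefinitionName") in PRIVILEGED_ROLES
                and level in WIDE_LEVELS and not a.get("condition")):
            findings.append({"principalName": a.get("principalName"), "role": a["roleDefinitionName"],
                             "principalType": a.get("principalType"), "level": level, "scope": a.get("scope")})
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder id
SAMPLE = [  # constructed records in the shape `az role assignment list` emits
    {"principalName": "john.doe@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB, "condition": None},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/MyResourceGroup", "condition": None},
    {"principalName": "john.doe@contoso.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB, "condition": None},
]

if __name__ == "__main__":  # usage: az role assignment list --all -o json | python3 audit_scopes.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE  # fall back to the constructed sample
    for f in broad_assignments(data):
        print(f"{f['principalType']} {f['principalName']}: {f['role']} at {f['level']} scope {f['scope']}")
```

Run against the sample, only the subscription-wide Contributor grant is reported; the resource-group-scoped deployer and the subscription-wide Reader are not.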

Notes

See also