microsoftdocs/azure-rbac
skills/azure-rbac/SKILL.md
Expert knowledge for Azure Role-based access control development including troubleshooting, best practices, decision making, limits & quotas, security, configuration, and integrations & coding patterns. Use when managing Azure RBAC roles, ABAC conditions, PIM, custom role definitions, or role assignments via CLI/ARM, and other Azure Role-based access control related development tasks. Not for Azure Active Directory B2C (use azure-active-directory-b2c), Azure Information Protection (use azure-information-protection), Azure Policy (use azure-policy), Azure Security (use azure-security).
$ install --global
skillsauthnpx skillsauth add microsoftdocs/agent-skills azure-rbacInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 26, 2026, 7:08 AM129.9s1 file scanned
SKILL.md
- name:
- azure-rbac
- description:
- Expert knowledge for Azure Role-based access control development including troubleshooting, best practices, decision making, limits & quotas, security, configuration, and integrations & coding patterns. Use when managing Azure RBAC roles, ABAC conditions, PIM, custom role definitions, or role assignments via CLI/ARM, and other Azure Role-based access control related development tasks. Not for Azure Active Directory B2C (use azure-active-directory-b2c), Azure Information Protection (use azure-information-protection), Azure Policy (use azure-policy), Azure Security (use azure-security).
- compatibility:
- Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation.
- generated_at:
- 2026-05-10
- generator:
- docs2skills/1.0.0
Azure Role-based access control Skill
This skill provides expert guidance for Azure Role-based access control. Covers troubleshooting, best practices, decision making, limits & quotas, security, configuration, and integrations & coding patterns. It combines local quick-reference content with remote documentation fetching capabilities.
How to Use This Skill
IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g.,
L35-L120), useread_filewith the specified lines. For categories with file links (e.g.,[security.md](security.md)), useread_fileon the linked reference file
IMPORTANT for Agent: If
metadata.generated_atis more than 3 months old, suggest the user pull the latest version from the repository. Ifmcp_microsoftdocstools are not available, suggest the user install it: Installation Guide
This skill requires network access to fetch documentation content:
- Preferred: Use
mcp_microsoftdocs:microsoft_docs_fetchwith query stringfrom=learn-agent-skill. Returns Markdown. - Fallback: Use
fetch_webpagewith query stringfrom=learn-agent-skill&accept=text/markdown. Returns Markdown.
Category Index
| Category | Lines | Description | |----------|-------|-------------| | Troubleshooting | L35-L43 | Diagnosing and fixing Azure RBAC problems: activity log auditing, role/condition errors, assignment condition troubleshooting, and limits for built‑in and custom roles. | | Best Practices | L44-L50 | Security-focused guidance on designing Azure RBAC: choosing scopes, delegating access with ABAC conditions, and applying least privilege and separation-of-duties best practices. | | Decision Making | L51-L56 | Guidance on choosing and migrating role models: moving from classic admins to RBAC, scaling with ABAC, selecting Azure vs Entra vs classic roles, and transferring subscriptions between directories. | | Limits & Quotas | L57-L62 | Designing and managing Azure RBAC custom roles, including understanding role structure, permissions, and step-by-step creation using the Azure portal | | Security | L63-L129 | Azure RBAC roles, permissions, ABAC conditions, custom roles, and PIM: how to assign, secure, scope, and audit access to Azure resources across all service categories. | | Configuration | L130-L140 | Configuring Azure RBAC/ABAC: prerequisites, condition syntax, role assignments, built‑in vs custom roles, and creating/inspecting custom role definitions via CLI and PowerShell | | Integrations & Coding Patterns | L141-L156 | How to assign, list, and query Azure RBAC role assignments using CLI, PowerShell, portal, REST, ARM/Bicep templates, including managed identities and group-based access. |
Troubleshooting
| Topic | URL | |-------|-----| | Audit Azure RBAC changes using Activity Log | https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report | | Resolve common issues with Azure RBAC conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-faq | | Troubleshoot Azure RBAC role assignment conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-troubleshoot | | Resolve Azure RBAC role and custom role limit issues | https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshoot-limits | | Diagnose and resolve common Azure RBAC issues | https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting |
Best Practices
| Topic | URL | |-------|-----| | Apply security-focused best practices for Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices | | Example patterns for delegating RBAC with ABAC conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/delegate-role-assignments-examples | | Choose appropriate Azure RBAC scopes for access | https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview |
Decision Making
| Topic | URL | |-------|-----| | Scale Azure RBAC assignments using ABAC and attributes | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-custom-security-attributes-example | | Transfer Azure subscriptions between Entra directories | https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription |
Limits & Quotas
| Topic | URL | |-------|-----| | Understand and configure Azure RBAC custom roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles | | Create Azure custom roles in the portal | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal |
Security
| Topic | URL | |-------|-----| | Reference Azure RBAC built-in roles and permissions | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles | | Use AI and machine learning Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/ai-machine-learning | | Assign analytics Azure RBAC built-in roles and permissions | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/analytics | | Assign compute-focused Azure RBAC built-in roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/compute | | Control container workloads with Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/containers | | Secure database resources using Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/databases | | Apply DevOps Azure RBAC built-in roles and permissions | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/devops | | Apply general-purpose Azure RBAC built-in roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general | | Use RBAC roles for hybrid and multicloud | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/hybrid-multicloud | | Reference identity-focused Azure RBAC built-in roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/identity | | Configure integration workloads with Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/integration | | Manage IoT access with Azure RBAC built-in roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/internet-of-things | | Use RBAC roles for management and governance | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/management-and-governance | | Use Azure RBAC built-in migration roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/migration | | Use Azure RBAC built-in monitor roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor | | Use networking Azure RBAC built-in roles and scopes | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/networking | | Use privileged Azure RBAC built-in roles securely | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged | | Use security-category Azure RBAC built-in roles safely | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security | | Configure storage access with Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage | | Manage web and mobile access via Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/web-and-mobile | | Use authorization actions and attributes in Azure ABAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-authorization-actions-attributes | | Restrict blob read access using tags and ABAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-custom-security-attributes | | Manage Azure RBAC conditions using Azure CLI | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-cli | | Configure Azure RBAC role assignment conditions in portal | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-portal | | Manage Azure RBAC conditions using PowerShell | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-powershell | | Manage Azure RBAC conditions via REST API | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-rest | | Define Azure RBAC conditions in ARM templates | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-template | | Define Azure custom roles using Bicep | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-bicep | | Manage Azure custom roles using Azure CLI | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli | | Manage Azure custom roles using PowerShell | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell | | Manage Azure custom roles via REST API | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-rest | | Define Azure custom roles with ARM templates | https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-template | | Delegate Azure role assignments with ABAC conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/delegate-role-assignments-portal | | List and understand Azure RBAC deny assignments | https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments | | Elevate Global Administrator access to all subscriptions | https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin | | Use AI and ML permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/ai-machine-learning | | Use analytics permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/analytics | | Use compute permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute | | Use container permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/containers | | Use database permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/databases | | Use DevOps permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/devops | | Use general-category Azure RBAC permissions | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/general | | Use hybrid and multicloud permissions in RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/hybrid-multicloud | | Use identity permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/identity | | Use integration permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration | | Use IoT permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/internet-of-things | | Use management and governance permissions in RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/management-and-governance | | Use migration permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/migration | | Use monitor permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/monitor | | Use networking permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/networking | | Use security-category permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security | | Use storage permissions in Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage | | Use web and mobile permissions in RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/web-and-mobile | | Use PIM for eligible and time-bound Azure RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/pim-integration | | Apply Azure RBAC built-in policy definitions | https://learn.microsoft.com/en-us/azure/role-based-access-control/policy-reference | | Choose between Azure RBAC, Entra, and classic admin roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles | | Reference Azure resource provider permissions for RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations | | Alert on privileged Azure RBAC role assignments | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-alert | | Activate eligible Azure RBAC roles in the portal | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-eligible-activate | | Assign Azure RBAC roles to external B2B users | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users | | Assign Azure RBAC roles in Azure portal | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal | | Assign subscription Owner with constrained RBAC conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-subscription-admin | | Apply Azure Policy compliance controls to Azure RBAC | https://learn.microsoft.com/en-us/azure/role-based-access-control/security-controls-policy |
Configuration
| Topic | URL | |-------|-----| | Author Azure RBAC condition expressions and syntax | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format | | Meet prerequisites to use Azure RBAC conditions | https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-prerequisites | | Configure and interpret Azure RBAC role assignments | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments | | Understand and configure Azure RBAC role definitions | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions | | List and inspect Azure built-in and custom RBAC roles | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list | | Create Azure custom RBAC roles using Azure CLI | https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli | | Define Azure custom RBAC roles with PowerShell | https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell |
Integrations & Coding Patterns
| Topic | URL | |-------|-----| | Assign Azure RBAC roles using Bicep templates | https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-role-assignments-bicep | | Assign Azure RBAC roles with ARM templates | https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-role-assignments-template | | Assign Azure RBAC roles using Azure CLI | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli | | List Azure RBAC role assignments via Azure CLI | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-cli | | View Azure RBAC role assignments in the portal | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal | | List Azure RBAC role assignments with PowerShell | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell | | Query Azure RBAC role assignments using REST API | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest | | Assign Azure RBAC roles starting from a managed identity | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-managed-identity | | Assign Azure RBAC roles via PowerShell for all principals | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell | | Assign Azure RBAC roles through the REST API | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest | | Assign Azure RBAC roles using ARM templates | https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template | | Grant group-based Azure RBAC access via PowerShell | https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-group-powershell | | Grant Azure RBAC access using PowerShell commands | https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-role-assignments-user-powershell |
Related Skills
microsoftdocs/microsoft-foundry
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry (aka Azure AI Foundry) development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building Foundry agents with Azure OpenAI, model router patterns, MCP tools, private networking, or eval workflows, and other Microsoft Foundry related development tasks. Not for Microsoft Foundry Classic (use microsoft-foundry-classic), Microsoft Foundry Local (use microsoft-foundry-local), Microsoft Foundry Tools (use microsoft-foundry-tools).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/microsoft-foundry-local
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry Local (aka Azure AI Foundry Local) development including troubleshooting, decision making, configuration, and integrations & coding patterns. Use when calling Foundry Local REST/chat APIs, tools, transcription, LangChain apps, Olive HF compilation, or CLI, and other Microsoft Foundry Local related development tasks. Not for Microsoft Foundry (use microsoft-foundry), Microsoft Foundry Classic (use microsoft-foundry-classic), Microsoft Foundry Tools (use microsoft-foundry-tools), Azure Local (use azure-local).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/microsoft-foundry-classic
tools
VerifiedTrustedCommunity
Expert knowledge for Microsoft Foundry Classic (aka Azure AI Foundry classic) development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building Foundry agents, configuring model routing, securing VNets/Private Link, integrating tools/SDKs, or deploying hubs, and other Microsoft Foundry Classic related development tasks. Not for Microsoft Foundry (use microsoft-foundry), Microsoft Foundry Local (use microsoft-foundry-local), Microsoft Foundry Tools (use microsoft-foundry-tools).
568SKILL.mdUpdated Apr 17, 2026
microsoftdocs/azure-well-architected
development
VerifiedTrustedCommunity
Expert guidance for designing, assessing, and optimizing Azure workloads using Azure Well Architected. Covers design review checklists, recommendations, design principles, tradeoffs, service guides, workload patterns, and assessment questions. Use when designing AI, HPC, SaaS, AVD, or mission-critical workloads with WAF-aligned Azure patterns and guidance, and other Azure Well Architected related development tasks.
568SKILL.mdUpdated Apr 17, 2026