Get a free AWS Well-Architected Assessment ->

Microsoft Azure

Role Definition

Azure Role Definitions are a set of permissions that define the actions that a user, group, or application can perform on Azure resources. Role definitions are used to grant access to Azure resources and manage permissions for users and groups. Each role definition consists of a set of permissions that define what actions are allowed or denied on specific Azure resources. The permissions are defined using Azure Resource Manager templates and are stored as JSON files in Azure. The role definitions can be customized to suit the specific needs of an organization. Azure provides a set of built-in role definitions that can be used to grant access to resources, such as Owner, Contributor, Reader, and User Access Administrator. These built-in roles have pre-defined permissions that can be assigned to users and groups. In addition to the built-in roles, users can create custom role definitions with specific permissions tailored to their needs. Custom role definitions can be created using Azure Resource Manager templates or the Azure portal. Users can define the permissions for each role, specify the scope of the role, and assign the role to users and groups.‍
aws cost
Direct Cost
Indirect Cost
No items found.
Terraform Name
Role Definition

The following arguments are supported:

  • role_definition_id - (Optional) A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
  • name - (Required) The name of the Role Definition.
  • scope - (Required) The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
  • description - (Optional) A description of the Role Definition.
  • permissions - (Optional) A permissions block as defined below.
  • assignable_scopes - (Optional) One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.


The value for scope is automatically included in this list if no other values supplied.

A permissions block as the following properties:

Associating resources with a
Role Definition
Resources do not "belong" to a
Role Definition
Rather, one or more Security Groups are associated to a resource.
Role Definition
via Terraform:
The following HCL manages a custom Role Definition, used to assign Roles to Users/Principals

data "azurerm_subscription" "primary" {

resource "azurerm_role_definition" "example" {
 name        = "my-custom-role"
 scope       =
 description = "This is a custom role created via Terraform"

 permissions {
   actions     = ["*"]
   not_actions = []

 assignable_scopes = [, # /subscriptions/00000000-0000-0000-0000-000000000000

Role Definition
via CLI:

az role definition create --role-definition


az role definition create --role-definition '{
   "Name": "Contoso On-call",
   "Description": "Perform VM actions and read storage and network information.",
   "Actions": [
   "DataActions": [
   "NotDataActions": [
   "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]

Best Practices for
Role Definition

Categorized by Availability, Security & Compliance and Cost

No items found.
Explore all the rules our platform covers
Related blog posts