
azure-rbac

Safe

Assign Azure RBAC Roles with Least Privilege

This skill helps Azure administrators find the minimal RBAC role needed for specific permissions and generates the CLI commands and Bicep code to assign it securely.

Supports: Claude Codex Code(CC)
🥉 74 Bronze
  1. Download the skill ZIP
  2. Upload in Claude: Settings → Capabilities → Skills → Upload skill
  3. Toggle on and start using

Test it

Using "azure-rbac". What role should I assign for a managed identity to read blobs?

Expected outcome:

  • Storage Blob Data Reader is the recommended built-in role for read-only access to blob containers and data.
  • Resource scope: the role can be assigned at the storage account or at an individual container. A role assignment cannot be scoped to a single blob; if access must be limited to particular blob paths, attach an ABAC condition to the assignment instead.
  • For least privilege, assign at the specific container rather than the entire storage account.

Using "azure-rbac". Generate Bicep code to assign a role to a service principal

Expected outcome (a Bicep resource; without a scope property it deploys at the deployment's target scope, so for least privilege set scope: to the target resource, such as the storage account or container):

    resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      // name must be unique per scope; seeding the guid with the principal and role keeps redeployments idempotent
      name: guid(subscription().id, servicePrincipalId, roleDefinitionId)
      properties: {
        principalId: servicePrincipalId
        roleDefinitionId: roleDefinitionId
        // principalType avoids replication-delay failures for newly created identities
        principalType: 'ServicePrincipal'
      }
    }

Security Audit

Safe
v1 • 2/21/2026

Static analysis flagged 4 instances of 'Weak cryptographic algorithm' at SKILL.md lines 3 and 8. These are FALSE POSITIVES. Line 3 contains YAML syntax (description: >-) for multiline strings. Line 8 references Azure MCP tools (azure__documentation, azure__extension_cli_generate). The skill is a legitimate Microsoft Azure RBAC helper that recommends least-privilege roles and generates infrastructure code.

1 file scanned • 9 lines analyzed • 0 findings • 1 total audit
No security issues found

Detected Patterns

Weak Cryptographic Algorithm (False Positive)
Audited by: claude

Quality Score

  • Architecture: 38
  • Maintainability: 100
  • Content: 87
  • Community: 50
  • Security: 100
  • Spec Compliance: 91

What You Can Build

  • Grant read access to blob storage: find the minimal role needed for a service principal to read blobs in a specific storage account
  • Create a custom role for API permissions: define a custom RBAC role with specific API permissions when built-in roles are too broad
  • Automate role assignment in CI/CD: generate Bicep code for role assignments that can be deployed via Azure DevOps or GitHub Actions

Try These Prompts

  • Find role for storage read: What is the minimum RBAC role needed to read blobs in an Azure Storage account?
  • Role for managed identity: What RBAC role should I assign to a managed identity so it can list virtual machines in a resource group?
  • Generate role assignment CLI: Generate the Azure CLI command to assign the Storage Blob Data Reader role to a user-assigned managed identity on a storage account.
  • Create custom role definition: Create a custom RBAC role definition that allows read and list on storage containers and blobs, but not delete or write operations.

Best Practices

  • Always assign roles at the narrowest scope possible (resource or resource group vs subscription)
  • Use built-in roles when possible instead of custom roles for easier maintenance
  • Document the business justification for each role assignment

Avoid

  • Assigning Owner or Contributor roles when more specific roles are available
  • Assigning roles at subscription or management group scope when resource-level scope would suffice
  • Using wildcard (*) permissions in custom role definitions

Frequently Asked Questions

What is the difference between Storage Blob Data Reader and Storage Blob Data Owner?
Storage Blob Data Reader grants read-only access to blob containers and data. Storage Blob Data Owner grants full access to blob containers and data, including write and delete, plus setting POSIX access control lists (ACLs) on hierarchical-namespace (Data Lake Storage Gen2) accounts. Use Reader when the workload only reads; if it must also write, prefer Storage Blob Data Contributor, which adds write and delete but not ACL management, over Owner.
Can I assign RBAC roles to managed identities?
Yes, you can assign RBAC roles to both user-assigned and system-assigned managed identities. Use the principalId (object ID) of the managed identity in the role assignment, and set principalType to 'ServicePrincipal' so that assignments to a freshly created identity do not fail with a principal-not-found error while the directory is still replicating.
How do I find the role definition ID for a built-in role?
Use Azure CLI: az role definition list --name "Storage Blob Data Reader" --query "[].id" -o tsv returns the fully qualified roleDefinitionId, which ends in /providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6bc1-4aae-9c59-2c7b10959305. In Bicep the same ID can be built from the GUID with subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6bc1-4aae-9c59-2c7b10959305').
What scope should I use for role assignments?
Use the narrowest scope possible. Assign at resource level for single resources, resource group for multiple resources in the same group, and subscription only when organization-wide access is required.
Can this skill help with Azure AD entitlement management?
No. This skill covers Azure RBAC role assignments only. Microsoft Entra ID (formerly Azure AD) Privileged Identity Management (PIM) and entitlement management are separate systems and out of scope.
How do I audit existing role assignments in my subscription?
Use Azure CLI: az role assignment list --all --output table to list all assignments, or Azure Resource Graph queries for subscription-wide auditing. This skill does not provide auditing capabilities.
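The Best Practices and Avoid lists above, and this auditing question, describe rules that are easy to check mechanically over the JSON that az role assignment list and az role definition list emit. The following script is an added example, not part of the azure-rbac skill: it classifies each assignment's scope from the shape of its resource ID, flags Owner/Contributor grants and any grant at subscription or management-group level, and flags custom roles that use wildcard actions. The sample records are constructed; only their field names follow the real CLI output, and the subscription, principal and account names are placeholders.

```python
"""Least-privilege audit over Azure role assignments and custom role definitions.
Added example (not part of the azure-rbac skill). Input is shaped like
`az role assignment list --all -o json` and `az role definition list --custom-role-only -o json`;
the sample records below are constructed.
"""
import json
import re
from typing import Dict, List

# Built-in roles the page says not to use when a more specific role exists.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels the page says to avoid when a narrower scope would do.
BROAD_SCOPE_LEVELS = {"root", "managementGroup", "subscription"}

_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
# A top-level resource ID ends in /providers/<namespace>/<type>/<name>; anything
# after that (e.g. /blobServices/default/containers/<name>) is a child resource.
_RES_RE = re.compile(r"/providers/[^/]+/[^/]+/[^/]+(/.+)?$", re.I)


def scope_level(scope: str) -> str:
    """Classify an assignment scope from the shape of its resource ID."""
    if scope == "/":
        return "root"
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    m = _RES_RE.search(scope)
    if m and m.group(1):
        return "subResource"
    return "resource"


def audit_assignments(assignments: List[Dict]) -> List[str]:
    """One finding per rule an assignment breaks: a broad role, or any role
    granted above resource-group level."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        who = f"{a.get('principalType', 'Unknown')} {a['principalId']}"
        if role in BROAD_ROLES:
            findings.append(f"BROAD_ROLE: {role} for {who} at {scope}")
        level = scope_level(scope)
        if level in BROAD_SCOPE_LEVELS:
            findings.append(f"BROAD_SCOPE: {role} for {who} at {level} level ({scope})")
    return findings


def audit_role_definitions(definitions: List[Dict]) -> List[str]:
    """Flag custom roles that grant wildcard actions or dataActions.
    Wildcards in notActions/notDataActions only narrow a grant, so they pass."""
    findings = []
    for d in definitions:
        for perm in d.get("permissions", []):
            for key in ("actions", "dataActions"):
                for action in perm.get(key, []):
                    if "*" in action:
                        findings.append(f"WILDCARD: custom role {d['roleName']} grants {key} {action}")
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
ACCOUNT = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlogs"

SAMPLE_ASSIGNMENTS = [  # constructed, in az role assignment list shape
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": ACCOUNT + "/blobServices/default/containers/logs"},  # narrow role and scope: passes
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},  # broad role at subscription scope
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/rg-data"},  # passes
]

SAMPLE_ROLE_DEFINITIONS = [  # constructed, in az role definition list shape
    {"roleName": "Blob Lister", "permissions": [{  # read/list only, no write or delete
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "notDataActions": []}]},
    {"roleName": "Storage Admin Custom", "permissions": [{
        "actions": ["Microsoft.Storage/*"], "notActions": [],  # wildcard: flagged
        "dataActions": [], "notDataActions": []}]},
]


def run_audit(assignments=SAMPLE_ASSIGNMENTS, definitions=SAMPLE_ROLE_DEFINITIONS) -> List[str]:
    """Combine both audits; feed real CLI output here instead of the samples."""
    return audit_assignments(assignments) + audit_role_definitions(definitions)


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

To run it against a real subscription, save the output of az role assignment list --all -o json and az role definition list --custom-role-only -o json to files, json.load them and pass the lists to run_audit. The scope classifier works purely on the resource ID shape, so the same check applies to any resource type, not only storage; the Contributor assignment in the sample produces two findings because it breaks both the role rule and the scope rule.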

Developer Details

File structure

📄 SKILL.md