Agent Skill

Azure Rbac

azure-rbac

Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.

Microsoft, Security, Python, Agent-skills

408K installs

microsoft/azure-skills

by Microsoft

Score: 8.5 / 10

Repo Stars: 1.2K

Last Updated: 0d ago (Fresh)

Quality Ratio: 99%

Description: Verified

Language: Python

First Published: Feb 2026

Summary

The Azure Rbac agent skill assists developers in identifying the most appropriate least-privilege Azure RBAC roles for identities and then generates the necessary Azure CLI commands and Bicep code to assign them. This agent skill is designed for Azure administrators, DevOps engineers, and developers who need to implement fine-grained access control and automate RBAC assignments efficiently. It is an emerging or highly specialized skill with limited adoption so far. It intelligently leverages the `azure__documentation` tool to pinpoint minimal built-in role definitions or, if needed, creates custom roles using `azure__extension_cli_generate` to ensure least privilege. The skill further provides Bicep code snippets for assignment via `azure__bicepschema` and `azure__get_azure_bestpractices`, alongside essential guidance on the permissions required to grant roles, such as the User Access Administrator role. Developers should note that this skill is specifically scoped for role selection and assignment, and does not cover creating managed identities or general Azure security hardening.

Skill Definition

Use the 'azure__documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure__extension_cli_generate' tool to create a custom role definition with the desired permissions. Then use the 'azure__extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure__bicepschema' and 'azure__get_azure_bestpractices' tools to provide a Bicep code snippet for adding the role assignment. If the user is asking about the role necessary to set access, refer to Prerequisites for Granting Roles below:

Prerequisites for Granting Roles

To assign RBAC roles to identities, you need a role that includes the Microsoft.Authorization/roleAssignments/write permission. The most common roles with this permission are:

  • User Access Administrator (least privilege - recommended for role assignment only)
  • Owner (full access including role assignment)
  • Custom Role with Microsoft.Authorization/roleAssignments/write

How to Use

Claude Code

npx skills add microsoft/azure-skills azure-rbac