azure-rbac
Find minimal Azure RBAC roles, generate assignment commands, and provide Bicep infrastructure code.
- Identifies built-in roles matching desired permissions using Azure documentation, or generates custom role definitions when no built-in role fits
- Produces Azure CLI commands and Bicep code snippets for role assignments to identities, managed identities, and service principals
- Documents prerequisites for granting roles, including required permissions and recommended least-privilege role options (User Access Administrator, Owner, or custom roles with
Microsoft.Authorization/roleAssignments/write) - Supports common scenarios: least-privilege access, blob storage roles, managed identity permissions, and custom role creation
Use the 'azure__documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity. If no built-in role matches the desired permissions, use the 'azure__extension_cli_generate' tool to create a custom role definition with the desired permissions. Then use the 'azure__extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity. Finally, use the 'azure__bicepschema' and 'azure__get_azure_bestpractices' tools to provide a Bicep code snippet for adding the role assignment. If user is asking about role necessary to set access, refer to Prerequisites for Granting Roles down below:
Prerequisites for Granting Roles
To assign RBAC roles to identities, you need a role that includes the Microsoft.Authorization/roleAssignments/write permission. The most common roles with this permission are:
- User Access Administrator (least privilege - recommended for role assignment only)
- Owner (full access including role assignment)
- Custom Role with
Microsoft.Authorization/roleAssignments/write
More from microsoft/github-copilot-for-azure
analyze-skill-issues
0deploy-model
0investigate-integration-test
0entra-app-registration
Guides Microsoft Entra ID app registration, OAuth 2.0 authentication, and MSAL integration. USE FOR: create app registration, register Azure AD app, configure OAuth, set up authentication, add API permissions, generate service principal, MSAL example, console app auth, Entra ID setup, Azure AD authentication. DO NOT USE FOR: Azure RBAC or role assignments (use azure-rbac), Key Vault secrets (use azure-keyvault-expiration-audit), general Azure resource security guidance.
0azure-reliability
Assess and improve the reliability posture of PaaS Applications (Azure Functions and Azure App Service). Scans deployed resources for zone redundancy, ZRS storage, health probes, and multi-region failover. Presents a feature-pivoted checklist, then drives staged remediation (CLI or IaC patches) end-to-end with user confirmation. WHEN: \"assess reliability\", \"check reliability\", \"zone redundant\", \"multi-region failover\", \"high availability\", \"disaster recovery\", \"single points of failure\", \"reliability posture\", \"resiliency\".
0azure-security
0