
azure-role-selector skill

/skills/azure-role-selector

This skill helps you identify the least-privilege Azure role that meets required permissions and generates CLI and Bicep guidance for assignment.

npx playbooks add skill github/awesome-copilot --skill azure-role-selector


Files (2)
SKILL.md
983 B
---
name: azure-role-selector
description: When user is asking for guidance for which role to assign to an identity given desired permissions, this agent helps them understand the role that will meet the requirements with least privilege access and how to apply that role.
allowed-tools: ['Azure MCP/documentation', 'Azure MCP/bicepschema', 'Azure MCP/extension_cli_generate', 'Azure MCP/get_bestpractices']
---
Use 'Azure MCP/documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity (If no built-in role matches the desired permissions, use 'Azure MCP/extension_cli_generate' tool to create a custom role definition with the desired permissions). Use 'Azure MCP/extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity and use the 'Azure MCP/bicepschema' and the 'Azure MCP/get_bestpractices' tool to provide a Bicep code snippet for adding the role assignment.

Overview

This skill helps you choose the least-privilege Azure role for an identity based on the exact permissions you need and produces the commands and infrastructure-as-code snippet to apply it. It identifies built-in roles that match your requirements or creates a custom role when necessary. It also generates Azure CLI commands and a Bicep code example for the role assignment.

How this skill works

You describe the actions or resource permissions the identity needs and the skill searches role definitions to find the minimal built-in role that covers those permissions. If no built-in role matches exactly, the skill constructs a custom role definition with only the requested permissions. Finally, it generates the Azure CLI commands to create/assign the role and provides a ready-to-use Bicep snippet to add the role assignment in infrastructure code.
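As an added illustration, not code from the skill or from awesome-copilot, the selection logic described above reduced to a short Python script: Azure RBAC wildcard matching, Actions minus NotActions, the narrowest covering built-in role measured against an operations catalogue, and the fallback custom role body in the shape `az role definition create --role-definition` accepts. The built-in role definitions, the operations catalogue and the scope placeholder are constructed and abbreviated for the example, not authoritative Azure data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple           # Actions patterns; '*' matches any characters, '/' included
    not_actions: tuple = ()  # NotActions patterns, subtracted from Actions


# Constructed, abbreviated role definitions (not the authoritative Azure built-in roles).
BUILT_IN = (
    Role("Reader", ("*/read",)),
    Role("Contributor", ("*",), ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete")),
    Role("Virtual Machine Contributor", ("Microsoft.Compute/virtualMachines/*",)),
    Role("Storage Account Contributor", ("Microsoft.Storage/storageAccounts/*",)),
)
# Constructed sample of the provider operations catalogue used to measure how much a role grants.
OPERATIONS = tuple(f"{p}/{op}" for p, ops in {
    "Microsoft.Storage/storageAccounts": ("read", "write", "delete", "listKeys/action"),
    "Microsoft.Compute/virtualMachines": ("read", "write", "delete", "start/action",
                                          "restart/action", "deallocate/action", "powerOff/action"),
    "Microsoft.KeyVault/vaults": ("read", "write"),
    "Microsoft.Authorization/roleAssignments": ("read", "write", "delete"),
}.items() for op in ops)


def matches(pattern, action):
    """Azure RBAC matching: '*' is the only wildcard and the comparison is case-insensitive."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), action, re.IGNORECASE) is not None


def effective(role, catalogue=OPERATIONS):
    """Operations the role really grants: Actions minus NotActions, resolved against the catalogue."""
    return {op for op in catalogue
            if any(matches(a, op) for a in role.actions) and not any(matches(n, op) for n in role.not_actions)}


def select_built_in(required, roles=BUILT_IN):
    """Narrowest built-in role covering every required action, or None; ties prefer fewer non-read grants."""
    needed = {r.lower() for r in required}
    covering = [r for r in roles if needed <= {op.lower() for op in effective(r)}]
    def breadth(role):
        granted = effective(role)
        return len(granted), sum(not op.endswith("/read") for op in granted)
    return min(covering, key=breadth) if covering else None


def custom_role(required, scope, name):
    """Role definition body limited to exactly the requested actions, assignable only at the given scope."""
    return {"Name": name, "IsCustom": True, "Description": "Least-privilege custom role",
            "Actions": sorted(required), "NotActions": [], "DataActions": [], "NotDataActions": [],
            "AssignableScopes": [scope]}


def recommend(required, scope, roles=BUILT_IN):
    """Built-in role if one grants exactly the required actions, otherwise also a custom role to create."""
    best = select_built_in(required, roles)
    extra = best is None or {op.lower() for op in effective(best)} != {r.lower() for r in required}
    return {"built_in": best.name if best else None, "grants_extra": extra,
            "custom_role": custom_role(required, scope, "custom-least-privilege") if extra else None}
```

Against the sample catalogue, VM start/restart/deallocate resolves to Virtual Machine Contributor but flags extra grants, so a custom role is emitted, while the full set of storage account operations resolves to Storage Account Contributor with nothing extra.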

When to use it

  • Granting an identity access with least privilege to specific Azure resources
  • Verifying whether a built-in role is sufficient before creating a custom role
  • Preparing CLI commands for manual deployment or scripts
  • Embedding role assignments in Bicep templates for automated deployments
  • Auditing and reducing over-permissive role assignments

Best practices

  • Aim to use built-in roles when they exactly match required permissions to avoid custom role maintenance
  • Document the purpose of each custom role and of each assignment (its scope and principalId) when creating custom roles
  • Limit role scope to the smallest resource or resource group necessary
  • Test custom roles in a non-production subscription before wide rollout
  • Rotate and review role assignments regularly and remove unused identities

Example use cases

  • Assigning read-only access to a specific storage account for a CI pipeline identity
  • Providing VM start/stop permissions to an automation identity without full contributor rights
  • Creating a custom role that allows only specific Key Vault secret operations for an app
  • Generating Azure CLI commands to script role assignment as part of a deployment job
  • Adding a role assignment to a Bicep module to ensure infra-as-code manages access

FAQ

What if a built-in role is close but grants extra permissions?

If a built-in role grants extra permissions beyond your requirements, the skill will recommend creating a custom role limited to only the requested actions.

Will the generated Bicep snippet include principal identifiers?

Yes. The Bicep snippet includes placeholders for principalId and the specific scope so you can replace them with your identity and deployment context.

Can this handle role assignments at subscription and resource group scopes?

Yes. The skill supports generating role definitions and assignments scoped to subscription, resource group, or individual resources as requested.