Start course

Role-Based Access Control, or RBAC, is how you can manage access to resources in Azure. RBAC works by creating role assignments that can apply to different levels of your tenant. A role assignment is broken down into three elements: the security principal, the role definition, and the scope you apply it to.

Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.

We will also look at common scenarios when troubleshooting role-based access control in Azure.

Learning Objectives

  • Identify the different elements that create the role assignment
  • Configure access to resources in Azure
  • Implement a custom role
  • Troubleshoot common RBAC problems

Intended Audience

  • People who want to become Azure administrators


  • General knowledge of the Azure portal

Related Training Content

To discover more courses covering Microsoft Azure topics, visit our dedicated Azure Training Library.


Role-based access control changes in Azure don't always go as planned. Let's look at some scenarios where you may encounter issues. 

Scenario one. You can't create a new resource in a resource group. Check access control to verify the user has the appropriate role assignment. If the user is part of a custom role, verify that the role definition can deploy that resource. 

Scenario two. You attempt to add a role assignment in your subscription and you receive an error role assignment limit exceeded. In your subscription, there is a limit of 2,000 role assignments. If you see this error, consider assigning roles to groups instead of individual users. 

Scenario three. You attempt to create or update a custom role but you get an error. Confirm that the user has the Microsoft.Authorization/roleDefinition/write permission. 

Scenario four. You attempt to create a new custom role and you receive an error role definition limit exceeded. In your tenant, there is a limit of 2,000 custom roles. Scenario five. You make a change in Access Control or you add a custom role and the changes do not reflect in the portal or in the console. Sometimes these changes can take time to take effect. You can log out and re-log in to force the refresh.

About the Author

With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.

When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.