What is the difference between Owner, Contributor and Reader?

Owner has full access including managing other users' access (role assignments). Contributor can create and manage all resource types but cannot grant access to others. Reader can only view resources. All three are management-plane roles and do not by themselves grant data-plane access like reading blob contents.

Why can a Contributor not read blob data?

Classic roles like Contributor and Owner act on the management plane — they manage the storage account itself. Reading or writing the actual blobs requires a data-plane role such as Storage Blob Data Reader or Storage Blob Data Contributor, which Azure separates so you can manage an account without seeing its contents.

What scopes can a role be assigned at?

Azure RBAC assignments apply at four scopes that inherit downward: management group, subscription, resource group and individual resource. Assigning a role at a resource group grants it on every resource inside, so prefer the narrowest scope a principal actually needs.

Which role lets someone manage access without managing resources?

User Access Administrator can manage role assignments (grant and revoke access) but not the resources themselves. It is the least-privilege way to delegate access management without giving full Owner rights over the resources.

How do I grant least-privilege Key Vault access?

Use the data-plane roles: Key Vault Secrets User to read secrets, Key Vault Secrets Officer to manage them, Key Vault Crypto User for key operations. The management role Key Vault Administrator covers all data operations but not the account's Azure resource settings.

Azure RBAC Built-in Roles Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Azure RBAC built-in roles

Azure role-based access control grants access by assigning a role definition to a security principal at a scope. Built-in roles are Microsoft-maintained definitions covering generic management (Owner, Contributor, Reader) and service-specific data access. This reference lists the most common ones with their scope and whether they act on the management or data plane.

How it works

An assignment binds a role to a principal at a scope; permissions inherit from broader scopes downward:

az role assignment create \
  --assignee [email protected] \
  --role "Storage Blob Data Reader" \
  --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<acct>"

Azure separates two planes:

Management plane roles (Owner, Contributor, Reader) manage the resource object — create, configure, delete.
Data plane roles (Storage Blob Data Contributor, Key Vault Secrets User) read or write the contents inside the resource.

A Contributor can deploy a storage account but cannot read its blobs without a data-plane role. Scopes are management group → subscription → resource group → resource, inheriting downward.

Tips and notes

Owner and User Access Administrator can grant access; Contributor cannot.
Always assign at the narrowest scope (single resource or resource group), not the whole subscription.
For storage and Key Vault, pick the explicit Data roles — generic Contributor does not grant data access.
Inspect a role’s exact actions with az role definition list --name "<role>".