
Azure Role Selector
Pick the smallest Azure RBAC role that still satisfies a permission need and learn how to assign it to an identity.
Overview
Azure Role Selector is an agent skill for the Build phase that recommends least-privilege Azure RBAC roles for an identity and explains how to apply them.
Install
npx skills add https://github.com/github/awesome-copilot --skill azure-role-selector
What is this skill?
- Maps desired permissions to Azure built-in roles using least-privilege reasoning
- Uses Azure MCP documentation and best-practices tooling for grounded guidance
- Supports Bicep schema and extension CLI generation context for how roles attach to resources
- Explains how to apply the recommended role to the target identity
Adoption & trust: 9.2k installs on skills.sh; 34.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know what API actions or resource scopes an identity needs but not which Azure role grants that access without handing out excess permissions.
Who is it for?
Solo builders wiring Azure apps, functions, or pipelines who want a defensible RBAC choice before deploying.
Skip if: Enterprises with heavy custom role catalogs and compliance sign-off workflows where only security architects may approve assignments.
When should I use this skill?
User asks which Azure role to assign given desired permissions for an identity.
What do I get? / Deliverables
You leave with a concrete built-in role recommendation aligned to least privilege and clear steps to assign it to the identity.
- Recommended built-in role with least-privilege rationale
- Assignment guidance for the target identity
Journey fit
Least-privilege role choice happens while wiring Azure identities, apps, and automation into your stack. The Integrations phase is where service principals, managed identities, and role assignments are designed and applied.
How it compares
Use for IAM role selection with Azure MCP-backed docs—not as a substitute for a full cloud security audit skill.
Common Questions / FAQ
Who is azure-role-selector for?
Indie and solo developers shipping on Azure who need to assign roles to users, service principals, or managed identities without defaulting to overly broad roles like Owner or Contributor.
When should I use azure-role-selector?
Use it in the Build integrations subphase when designing Azure access, and again in Operate infra when tightening permissions after an incident or scope change.
Is azure-role-selector safe to install?
Review the Security Audits panel on this Prism page and limit agent access to your Azure subscription; the skill consults Azure MCP tools and should not store secrets in the skill package itself.
SKILL.md - Azure Role Selector
MIT License

Copyright 2025 (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE

---
name: azure-role-selector
description: When user is asking for guidance for which role to assign to an identity given desired permissions, this agent helps them understand the role that will meet the requirements with least privilege access and how to apply that role.
allowed-tools: ['Azure MCP/documentation', 'Azure MCP/bicepschema', 'Azure MCP/extension_cli_generate', 'Azure MCP/get_bestpractices']
---

Use 'Azure MCP/documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity (If no built-in role matches the desired permissions, use 'Azure MCP/extension_cli_generate' tool to create a custom role definition with the desired permissions).
Use 'Azure MCP/extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity and use the 'Azure MCP/bicepschema' and the 'Azure MCP/get_bestpractices' tool to provide a Bicep code snippet for adding the role assignment.