Built-In Roles and Custom Roles

Azure provides more than 300 built-in RBAC roles that cover common access patterns. When none of these roles fit your requirements exactly, you can create custom roles with precisely the permissions you need.

---

The Three Fundamental Built-In Roles

Three roles appear at every scope in Azure and are the most widely used:

Role	Description
Owner	Full access to all resources, including the ability to assign roles to others
Contributor	Full access to all resources, but cannot manage role assignments or manage Blueprints
Reader	View all resources but cannot make any changes

When to Use Each

• Owner — only for subscription or management group administrators who need to delegate access
• Contributor — for users who need to create and manage resources but should not control access
• Reader — for auditors, stakeholders, or dashboards that need visibility without modification rights

---

Commonly Used Built-In Roles

Beyond the three fundamental roles, Azure provides service-specific roles:

Identity and Access