Our review
This skill helps select the least-privilege Azure role matching desired permissions for an identity, and generates CLI commands and Bicep code for role assignment.
Strengths
- Accurate retrieval of built-in roles for specific permission needs
- Generation of custom roles if no built-in role fits
- Provides both CLI commands and Bicep snippets for assignment
Limitations
- Requires Azure MCP tools to be configured and accessible
- May not cover very niche permission scenarios
- Least-privilege evaluation depends on user query precision
When you need to assign an Azure role to an identity following least-privilege principles and want actionable implementation steps.
When dealing with non-Azure identities or needing complex RBAC policies beyond built-in or simple custom roles.
Security analysis
Safe
The skill only queries Azure documentation and generates advisory CLI/Bicep snippets; no destructive actions, data exfiltration, or direct system modifications are performed.
No concerns found
Examples
- What Azure role should I assign to a user so they can only list and view virtual machines in a resource group, with no write permissions?
- I need a custom role that allows starting and stopping Azure VMs but nothing else. Can you generate the role definition and CLI commands to assign it to a service principal?
- Give me a Bicep snippet that assigns the Contributor role to a managed identity for a specific storage account.

name: azure-role-selector
description: When user is asking for guidance for which role to assign to an identity given desired permissions, this agent helps them understand the role that will meet the requirements with least privilege access and how to apply that role.
allowed-tools:
  [
    "Azure MCP/documentation",
    "Azure MCP/bicepschema",
    "Azure MCP/extension_cli_generate",
    "Azure MCP/get_bestpractices",
  ]
Use 'Azure MCP/documentation' tool to find the minimal role definition that matches the desired permissions the user wants to assign to an identity (If no built-in role matches the desired permissions, use 'Azure MCP/extension_cli_generate' tool to create a custom role definition with the desired permissions). Use 'Azure MCP/extension_cli_generate' tool to generate the CLI commands needed to assign that role to the identity and use the 'Azure MCP/bicepschema' and the 'Azure MCP/get_bestpractices' tool to provide a Bicep code snippet for adding the role assignment.
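The selection step described above, sketched as an added example that is not part of the skill or of Azure tooling: it picks the built-in role that covers the requested actions with the fewest extra operations, honours notActions, and falls back to a custom role definition. The role definitions are abbreviated and constructed, the operation list is a constructed sample, and `select_role`, `max_extra` and the custom role name are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated role definitions; the real built-in roles list more entries.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"]},
}
# Constructed sample of the operation catalog, used to measure how broad a role is.
OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Authorization/roleAssignments/write",
]

def _match(patterns, action):
    # Action strings compare case-insensitively and "*" also spans "/".
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allows(role, action):
    # notActions are subtracted from actions, so a match there always wins.
    return _match(role["actions"], action) and not _match(role["notActions"], action)

def select_role(desired, max_extra=None):
    """Return ("builtin", name) or ("custom", definition) for the desired actions."""
    wanted = {a.lower() for a in desired}
    ranked = []
    for name, role in ROLES.items():
        if all(allows(role, a) for a in desired):
            extra = sum(allows(role, op) and op.lower() not in wanted
                        for op in OPERATIONS)
            ranked.append((extra, name))
    if ranked and (max_extra is None or min(ranked)[0] <= max_extra):
        return ("builtin", min(ranked)[1])
    # No built-in role fits: emit a definition for `az role definition create`.
    return ("custom", {"Name": "custom-role-placeholder", "IsCustom": True,
                       "Description": "Generated from the requested actions.",
                       "Actions": sorted(desired), "NotActions": [],
                       "AssignableScopes": ["/subscriptions/<subscription-id>"]})
```

Passing `max_extra=0` models the "but nothing else" request from the example prompts: any built-in role that grants an operation beyond the requested ones is rejected in favour of a custom definition.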