
azure-rbac

Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.

80

Quality: 75% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./.github/plugins/azure-skills/skills/azure-rbac/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly articulates specific capabilities (finding RBAC roles, generating CLI/Bicep code, permissions guidance) and provides an explicit WHEN clause with extensive, natural trigger terms. The description is well-scoped to a distinct niche (Azure RBAC role assignment) and covers a wide variety of user phrasings that would naturally lead to this skill being selected.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: finding the right Azure RBAC role, generating CLI commands, generating Bicep code for role assignment, and providing guidance on permissions required to grant roles. | 3 / 3 |
| Completeness | Clearly answers both 'what' (find the right Azure RBAC role, generate CLI commands and Bicep code, provide permissions guidance) and 'when' (explicit WHEN clause with multiple trigger phrases covering various user scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'bicep for role assignment', 'what role should I assign', 'least privilege role', 'RBAC role for', 'role to read blobs', 'role for managed identity', 'custom role definition', 'assign role to identity', 'permissions to assign roles'. These are highly natural phrases a user would actually type. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Azure RBAC role assignment with Bicep/CLI generation. The combination of Azure RBAC, least privilege, Bicep code, and role assignment creates a clear, unique domain unlikely to conflict with general Azure or general IAM skills. | 3 / 3 |

Total: 12 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable high-level workflow for Azure RBAC role assignment using specific tools, which is valuable. However, it lacks concrete examples (sample tool invocations, example Bicep output, example CLI commands), explicit step numbering with validation checkpoints, and assumes Claude needs to be told about common roles like Owner and User Access Administrator. The actionability would improve significantly with example inputs and expected outputs.

Suggestions

Add numbered workflow steps with explicit validation checkpoints (e.g., 'Confirm with user that the identified role matches their intent before generating CLI/Bicep')

Include a concrete example showing a sample tool invocation and expected output (e.g., finding the 'Storage Blob Data Reader' role and generating the corresponding Bicep snippet)

Remove or condense the explanation of Owner and User Access Administrator roles—Claude already knows these; just list the required permission `Microsoft.Authorization/roleAssignments/write` and the recommended role name

Add a conditional branch for when the user doesn't specify a scope or identity type, since those are required for role assignment generation

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Mostly efficient but includes some unnecessary explanation (e.g., describing what User Access Administrator and Owner roles are is something Claude already knows). The prerequisites section is useful but slightly verbose. | 2 / 3 |
| Actionability | It names specific tools to use (azure__documentation, azure__extension_cli_generate, azure__bicepschema, azure__get_azure_bestpractices) which is concrete, but provides no example inputs/outputs, no sample CLI commands, no sample Bicep snippets, and no executable code. The guidance is tool-referencing but not copy-paste ready. | 2 / 3 |
| Workflow Clarity | There is an implicit sequence (find role → generate CLI → generate Bicep), but steps are not explicitly numbered, there are no validation checkpoints (e.g., confirming the role matches before proceeding), and no error recovery or feedback loops for when no built-in role matches. | 2 / 3 |
| Progressive Disclosure | The content is short enough that a monolithic format is acceptable, but the prerequisites section is inline rather than clearly separated, and there are no references to external files for advanced scenarios like custom role definitions or complex multi-scope assignments. | 2 / 3 |

Total: 8 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: microsoft/azure-skills
Reviewed
