
azure-rbac

Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. USE FOR: "what role should I assign", "least privilege role", "RBAC role for", "role to read blobs", "role for managed identity", "custom role definition", "assign role to identity", "what role do I need to grant access", "permissions to assign roles". DO NOT USE FOR: creating or configuring managed identities, or general Azure security hardening; those are out of scope for this role-selection skill.

Install with Tessl CLI

npx tessl i github:microsoft/github-copilot-for-azure --skill azure-rbac

85

1.06x

Does it follow best practices?

Evaluation 94%

1.06x

Agent success when using this skill

Validation for skill structure


Evaluation results

100%

Function App Storage Access Setup

Least-privilege role with CLI and Bicep output

| Criteria | Without context | With context |
| --- | --- | --- |
| Least-privilege role selected | 100% | 100% |
| Role justification given | 100% | 100% |
| CLI command present | 100% | 100% |
| CLI uses correct scope | 100% | 100% |
| CLI references managed identity | 100% | 100% |
| Bicep roleAssignment resource | 100% | 100% |
| Bicep uses roleDefinitionId | 100% | 100% |
| Bicep includes principalId | 100% | 100% |
| Does NOT recommend Owner or Contributor | 100% | 100% |

Without context: $0.1600 · 43s · 7 turns · 10 in / 2,563 out tokens

With context: $0.8481 · 2m 19s · 23 turns · 30 in / 4,692 out tokens

92%

-2%

Scoped Key Vault Audit Role

Custom role definition when no built-in role matches

| Criteria | Without context | With context |
| --- | --- | --- |
| Custom role definition created | 100% | 100% |
| Only required permissions included | 100% | 100% |
| AssignableScopes set | 100% | 100% |
| CLI create role definition command | 100% | 100% |
| CLI assign role command | 100% | 100% |
| CLI assignment references principal | 100% | 100% |
| Bicep role definition resource | 100% | 100% |
| Does NOT recommend built-in over-privileged role | 100% | 100% |
| Justification for custom role | 40% | 20% |

Without context: $0.1447 · 34s · 9 turns · 14 in / 2,076 out tokens

With context: $0.3051 · 1m 14s · 17 turns · 182 in / 4,366 out tokens

92%

22%

Onboarding a Cloud Access Manager

Role assignment prerequisites and least-privilege granting

| Criteria | Without context | With context |
| --- | --- | --- |
| Correct permission identified | 100% | 100% |
| User Access Administrator recommended | 0% | 100% |
| Least-privilege justification | 30% | 100% |
| Owner listed as alternative | 100% | 100% |
| Custom role option mentioned | 100% | 100% |
| Does NOT recommend Owner as primary | 100% | 100% |
| CLI assignment command present | 100% | 100% |
| Bicep roleAssignment snippet | 100% | 100% |
| Bicep uses correct roleDefinitionId | 0% | 0% |

Without context: $0.1811 · 1m 4s · 10 turns · 15 in / 3,692 out tokens

With context: $0.4326 · 1m 40s · 24 turns · 189 in / 5,652 out tokens

Evaluated

Agent: Claude Code

Model: Unknown
