Helps users find the right Azure RBAC role for an identity with least privilege access, then generate CLI commands and Bicep code to assign it. Also provides guidance on permissions required to grant roles. WHEN: bicep for role assignment, what role should I assign, least privilege role, RBAC role for, role to read blobs, role for managed identity, custom role definition, assign role to identity, what role do I need to grant access, permissions to assign roles.
64
75%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugin/skills/azure-rbac/SKILL.md
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities (finding RBAC roles, generating CLI/Bicep code, permissions guidance) and provides an explicit WHEN clause with extensive, natural trigger terms. The description is well-scoped to a distinct domain (Azure RBAC) and covers multiple user phrasings, making it highly effective for skill selection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists multiple specific concrete actions: finding the right Azure RBAC role, generating CLI commands, generating Bicep code for role assignment, and providing guidance on permissions required to grant roles. | 3 / 3 |
| Completeness | Clearly answers both 'what' (find RBAC roles with least privilege, generate CLI commands and Bicep code, provide permissions guidance) and 'when' (explicit WHEN clause with multiple trigger phrases covering various user scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would actually say: 'bicep for role assignment', 'what role should I assign', 'least privilege role', 'RBAC role for', 'role to read blobs', 'role for managed identity', 'custom role definition', 'assign role to identity', 'what role do I need to grant access', 'permissions to assign roles'. These cover many natural phrasings. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche: Azure RBAC role assignment with Bicep/CLI generation. The specific domain (Azure RBAC, managed identity, Bicep code) and detailed trigger terms make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable high-level workflow for Azure RBAC role assignment using specific tools, and includes useful prerequisite information. However, it lacks concrete examples (sample CLI output, Bicep snippets, example role lookups), explicit step sequencing with numbered steps, and validation checkpoints for what is a security-sensitive operation. The content reads more as a description of what to do rather than actionable, copy-paste-ready guidance.
Suggestions
Add a numbered step-by-step workflow with explicit validation checkpoints (e.g., 'Confirm the identified role has minimal necessary permissions before proceeding to assignment').
Include at least one concrete example showing a sample role lookup, the resulting CLI command, and the corresponding Bicep snippet so Claude has a clear pattern to follow.
Add example tool invocations with sample inputs to make the guidance more actionable rather than descriptive.
Consider adding a verification step after role assignment (e.g., checking the assignment was applied correctly) to improve workflow safety for this security-sensitive operation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient but includes some unnecessary explanation (e.g., 'The most common roles with this permission are' is slightly verbose). The prerequisites section is useful but could be tighter. Overall reasonably lean. | 2 / 3 |
| Actionability | The skill references specific tools (azure__documentation, azure__extension_cli_generate, azure__bicepschema, azure__get_azure_bestpractices) which gives concrete guidance on what to invoke, but provides no example inputs/outputs, no sample CLI commands, no sample Bicep snippets, and no concrete code. It describes a process rather than providing executable examples. | 2 / 3 |
| Workflow Clarity | There is a clear implicit sequence (find role → generate CLI → generate Bicep), but steps are not explicitly numbered or sequenced, and there are no validation checkpoints (e.g., confirming the role matches before proceeding to assignment, verifying the Bicep output is valid). For a multi-step process involving role assignments (which can be security-sensitive), validation steps are missing. | 2 / 3 |
| Progressive Disclosure | The content has a section for prerequisites which is a reasonable structural choice, but everything is in a single file with no references to supporting materials. The inline prerequisites section is appropriate for its length, but the main workflow content could benefit from better structural organization (e.g., separate sections for finding roles vs. generating code). No bundle files exist to reference. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
915f809