Roles and permissions

Learn how to manage access to recommendations and reviews for your organization.

Roles and associated access

Advisor uses the built-in roles provided by Azure role-based access control (Azure RBAC).

Review the following section to learn more about each role and the associated access.

Roles to view, dismiss, and postpone recommendations

Role View recommendations Dismiss and postpone recommendations
Subscription Reader X
Subscription Contributor X X
Subscription Owner X X
Resource group Reader X
Resource group Contributor X X
Resource group Owner X X
Resource Reader X
Resource Contributor X X
Resource Owner X X

Roles to edit rules and configurations

Role Edit rules Edit subscription configuration Edit resource group configuration
Subscription Contributor X X X
Subscription Owner X X X
Resource group Contributor X
Resource group Owner X

Note

You must have access to the resource associated with the recommendation to view a recommendation.

To learn more about built-in roles, see Azure built-in roles. To learn more about Azure role-based access control (Azure RBAC), see What is Azure role-based access control (Azure RBAC)?.

Reviews and personalized recommendations

Roles to manage access to Advisor reviews

The permissions vary by role. The roles must be configured for the subscription that was used to publish the review.

Role View reviews for a workload and all recommendations associated with the reviews Triage recommendations associated with the reviews
Advisor Reviews Reader X
Advisor Reviews Contributor X X
Subscription Reader X
Subscription Contributor X X
Subscription Owner X X

Roles to manage access to Advisor personalized recommendations

The roles must be configured for the subscriptions included in the workload under a review.

Role View accepted recommendations Manage the lifecycle of a recommendation
Advisor Recommendations Contributor (Assessments and Reviews) X X
Subscription Reader X
Subscription Contributor X
Subscription Owner X

Learn how to assign an Azure role, see Steps to assign an Azure role.

View and manage assessments

Roles to view and manage assessments and associated recommendations

Manage access to Advisor Well-Architected Framework (WAF) using built-in roles. The permissions vary by role.

Role Detail
Reader View assessments for a subscription or workload and the associated recommendations.
Contributor Create assessments for a subscription or workload and manage lifecycle of the associated recommendations.

Note

The role must be configured for the relevant subscription to create the assessment and view the corresponding recommendations.

Available actions to build custom roles

If your organization requires roles that don't match the Azure built-in roles, create your own custom role. A custom role works like a built-in role and allow you to assign it to users, groups, and service principals at management group, subscription, and resource group scopes. Use the following actions to create your custom role.

Action Details
Microsoft.Advisor/generateRecommendations/action Create a Recommendation.
Microsoft.Advisor/register/action Register with the Provider.
Microsoft.Advisor/unregister/action Unregister with the Provider.
Microsoft.Advisor/advisorScore/read Gets Advisor score.
Microsoft.Advisor/configurations/read Read Configurations.
Microsoft.Advisor/configurations/write Create or update Configuration.
Microsoft.Advisor/generateRecommendations/read Get status of generateRecommendations action.
Microsoft.Advisor/metadata/read Read Metadata.
Microsoft.Advisor/operations/read Get operations.
Microsoft.Advisor/recommendations/read Read recommendations.
Microsoft.Advisor/recommendations/write Create recommendations.
Microsoft.Advisor/recommendations/available/action New recommendation is available.
Microsoft.Advisor/recommendations/suppressions/read Read Suppressions.
Microsoft.Advisor/recommendations/suppressions/write Create or update Suppressions.
Microsoft.Advisor/recommendations/suppressions/delete Delete Suppression.
Microsoft.Advisor/suppressions/read Read Suppressions.
Microsoft.Advisor/suppressions/write Create or update Suppressions.
Microsoft.Advisor/suppressions/delete Delete Suppression.
Microsoft.Advisor/assessmentTypes/read Reads AssessmentTypes.
Microsoft.Advisor/assessments/read Reads Assessments.
Microsoft.Advisor/assessments/write Create Assessments.
Microsoft.Advisor/resiliencyReviews/read Reads resiliencyReviews.
Microsoft.Advisor/triageRecommendations/read Reads triageRecommendations.
Microsoft.Advisor/triageRecommendations/approve/action Approves triageRecommendations.
Microsoft.Advisor/triageRecommendations/reject/action Rejects triageRecommendations.
Microsoft.Advisor/triageRecommendations/reset/action Resets triageRecommendations.
Microsoft.Advisor/workloads/read Reads workloads.

Note

For example, you must have a sufficient permission level for a virtual machine (VM) to view recommendations associated with the VM.

To learn more about custom roles, see Azure custom roles.

Permissions and unavailable actions

If your permission level is too low, your access to the associated action is blocked. Review common problems in the following section.

Configure subscription or resource group is blocked

When you try to configure a subscription or resource group, the option to include or exclude is blocked. The blocked status indicates that your permission level for that resource group or subscription is insufficient. To learn how to change your permission level, see Tutorial: Grant a user access to Azure resources using the Azure portal.

Postpone or dismiss is allowed, but sends an error

When you try to postpone or dismiss a recommendation, you receive an error. The error indicates that your permission level is insufficient. You must have a sufficient permission level to dismiss recommendations.

Tip

After you dismiss a recommendation, you must manually reactivate it before it is added in your list of recommendations. If you dismiss a recommendation, you may miss important advice that optimizes your Azure deployment.

To postpone or dismiss a recommendation, verify that your permission level for the resource associated with the recommendation is set to Contributor or better. To learn how to change your permission level, see Tutorial: Grant a user access to Azure resources using the Azure portal.

This article provided an overview of how Advisor uses Azure role-based access control (Azure RBAC) to control user permissions and how to resolve common problems. To learn more about Advisor, see the following articles.