Azure RBAC Connector Guide

The Azure RBAC connector lets Tealfabric workflows manage role assignments and user-assigned managed identities through Azure Resource Manager APIs. It is useful for governance automation, access provisioning, and identity lifecycle workflows.

Document information
FieldValue
Canonical URL/docs/04_connecting-systems/connectors/a/azure-rbac
Version (published date)2026-05-08
Tagsconnectors, reference, azure-rbac
Connector IDazure-rbac-1.0.0

Azure RBAC connector flow showing OAuth-authenticated role assignment updates, identity retrieval, and workflow-driven cloud access governance.

Configure Azure application access

Set tenant_id, client_id, client_secret, and subscription_id from your Azure app registration and subscription configuration. The service principal behind these credentials must have sufficient RBAC permissions for the operations your workflow performs.

test validates required configuration (tenant_id, client_id, client_secret, subscription_id) before requesting an access token and listing subscription role definitions. Other operations (send, receive, execute) require valid credentials at runtime but do not run full config validation up front, matching legacy connector behavior.

Use timeout_seconds for longer list or assignment tasks and run test after setup. This confirms token issuance and subscription-level API reachability before you run production access workflows.

Manage assignments and identities with send

Use send to create role assignments or create user-assigned managed identities via Azure Resource Manager endpoints. Keep request payloads explicit and include the correct roleDefinitionId, principalId, and resource scope to avoid authorization errors.

const baseUrl = "https://api.example.com/api/v1";
const tenantId = "<TENANT_ID>";
const apiKey = "<API_KEY>";

async function createRoleAssignment(integrationId: string) {
  const response = await fetch(`${baseUrl}/integrations/${encodeURIComponent(integrationId)}/execute`, {
    method: "POST",
    headers: {
      "X-API-Key": apiKey,
      "X-Tenant-ID": tenantId,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      operation: "send",
      endpoint: "subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments/<ENTITY_ID>?api-version=2022-04-01",
      method: "PUT",
      data: {
        properties: {
          roleDefinitionId: "/subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleDefinitions/<ENTITY_ID>",
          principalId: "<ENTITY_ID>",
          principalType: "ServicePrincipal"
        }
      }
    }),
  });
  if (!response.ok) throw new Error(`Request failed: ${response.status}`);
  return response.json();
}
curl -X POST "https://api.example.com/api/v1/integrations/<ENTITY_ID>/execute" \
  -H "X-API-Key: <API_KEY>" \
  -H "X-Tenant-ID: <TENANT_ID>" \
  -H "Content-Type: application/json" \
  -d '{
    "operation": "send",
    "endpoint": "subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments/<ENTITY_ID>?api-version=2022-04-01",
    "method": "PUT",
    "data": {
      "properties": {
        "roleDefinitionId": "/subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleDefinitions/<ENTITY_ID>",
        "principalId": "<ENTITY_ID>",
        "principalType": "ServicePrincipal"
      }
    }
  }'
{
  "success": true,
  "data": {
    "message": "Azure RBAC operation completed successfully",
    "result": {
      "id": "/subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments/<ENTITY_ID>",
      "type": "Microsoft.Authorization/roleAssignments"
    }
  }
}

Retrieve RBAC data with receive

Use receive to list role assignments, role definitions, or managed identity resources for governance and audit workflows. Always include api-version and filter parameters that match the Azure endpoint you call.

const baseUrl = "https://api.example.com/api/v1";
const tenantId = "<TENANT_ID>";
const apiKey = "<API_KEY>";

async function listRoleAssignments(integrationId: string) {
  const response = await fetch(`${baseUrl}/integrations/${encodeURIComponent(integrationId)}/execute`, {
    method: "POST",
    headers: {
      "X-API-Key": apiKey,
      "X-Tenant-ID": tenantId,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      operation: "receive",
      endpoint: "subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments",
      query: {
        "api-version": "2022-04-01",
        "filter": "principalId eq "<ENTITY_ID>""
      }
    }),
  });
  if (!response.ok) throw new Error(`Request failed: ${response.status}`);
  return response.json();
}
curl -X POST "https://api.example.com/api/v1/integrations/<ENTITY_ID>/execute" \
  -H "X-API-Key: <API_KEY>" \
  -H "X-Tenant-ID: <TENANT_ID>" \
  -H "Content-Type: application/json" \
  -d '{
    "operation": "receive",
    "endpoint": "subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments",
    "query": {
      "api-version": "2022-04-01",
      "$filter": "principalId eq '\''<ENTITY_ID>'\''"
    }
  }'
{
  "success": true,
  "data": {
    "message": "Azure RBAC data retrieved successfully",
    "assignment_count": 1,
    "items": [
      {
        "id": "/subscriptions/<ENTITY_ID>/providers/Microsoft.Authorization/roleAssignments/<ENTITY_ID>",
        "name": "<ENTITY_ID>",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    ]
  }
}

When the ARM response includes a value array, the connector returns that array in data.items and sets data.assignment_count to its length. Otherwise it wraps the full decoded response as a single-element items array.

Call arbitrary ARM endpoints with execute

Use execute when you need an explicit HTTP method (default GET) and optional JSON body (body or data alias). Include api-version in the endpoint query string or as a separate query parameter on receive calls.

{
  "success": true,
  "data": {
    "message": "Azure RBAC method executed successfully",
    "result": {
      "value": []
    }
  }
}

Validate connectivity with test

Use test to confirm OAuth2 client-credentials token issuance and subscription-level ARM reachability before enabling scheduled automations. The probe lists role definitions under subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions.

{
  "success": true,
  "data": {
    "message": "Azure RBAC connection test successful",
    "details": {
      "tenant_id": "<TENANT_ID>",
      "subscription_id": "<ENTITY_ID>",
      "role_definitions_found": 42
    }
  }
}

Reliability and security guidance

Most failures are caused by missing service principal permissions, invalid identifiers, or Azure API throttling (429). Validate RBAC role grants for the app registration and apply retry with backoff for temporary throttling responses.

For secure operations, follow least-privilege RBAC assignment and audit changes through Azure Activity Logs. This helps keep access governance automation safe and traceable.

Additional resources