Role-based access control for Azure Batch service

Azure Batch supports a set of built-in Azure roles that provide different levels of permissions to an Azure Batch account. By using Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources, you can assign specific permissions to users, service principals, or other identities that need to interact with your Batch account. You can also assign custom roles with fine-grained permissions tailored to your specific scenario.

Note

All RBAC roles (both built-in and custom) apply to identities authenticated by Microsoft Entra ID, not to the Batch shared key credentials. The Batch shared key credentials grant full permission to the Batch account.

Assign Azure RBAC

Follow these steps to assign an Azure RBAC role to a user, group, service principal, or managed identity. For detailed steps, see Assign Azure roles by using the Azure portal.

  1. In the Azure portal, navigate to your specific Batch account.

    Tip

    You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. To do this, select the desired scope level and then navigate to the desired item; for example, select Resource groups and then navigate to a specific resource group.

  2. Select Access control (IAM) from the left navigation.

  3. On the Access control (IAM) page, select Add role assignment.

  4. On the Add role assignment page, select the Role tab, and then select one of the Azure Batch built-in RBAC roles.

  5. Select the Members tab, and select Select members under Members.

  6. On the Select members screen, search for and select a user, group, service principal, or managed identity, and then select Select.

    Note

    When configuring an application to authenticate to Azure Batch with a service principal, search for and select your application here to configure its access to and permissions on the Azure Batch account.

  7. Select Review + assign on the Add role assignment page.

The target identity should now appear on the Role assignments tab of the Batch account's Access control (IAM) page.

Azure Batch built-in RBAC roles

Azure Batch provides predefined roles that address common user scenarios, so that an appropriate level of access to an Azure Batch account can be assigned efficiently to an identity for its specific duty.

Built-in role | Description | ID
Azure Batch Account Contributor | Grants full access to manage all Batch resources, including Batch accounts, pools, and jobs. | 29fe4964-1e60-436b-bd3a-77fd4c178b3c
Azure Batch Account Reader | Lets you view all resources including pools and jobs in the Batch account. | 11076f67-66f6-4be0-8f6b-f0609fd05cc9
Azure Batch Data Contributor | Grants permissions to manage Batch pools and jobs but not to modify accounts. | 6aaa78f1-f7de-44ca-8722-c64a23943cae
Azure Batch Job Submitter | Lets you submit and manage jobs in the Batch account. | 48e5e92e-a480-4e71-aa9c-2778f4c13781
The following permissions are compared across the four built-in roles (Azure Batch Account Contributor, Azure Batch Account Reader, Azure Batch Data Contributor, and Azure Batch Job Submitter); the exact operations each role grants are listed in the role definitions that follow:

  • List Batch accounts or view properties of a Batch account
  • Create, update or delete a Batch account
  • List access keys for a Batch account
  • Regenerate access keys for a Batch account
  • List or view properties of applications and application packages on a Batch account
  • Create, update or delete applications and application packages on a Batch account
  • List or view properties of certificates on a Batch account
  • Create, update or delete certificates on a Batch account
  • List or view properties of pools on a Batch account
  • Create, update or delete pools on a Batch account
  • List or view properties of jobs on a Batch account
  • Create, update or delete jobs on a Batch account
  • List or view properties of job schedules on a Batch account
  • Create, update or delete job schedules on a Batch account

Warning

The Batch account certificate feature has been retired.

Azure Batch Account Contributor

Grants full access to manage all Batch resources, including Batch accounts, pools, and jobs.

Actions | Description
Microsoft.Authorization/*/read | Read roles and role assignments.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert.
Microsoft.Resources/deployments/* | Create and manage a deployment.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Batch/batchAccounts/* |

NotActions: none

DataActions | Description
Microsoft.Batch/batchAccounts/* |

NotDataActions: none
{
    "assignableScopes": [
        "/"
    ],
    "description": "Grants full access to manage all Batch resources, including Batch accounts, pools and jobs.",
    "id": "/providers/Microsoft.Authorization/roleDefinitions/29fe4964-1e60-436b-bd3a-77fd4c178b3c",
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Batch/batchAccounts/*",
                "Microsoft.Insights/alertRules/*",
                "Microsoft.Resources/deployments/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read"
            ],
            "dataActions": [
                "Microsoft.Batch/batchAccounts/*"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Azure Batch Account Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Batch Account Reader

Lets you view all resources including pools and jobs in the Batch account.

Actions | Description
Microsoft.Batch/batchAccounts/read | Lists Batch accounts or gets the properties of a Batch account.
Microsoft.Batch/batchAccounts/*/read | View all resources in the Batch account.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: none

DataActions | Description
Microsoft.Batch/batchAccounts/*/read | View all resources in the Batch account.

NotDataActions: none
{
    "assignableScopes": [
        "/"
    ],
    "description": "Lets you view all resources including pools and jobs in the Batch account.",
    "id": "/providers/Microsoft.Authorization/roleDefinitions/11076f67-66f6-4be0-8f6b-f0609fd05cc9",
    "permissions": [
        {
            "actions": [
                "Microsoft.Batch/batchAccounts/read",
                "Microsoft.Batch/batchAccounts/*/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read"
            ],
            "dataActions": [
                "Microsoft.Batch/batchAccounts/*/read"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Azure Batch Account Reader",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Batch Data Contributor

Grants permissions to manage Batch pools and jobs but not to modify accounts.

Actions | Description
Microsoft.Authorization/*/read | Read roles and role assignments.
Microsoft.Batch/batchAccounts/read | Lists Batch accounts or gets the properties of a Batch account.
Microsoft.Batch/batchAccounts/applications/* | Create and manage applications and application packages on a Batch account.
Microsoft.Batch/batchAccounts/certificates/* | Create and manage certificates on a Batch account.
Microsoft.Batch/batchAccounts/certificateOperationResults/* | Gets the results of a long running certificate operation on a Batch account.
Microsoft.Batch/batchAccounts/pools/* | Create and manage pools on a Batch account.
Microsoft.Batch/batchAccounts/poolOperationResults/* | Gets the results of a long running pool operation on a Batch account.
Microsoft.Batch/locations/*/read | Get Batch account operation result, Batch quota, or supported VM sizes at the given location.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert.
Microsoft.Resources/deployments/* | Create and manage a deployment.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: none

DataActions | Description
Microsoft.Batch/batchAccounts/jobSchedules/* | Create and manage job schedules on a Batch account.
Microsoft.Batch/batchAccounts/jobs/* | Create and manage jobs on a Batch account.

NotDataActions: none
{
    "assignableScopes": [
        "/"
    ],
    "description": "Grants permissions to manage Batch pools and jobs but not to modify accounts.",
    "id": "/providers/Microsoft.Authorization/roleDefinitions/6aaa78f1-f7de-44ca-8722-c64a23943cae",
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Batch/batchAccounts/read",
                "Microsoft.Batch/batchAccounts/applications/*",
                "Microsoft.Batch/batchAccounts/certificates/*",
                "Microsoft.Batch/batchAccounts/certificateOperationResults/*",
                "Microsoft.Batch/batchAccounts/pools/*",
                "Microsoft.Batch/batchAccounts/poolOperationResults/*",
                "Microsoft.Batch/locations/*/read",
                "Microsoft.Insights/alertRules/*",
                "Microsoft.Resources/deployments/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read"
            ],
            "dataActions": [
                "Microsoft.Batch/batchAccounts/jobSchedules/*",
                "Microsoft.Batch/batchAccounts/jobs/*"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Azure Batch Data Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Batch Job Submitter

Lets you submit and manage jobs in the Batch account.

Actions | Description
Microsoft.Batch/batchAccounts/applications/read | Lists applications or gets the properties of an application.
Microsoft.Batch/batchAccounts/applications/versions/read | Gets the properties of an application package.
Microsoft.Batch/batchAccounts/pools/read | Lists pools on a Batch account or gets the properties of a pool.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: none

DataActions | Description
Microsoft.Batch/batchAccounts/jobSchedules/* | Create and manage job schedules on a Batch account.
Microsoft.Batch/batchAccounts/jobs/* | Create and manage jobs on a Batch account.

NotDataActions: none
{
    "assignableScopes": [
        "/"
    ],
    "description": "Lets you submit and manage jobs in the Batch account.",
    "id": "/providers/Microsoft.Authorization/roleDefinitions/48e5e92e-a480-4e71-aa9c-2778f4c13781",
    "permissions": [
        {
            "actions": [
                "Microsoft.Batch/batchAccounts/applications/read",
                "Microsoft.Batch/batchAccounts/applications/versions/read",
                "Microsoft.Batch/batchAccounts/pools/read",
                "Microsoft.Insights/alertRules/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read"
            ],
            "dataActions": [
                "Microsoft.Batch/batchAccounts/jobSchedules/*",
                "Microsoft.Batch/batchAccounts/jobs/*"
            ],
            "notActions": [],
            "notDataActions": []
        }
    ],
    "roleName": "Azure Batch Job Submitter",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
}

Assign a custom role

If the Azure Batch built-in roles don't meet your needs, you can use Azure custom roles to grant granular permissions to a user for submitting jobs, tasks, and more. A custom role can grant or deny permissions to a Microsoft Entra identity for the following Azure Batch RBAC operations.

  • Microsoft.Batch/batchAccounts/pools/write
  • Microsoft.Batch/batchAccounts/pools/delete
  • Microsoft.Batch/batchAccounts/pools/read
  • Microsoft.Batch/batchAccounts/jobSchedules/write
  • Microsoft.Batch/batchAccounts/jobSchedules/delete
  • Microsoft.Batch/batchAccounts/jobSchedules/read
  • Microsoft.Batch/batchAccounts/jobs/write
  • Microsoft.Batch/batchAccounts/jobs/delete
  • Microsoft.Batch/batchAccounts/jobs/read
  • Microsoft.Batch/batchAccounts/certificates/write
  • Microsoft.Batch/batchAccounts/certificates/delete
  • Microsoft.Batch/batchAccounts/certificates/read
  • Microsoft.Batch/batchAccounts/applications/write
  • Microsoft.Batch/batchAccounts/applications/delete
  • Microsoft.Batch/batchAccounts/applications/read
  • Microsoft.Batch/batchAccounts/applications/versions/write
  • Microsoft.Batch/batchAccounts/applications/versions/delete
  • Microsoft.Batch/batchAccounts/applications/versions/read
  • Microsoft.Batch/batchAccounts/read, for any read operation
  • Microsoft.Batch/batchAccounts/listKeys/action, for any operation

Tip

Jobs that use autopool require pool-level write permissions.

Note

Certain operations need to be specified in the actions field, whereas others need to be specified in the dataActions field. Examine both actions and dataActions to understand the full scope of capabilities assigned to a role. For more information, see Azure resource provider operations.

The following example shows an Azure Batch custom role definition:

{
 "properties":{
    "roleName":"Azure Batch Custom Job Submitter",
    "type":"CustomRole",
    "description":"Allows a user to submit autopool jobs to Azure Batch",
    "assignableScopes":[
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
    ],
    "permissions":[
      {
        "actions":[
          "Microsoft.Batch/*/read",
          "Microsoft.Batch/batchAccounts/pools/write",
          "Microsoft.Batch/batchAccounts/pools/delete",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*",
          "Microsoft.Insights/alertRules/*"
        ],
        "notActions":[],
        "dataActions":[
          "Microsoft.Batch/batchAccounts/jobs/*",
          "Microsoft.Batch/batchAccounts/jobSchedules/*"
        ],
        "notDataActions":[]
      }
    ]
  }
}
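As an added example (not part of Microsoft's documentation or of the Batch service), the following Python models how a role definition like the one above is evaluated offline: an operation is checked against actions or dataActions depending on its plane, notActions/notDataActions carve permissions back out, and "*" in a pattern spans any characters. The BROAD_ROLE sample and the without_key_listing helper are constructed here to show why listKeys/action deserves a look when a role uses a broad wildcard, since shared keys grant full account access as noted earlier.

```python
import re

# Constructed sample: the custom role shown on this page, reduced to its permissions
# so the example runs without calling Azure.
CUSTOM_JOB_SUBMITTER = {
    "roleName": "Azure Batch Custom Job Submitter",
    "permissions": [{
        "actions": [
            "Microsoft.Batch/*/read",
            "Microsoft.Batch/batchAccounts/pools/write",
            "Microsoft.Batch/batchAccounts/pools/delete",
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
            "Microsoft.Insights/alertRules/*",
        ],
        "notActions": [],
        "dataActions": ["Microsoft.Batch/batchAccounts/jobs/*",
                        "Microsoft.Batch/batchAccounts/jobSchedules/*"],
        "notDataActions": [],
    }],
}

# Constructed: a role built on the broad batchAccounts/* action used by Account Contributor.
BROAD_ROLE = {"roleName": "broad", "permissions": [{
    "actions": ["Microsoft.Batch/batchAccounts/*"], "notActions": [],
    "dataActions": [], "notDataActions": []}]}

def matches(pattern, operation):
    """Azure RBAC operation matching: '*' spans any characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_permitted(role, operation, data_plane=False):
    """True if the role grants `operation` on the requested plane (allow minus deny)."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    for perm in role["permissions"]:
        if (any(matches(p, operation) for p in perm.get(allow, []))
                and not any(matches(p, operation) for p in perm.get(deny, []))):
            return True
    return False

def without_key_listing(role):
    """Copy of `role` with listKeys/action carved out via notActions (hypothetical hardening)."""
    hardened = {"roleName": role["roleName"] + " (no keys)", "permissions": []}
    for perm in role["permissions"]:
        p = {k: list(v) for k, v in perm.items()}
        p["notActions"] = p.get("notActions", []) + ["Microsoft.Batch/batchAccounts/listKeys/action"]
        hardened["permissions"].append(p)
    return hardened
```

Note that the same operation name evaluates differently per plane: jobs/write is granted through dataActions but not through actions, which is the point of the note above about examining both fields.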

Next steps