
Commit 3e6d058

Merge pull request #313829 from rolyon/rolyon-abac-role-assignments-delete-feedback
[Azure RBAC] ABAC conditions and deleting role assignments
2 parents 36c79a6 + a0dcfec commit 3e6d058

4 files changed

Lines changed: 35 additions & 16 deletions


articles/role-based-access-control/conditions-authorization-actions-attributes.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ manager: pmwongera
66
ms.service: role-based-access-control
77
ms.subservice: conditions
88
ms.topic: reference
9-
ms.date: 04/15/2024
9+
ms.date: 03/30/2026
1010
ms.author: rolyon
1111
#Customer intent: As a dev, devops, or it admin, I want to
1212
---
@@ -19,6 +19,8 @@ This section lists the supported authorization actions you can target for condit
1919

2020
### Create or update role assignments
2121

22+
Target this action to control permissions for creating or updating role assignments. This action applies to both adding new role assignments and updating existing role assignments.
23+
2224
> [!div class="mx-tdCol2BreakAll"]
2325
> | Property | Value |
2426
> | --- | --- |
@@ -31,6 +33,8 @@ This section lists the supported authorization actions you can target for condit
3133
3234
### Delete a role assignment
3335

36+
Target this action to control permissions for deleting role assignments. This action applies to removing existing role assignments.
37+
3438
> [!div class="mx-tdCol2BreakAll"]
3539
> | Property | Value |
3640
> | --- | --- |
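Review bot: the second sentence of the new paragraph under "### Delete a role assignment" only restates the first ("control permissions for deleting role assignments" followed by "applies to removing existing role assignments"). The parallel paragraph added for create/update earns its second sentence by distinguishing adding from updating; there is no second case here, so either drop the sentence or use it to say what the reader still needs, for example that this is the action evaluated when a delegate removes an assignment regardless of who created it.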

articles/role-based-access-control/delegate-role-assignments-overview.md

Lines changed: 18 additions & 7 deletions
@@ -6,7 +6,7 @@ manager: pmwongera
66
ms.service: role-based-access-control
77
ms.subservice: conditions
88
ms.topic: how-to
9-
ms.date: 08/29/2024
9+
ms.date: 03/30/2026
1010
ms.author: rolyon
1111
#Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
1212
---
@@ -30,12 +30,12 @@ Here are some reasons why you might want to delegate role assignment management
3030

3131
## How you currently can delegate role assignment management
3232

33-
The [Owner](built-in-roles.md#owner) and [User Access Administrator](built-in-roles.md#user-access-administrator) roles are built-in roles that allow users to create role assignments. Members of these roles can decide who can have write, read, and delete permissions for any resource in a subscription. To delegate role assignment management to another user, you can assign the Owner or User Access Administrator role to a user.
33+
The [Owner](built-in-roles.md#owner) and [User Access Administrator](built-in-roles.md#user-access-administrator) roles are built-in roles that allow users to create or delete role assignments. Members of these roles can decide who can have write, read, and delete permissions for any resource in a subscription. To delegate role assignment management to another user, you can assign the Owner or User Access Administrator role to a user.
3434

3535
The following diagram shows how Alice can delegate role assignment responsibilities to Dara. For specific steps, see [Assign a user as an administrator of an Azure subscription](/azure/role-based-access-control/role-assignments-portal-subscription-admin).
3636

3737
1. Alice assigns the User Access Administrator role to Dara.
38-
1. Dara can now assign any role to any user, group, or service principal at the same scope.
38+
1. Dara can now add (or remove) any role assignment for any user, group, or service principal at the same scope.
3939

4040
:::image type="content" source="./media/delegate-role-assignments-overview/delegate-role-assignments-steps.png" alt-text="Diagram that shows an example where Dara can assign any role to any user." lightbox="./media/delegate-role-assignments-overview/delegate-role-assignments-steps.png":::
4141

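Review bot: the image alt-text in the trailing context of this hunk (`alt-text="Diagram that shows an example where Dara can assign any role to any user."`) still describes assignment only, while the step directly above was changed to "Dara can now add (or remove) any role assignment for any user, group, or service principal". Update the alt-text to match, for example "Diagram that shows an example where Dara can add or remove any role assignment for any user."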
@@ -51,7 +51,7 @@ Instead of assigning the Owner or User Access Administrator roles, a more secure
5151

5252
## A more secure method: Delegate role assignment management with conditions
5353

54-
Delegating role assignment management with conditions is a way to restrict the role assignments a user can create. In the preceding example, Alice can allow Dara to create some role assignments on her behalf, but not all role assignments. For example, Alice can constrain the roles that Dara can assign and constrain the principals that Dara can assign roles to. This delegation with conditions is sometimes referred to as *constrained delegation* and is implemented using [Azure attribute-based access control (Azure ABAC) conditions](conditions-overview.md).
54+
Delegating role assignment management with conditions is a way to restrict the role assignments a user can create or delete. In the preceding example, Alice can allow Dara to create (or delete) some role assignments on her behalf, but not all role assignments. For example, Alice can constrain the roles that Dara can assign, constrain the principals that Dara can assign roles to, and constrain the role assignments Dara can remove. This delegation with conditions is sometimes referred to as *constrained delegation* and is implemented using [Azure attribute-based access control (Azure ABAC) conditions](conditions-overview.md).
5555

5656
This video provides an overview of delegating role assignment management with conditions.
5757

@@ -62,17 +62,19 @@ This video provides an overview of delegating role assignment management with co
6262
Here are some reasons why delegating role assignment management to others with conditions is more secure:
6363

6464
- You can restrict the role assignments the delegate is allowed to create.
65+
- You can restrict the role assignments the delegate is allowed to delete.
6566
- You can prevent a delegate from allowing another user to assign roles.
6667
- You can enforce compliance of your organization's policies of least privilege.
6768
- You can automate the management of Azure resources without having to grant full permissions to a service account.
6869

6970
## Conditions example
7071

71-
Consider an example where Alice is an administrator with the User Access Administrator role for a subscription. Alice wants to grant Dara the ability to assign specific roles for specific groups. Alice doesn't want Dara to have any other role assignment permissions. The following diagram shows how Alice can delegate role assignment responsibilities to Dara with conditions.
72+
Consider an example where Alice is an administrator with the User Access Administrator role for a subscription. Alice wants to grant Dara the ability to assign specific roles for specific groups and remove specific role assignments. Alice doesn't want Dara to have any other role assignment permissions. The following diagram shows how Alice can delegate role assignment responsibilities to Dara with conditions.
7273

73-
1. Alice assigns the Role Based Access Control Administrator role to Dara. Alice adds conditions so that Dara can only assign the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
74-
1. Dara can now assign the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
74+
1. Alice assigns the Role Based Access Control Administrator role to Dara. Alice adds conditions so that Dara can only add (or remove) Backup Contributor or Backup Reader role assignments to the Marketing and Sales groups.
75+
1. Dara can now add (or remove) Backup Contributor or Backup Reader role assignments to the Marketing and Sales groups.
7576
1. If Dara attempts to assign other roles or assign any roles to different principals (such as a user or managed identity), the role assignment fails.
77+
1. If Dara attempts to remove other role assignments or remove any role assignments from different principals (such as a user or managed identity), the removal fails.
7678

7779
:::image type="content" source="./media/delegate-role-assignments-overview/delegate-role-assignments-conditions-steps.png" alt-text="Diagram that shows an example where Dara can only assign the Backup Contributor or Backup Reader roles to Marketing or Sales groups." lightbox="./media/delegate-role-assignments-overview/delegate-role-assignments-conditions-steps.png":::
7880

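Review bot: the alt-text in the trailing context (`Diagram that shows an example where Dara can only assign the Backup Contributor or Backup Reader roles to Marketing or Sales groups.`) was not updated for the removal case that the two new steps now describe. Also, in the rewritten steps 1 and 2, "add (or remove) Backup Contributor or Backup Reader role assignments to the Marketing and Sales groups" does not read well for the remove case; "role assignments for the Marketing and Sales groups" covers both actions.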
@@ -91,18 +93,26 @@ Here are the ways that role assignments can be constrained with conditions. You
9193

9294
- Constrain the **roles** that can be assigned
9395

96+
In this example, Dara can only assign (or remove) the Backup Contributor or Backup Reader roles.
97+
9498
:::image type="content" source="./media/shared/roles-constrained.png" alt-text="Diagram of role assignments constrained to Backup Contributor and Backup Reader roles." lightbox="./media/shared/roles-constrained.png":::
9599

96100
- Constrain the **roles** and **types of principals** (users, groups, or service principals) that can be assigned roles
97101

102+
In this example, Dara can only assign (or remove) the Backup Contributor or Backup Reader roles to user or group principal types.
103+
98104
:::image type="content" source="./media/shared/principal-types-constrained.png" alt-text="Diagram of role assignments constrained to Backup Contributor or Backup Reader roles and user or group principal types." lightbox="./media/shared/principal-types-constrained.png":::
99105

100106
- Constrain the **roles** and **specific principals** that can be assigned roles
101107

108+
In this example, Dara can only assign (or remove) the Backup Contributor or Backup Reader roles to the Marketing and Sales groups.
109+
102110
:::image type="content" source="./media/shared/groups-constrained.png" alt-text="Diagram of role assignments constrained to Backup Contributor or Backup Reader roles and specific groups." lightbox="./media/shared/groups-constrained.png":::
103111

104112
- Specify different conditions for the add and remove **role assignment actions**
105113

114+
In this example, Dara can only assign the Backup Contributor or Backup Reader roles. Dara can remove any role assignments.
115+
106116
:::image type="content" source="./media/shared/actions-constrained.png" alt-text="Diagram of add and remove role assignments constrained to Backup Contributor or Backup Reader roles." lightbox="./media/shared/actions-constrained.png":::
107117

108118
## How to delegate role assignment management with conditions
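Review bot: the new example text under "Specify different conditions for the add and remove **role assignment actions**" ends with "Dara can remove any role assignments" and stops there. Since "any" means every assignment in scope, including assignments that were never created under this delegation, a one-line caution that this is the least restrictive of the four patterns (or a pointer to the matching example in delegate-role-assignments-examples.md) would keep readers from choosing it by accident when they only wanted symmetric add/remove constraints.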
@@ -112,6 +122,7 @@ To delegate role assignment management with conditions, you assign roles as you
112122
1. Determine the permissions the delegate needs
113123

114124
- What roles can the delegate assign?
125+
- What role assignments can the delegate remove?
115126
- What types of principals can the delegate assign roles to?
116127
- Which principals can the delegate assign roles to?
117128
- Can delegate remove any role assignments?
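Review bot: the new bullet "What role assignments can the delegate remove?" overlaps with the existing "Can delegate remove any role assignments?" three lines below, which this hunk leaves in place. The companion hunk in delegate-role-assignments-portal.md removes that older bullet, so the two articles now present different question lists; remove it here as well (it is also missing the article: "Can the delegate").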

articles/role-based-access-control/delegate-role-assignments-portal.md

Lines changed: 10 additions & 7 deletions
@@ -6,7 +6,7 @@ manager: pmwongera
66
ms.service: role-based-access-control
77
ms.subservice: conditions
88
ms.topic: how-to
9-
ms.date: 04/15/2024
9+
ms.date: 03/30/2026
1010
ms.author: rolyon
1111
#Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
1212
---
@@ -15,7 +15,7 @@ ms.author: rolyon
1515

1616
As an administrator, you might get several requests to grant access to Azure resources that you want to delegate to someone else. You could assign a user the [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator) roles, but these are highly privileged roles. This article describes a more secure way to [delegate role assignment management](delegate-role-assignments-overview.md) to other users in your organization, but add restrictions for those role assignments. For example, you can constrain the roles that can be assigned or constrain the principals the roles can be assigned to.
1717

18-
The following diagram shows how a delegate with conditions can only assign the Backup Contributor or Backup Reader roles to only the Marketing or Sales groups.
18+
The following diagram shows how a delegate with conditions can only assign (or remove) the Backup Contributor or Backup Reader roles to only the Marketing or Sales groups.
1919

2020
:::image type="content" source="./media/delegate-role-assignments-portal/delegate-role-assignments.png" alt-text="Diagram that shows an administrator delegating role assignment management with conditions." lightbox="./media/delegate-role-assignments-portal/delegate-role-assignments.png":::
2121

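Review bot: the rewritten sentence now reads "can only assign (or remove) the Backup Contributor or Backup Reader roles to only the Marketing or Sales groups": "only" appears twice, and "remove ... roles to ... groups" does not parse. Suggest "can only add or remove Backup Contributor or Backup Reader role assignments for the Marketing or Sales groups", which matches the wording used in the overview article edited by this same PR.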
@@ -28,12 +28,15 @@ The following diagram shows how a delegate with conditions can only assign the B
2828
To help determine the permissions the delegate needs, answer the following questions:
2929

3030
- What roles can the delegate assign?
31+
- What role assignments can the delegate remove?
3132
- What types of principals can the delegate assign roles to?
3233
- Which principals can the delegate assign roles to?
33-
- Can delegate remove any role assignments?
3434

3535
Once you know the permissions that delegate needs, you use the following steps to add a condition to the delegate's role assignment. For example conditions, see [Examples to delegate Azure role assignment management with conditions](delegate-role-assignments-examples.md).
3636

37+
> [!NOTE]
38+
> The conditions you add in these steps apply to assigning specific roles, but they also typically apply to removing role assignments for those same roles.
39+
3740
## Step 2: Start a new role assignment
3841

3942
1. Sign in to the [Azure portal](https://portal.azure.com).
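Review bot: "typically" in the new `[!NOTE]` leaves the reader guessing when an add condition does not also cover removal. The overview article in this PR lists "Specify different conditions for the add and remove role assignment actions" as a supported pattern, so the note can state the rule instead: the condition also applies to removing assignments for the same roles unless a separate condition is written for the delete action. As written, an administrator could assume removal is constrained when it is not, which is the gap the note is meant to close.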
@@ -70,10 +73,10 @@ There are two ways that you can add a condition. You can use a condition templat
7073

7174
| Condition template | Select this template to |
7275
| --- | --- |
73-
| Constrain roles | Allow user to only assign roles you select |
74-
| Constrain roles and principal types | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principal types you select (users, groups, or service principals) |
75-
| Constrain roles and principals | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principals you select |
76-
| Allow all except specific roles | Allow user to assign all roles except the roles you select |
76+
| [Constrain roles](delegate-role-assignments-examples.md#example-constrain-roles) | Allow user to only assign roles you select<br/>Allow user to only remove role assignments for the selected roles |
77+
| [Constrain roles and principal types](delegate-role-assignments-examples.md#example-constrain-roles-and-principal-types) | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principal types you select (users, groups, or service principals)<br/>Allow user to only remove role assignments for the selected roles and principal types |
78+
| [Constrain roles and principals](delegate-role-assignments-examples.md#example-constrain-roles-and-specific-groups) | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principals you select<br/>Allow user to only remove role assignments for the selected roles and principals |
79+
| Allow all except specific roles | Allow user to assign all roles except the roles you select<br/>Allow user to remove role assignments for all roles except the selected roles |
7780

7881
1. In the configure pane, add the required configurations.
7982

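Review bot: in the rewritten template table, "Allow all except specific roles" is the only row without a link to its example in delegate-role-assignments-examples.md, while the three rows above it gained links in this hunk. If that article has a matching section, link it for consistency; if it does not, the missing example is worth adding in a follow-up since this is the template whose remove behaviour ("remove role assignments for all roles except the selected roles") is broadest.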
articles/role-based-access-control/whats-new.md

Lines changed: 2 additions & 1 deletion
@@ -5,7 +5,7 @@ author: rolyon
55
manager: pmwongera
66
ms.service: role-based-access-control
77
ms.topic: whats-new
8-
ms.date: 03/08/2026
8+
ms.date: 03/30/2026
99
ms.author: rolyon
1010

1111
---
@@ -18,6 +18,7 @@ This article provides information about new features and documentation improveme
1818

1919
| Date | Area | Description |
2020
| --- | --- | --- |
21+
| March 2026 | ABAC conditions | Added clarifications for conditions and deleting role assignments. See [Delegate Azure role assignment management to others with conditions](delegate-role-assignments-portal.md), [Delegate Azure access management to others](delegate-role-assignments-overview.md), and [Authorization actions and attributes](conditions-authorization-actions-attributes.md). |
2122
| March 2026 | Roles | Added [Compute Limit Operator](./built-in-roles/compute.md#compute-limit-operator) role. |
2223
| February 2026 | Roles and permissions | Updated permissions for several roles and resource providers. See [Azure built-in roles](built-in-roles.md) and [Azure permissions](resource-provider-operations.md). |
2324
| February 2026 | Classic administrators | Update steps to reflect that Azure Resource Graph will no longer list classic administrators. See [Azure classic subscription administrators](classic-administrators.md). |
