This document defines an enterprise-ready RBAC (Role-Based Access Control) model for Azure AI Landing Zone. It covers personas, environments, role mappings across AI/data/hosting/security services, custom roles, automation identities, governance guardrails, and operational workflows. The model follows Least Privilege, Segregation of Duties (SoD), and Environment-Aware Access principles.
Governance Principles
- Least Privilege: Grant only the permissions required for each role.
- Segregation of Duties (SoD): Separate responsibilities for build, deploy, operate, and secure.
- Environment Guardrails:
  - Dev → open for experimentation.
  - Nonprod → controlled integration and validation.
  - Prod → no human write access; CI/CD only, with Just-in-Time (PIM) access for exceptions.
- Identity Strategy:
  - Managed Identities for workloads.
  - Service Principals for pipelines.
  - PIM for human elevation.
  - Break-glass accounts for emergencies only.
Key Benefits
- Strong security aligned to enterprise & regulatory needs.
- Clear accountability by persona and environment.
- Consistency between control-plane and data-plane access.
- Built-in operational guardrails (cost, security, compliance).
Service List
| Service | Resource Type |
|---|---|
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces |
| Azure AI Search | Microsoft.Search/searchServices |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters |
| Azure App Service (Web/Functions) | Microsoft.Web/sites |
| Azure API Management | Microsoft.ApiManagement/service |
| Azure Container Apps | Microsoft.App/containerApps |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts |
| Azure SQL (DB) | Microsoft.Sql/servers/databases |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) |
| Storage Accounts | Microsoft.Storage/storageAccounts |
Key Personas
| Persona | Key Responsibilities | Access Posture |
|---|---|---|
| Data Scientist (DS) | Explore data, experiment, train models, contribute to notebooks/pipelines. | Control-plane Reader in Prod; Contributor in Dev; limited in Nonprod. Data-plane write in lower environments. |
| Machine Learning Engineer (MLE) | Productionize training/inference pipelines, optimize compute, manage MLOps patterns. | Contributor in Dev/Nonprod for AI and hosting resources; Reader in Prod; Prod changes via CI/CD. |
| AI Engineer (AIE) | Build AI apps and services (prompt flows, APIs, embeddings, vector search), integrate models into apps. | Contributor to App/API/AI services in lower environments; Reader in Prod; uses pipeline identities for Prod deploys. |
| Machine Learning Operator (ML Operator) | Operate ML workloads: runbooks, trigger jobs, monitor health, rollback. | Limited Contributor in lower environments; Monitoring + Trigger in Prod. |
| MLOps / DevOps | Own CI/CD pipelines, infrastructure as code, promotion workflows. | Contributor in all environments via pipeline identities; human access is Reader/Monitoring except break-glass. |
| Operations (Ops) | Enterprise operations, observability, incident response, dashboards. | Monitoring Contributor in Prod; Viewer elsewhere. |
| Subscription Owner | Platform ownership, billing, policy, and overall governance. | Owner at subscription or MG scope; limited human usage, prefer ADO/Automation for changes. |
| Security & Compliance (Optional) | Policy authoring, threat protection, compliance monitoring. | Security Reader/TI roles; no data-plane write access. |
Environments & Guardrails
| Environment | Purpose | Human Access | Pipeline Access | Guardrails |
|---|---|---|---|---|
| Dev | Experimentation & rapid iteration | DS/MLE/AIE: Contributor | Full (IaC encouraged) | No PII, cost quotas, dev SKUs |
| Nonprod | Integration, pre-prod validation | MLE/AIE: Contributor; DS: Reader | Full (gates/approvals) | Policies, private endpoints, CMK where needed |
| Prod | Production workloads | Reader/Monitoring only | Full (mandatory) | PIM JIT, break-glass, Defender for Cloud, activity log alerts |
Personas vs Environments
The following table provides a heatmap of access levels across environments.
| Persona | Dev | Nonprod | Prod |
|---|---|---|---|
| Data Scientist | Full Contributor | Limited Dev | Reader Only |
| ML Engineer | Full Contributor | Contributor | Reader Only |
| AI Engineer | Contributor | Contributor | Reader Only |
| ML Operator | Limited Contributor | Limited Contributor | Monitoring + Trigger Only |
| MLOps | Viewer | Viewer | Contributor (CI/CD only) |
| Operations | None | Viewer | Monitoring Contributor |
| Subscription Owner | Owner | Owner | Owner |
This table maps resource categories to the typical roles held by each persona.
| Resource Category | Data Scientist | ML Engineer | AI Engineer | MLOps | Operations |
|---|---|---|---|---|---|
| AI Services | Contributor | Contributor | Contributor | Contributor (automation) | Reader |
| Data & Storage | Contributor (Dev/Nonprod), Reader (Prod) | Contributor | Contributor | Contributor | Reader |
| Application Hosting | Reader | Contributor | Contributor | Contributor | Reader |
| Monitoring & Security | Reader | Reader | Reader | Contributor | Contributor |
Access Intensity (Contributor = 🟢, Reader = 🟡, Restricted = 🔴)
This view restates the persona-by-environment mapping with access intensity colour-coded, so access rights can be traced from persona down to the specific Azure resources.
| Persona \ Env | Dev | Nonprod | Prod |
|---|---|---|---|
| Data Scientist | 🟢 Full Contributor | 🟡 Limited Dev | 🔴 Reader Only |
| ML Engineer | 🟢 Full Contributor | 🟢 Contributor | 🔴 Reader Only |
| ML Operator | 🟡 Limited Contributor | 🟡 Limited Contributor | 🟡 Monitoring + Trigger Only |
| MLOps | 🟡 Viewer | 🟡 Viewer | 🟢 Contributor (CI/CD only) |
| Operations | 🔴 None | 🟡 Viewer | 🟢 Monitoring Contributor |
| Subscription Owner | 🟢 Owner | 🟢 Owner | 🟢 Owner |
Access Workflows
Access request → Approval (manager + data owner) → PIM activation (JIT) → Time-bound assignment → Periodic recertification.
| Workflow | Tooling | Control |
|---|---|---|
| Role request | ITSM / Access Package (Entra ID) | Approval + auto-expiry |
| Prod deployment | ADO/GitHub Actions + Terraform/Bicep | Policy + approvals + change tickets |
| Emergency access | PIM + break-glass | Audit + post-incident review |
Role Mapping
Service-by-service RBAC matrix (by persona & environment)
Legend: L (Dev), N (NonProd), V (Prod) — apply least privilege in V with CI/CD-only changes. Where data-plane RBAC exists, use it over keys.
- Azure AI Foundry & Azure OpenAI
| Persona | Scope | Roles |
|---|---|---|
| Platform (L/N/V) | Foundry Account | Azure AI Account Owner (platform team only) [Role-based...oundry ...] |
| Project leads (L/N) | Foundry Project | Azure AI Project Manager [Role-based...oundry ...] |
| DS/MLE (L/N) | Foundry Project | Azure AI User [Role-based...oundry ...] |
| App/Service MI (L/N/V) | OpenAI resource | Cognitive Services OpenAI User (inference), or Contributor (if managing deployments) [Role-based...soft Learn] |
| FinOps/Quota (N/V) | Subscription | Cognitive Services Usages Reader (quota visibility) [Permission...ure OpenAI] |
- Azure Machine Learning (Hub/Project)
| Persona | Scope | Roles |
|---|---|---|
| DS (L/N) | AML workspace | AzureML Data Scientist; optional Compute Operator for managed compute [Azure IAM-...902_041509] |
| MLE (N/V) | AML workspace | AzureML Data Scientist + Compute Operator; Key Vault/Storage data roles as needed [Azure IAM-...902_041509] |
| MLOps (V) | RG/Workspace | Reader/Monitoring Reader/Contributor (minimal); the CI/CD principal does deployments [Azure IAM-...902_041509] |
- Azure AI Search
| Persona | Scope | Roles |
|---|---|---|
| Search admin (L/N) | Search resource | Search Service Contributor (manage service) [Connect us...soft Learn] |
| Indexer app/MI (N/V) | Search data plane | Search Index Data Contributor (index mgmt, writes) [Connect us...soft Learn] |
| Query app/MI (N/V) | Search data plane | Search Index Data Reader (queries) [Connect us...soft Learn] |
- AKS (Kubernetes)
| Persona | Scope | Roles / Guidance |
|---|---|---|
| Platform (cluster ops) | AKS resource | Contributor to manage the cluster; use Azure RBAC for Kubernetes authorization with Entra integration. [Use Azure...ervice ...] |
| Cluster admin | AKS resource | Azure Kubernetes Service Cluster Admin Role — only to retrieve admin credentials (not day-to-day). Combine with Kubernetes RBAC. [Understand...nma's Blog] |
| Developers | AKS resource + K8s | Azure Kubernetes Service Cluster User Role to fetch user credentials + Kubernetes RBAC (Role/RoleBinding) per namespace. [Access and...vice (AKS)] |
- App Service / Function Apps
| Persona | Scope | Roles |
|---|---|---|
| App team (L/N) | Web App / Function App | Contributor (resource-level); App Insights Reader for telemetry. [Azure buil...soft Learn] |
| Operators (V) | RG | Reader + Monitoring Reader; deployments via CI/CD MI only. [Azure buil...soft Learn] |
- API Management (APIM)
| Persona | Scope | Roles |
|---|---|---|
| API owner (L/N) | APIM service | API Management Service Contributor (full CRUD on entities) [How to use...Management] |
| APIM ops (V) | APIM service | API Management Service Operator (manage service infrastructure, not entities) [How to use...Management] |
| View-only | APIM service | API Management Service Reader [How to use...Management] |
- Container Apps
| Persona | Scope | Roles |
|---|---|---|
| App platform (L/N) | RG/Env | Container Apps Contributor (manage apps/jobs/environments) [Container...e34c199c0f] |
| Ops / SRE | App | Container Apps Operator (read/logstream/exec) [Container...11d331232c] |
- Cosmos DB
| Persona | Scope | Roles |
|---|---|---|
| Platform (control plane) | Cosmos account | Cosmos DB Operator (manage account, not data) / Contributor as needed [Azure buil...soft Learn] |
| App/MI (data plane) | Cosmos data | Cosmos DB Built-in Data Reader/Contributor (native data-plane RBAC). Required permission …/readMetadata. [Use data p...for NoSQL], [Data plane...DB for ...] |
Tip: Disable local (key-based) auth and use Entra + MI for the data plane. [Use data p...for NoSQL]
- Azure SQL
| Persona | Scope | Roles / Notes |
|---|---|---|
| Platform | SQL Managed Instance | SQL Managed Instance Contributor (control plane) — DB auth is separate at the SQL level. [Azure buil...soft Learn] |
| Platform | SQL server/database | SQL DB Contributor / SQL Server Contributor (control plane); DB roles handled inside SQL. [Create & m...L Database] |
- MySQL/PostgreSQL – Flexible Server
| Persona | Scope | Roles / Notes |
|---|---|---|
| Platform | MySQL/Postgres server | Use Contributor at the resource scope; database users/roles are managed inside the engine (e.g., azure_pg_admin for Postgres). There are no specialized Azure RBAC roles for MySQL/Postgres. [Role to ex...le server.], [Manage Use...soft Learn] |
Custom Roles (Samples)
- AI Booster Operations User – publish dashboards without resource modification

```json
{
  "Name": "AI Booster Operations User",
  "IsCustom": true,
  "Description": "Publish/update Azure Portal dashboards and view monitoring.",
  "Actions": [
    "Microsoft.Portal/dashboards/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Insights/*/read",
    "Microsoft.OperationalInsights/*/read"
  ],
  "NotActions": [
    "Microsoft.Resources/deployments/*",
    "Microsoft.Insights/ActionGroups/Delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```
- OpenAI Inference User – restrict to using deployed models only

```json
{
  "Name": "OpenAI Inference User",
  "IsCustom": true,
  "Description": "Allows invoke/use of OpenAI deployments without managing the resource.",
  "Actions": [
    "Microsoft.CognitiveServices/accounts/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.CognitiveServices/accounts/OpenAI/*/read",
    "Microsoft.CognitiveServices/accounts/OpenAI/*/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```
- AzureML Limited Compute Operator – operate compute, not modify workspace

```json
{
  "Name": "AzureML Limited Compute Operator",
  "IsCustom": true,
  "Description": "Operate ML compute (start/stop/attach/detach) without workspace admin actions.",
  "Actions": [
    "Microsoft.MachineLearningServices/workspaces/read",
    "Microsoft.MachineLearningServices/workspaces/computes/*/read",
    "Microsoft.MachineLearningServices/workspaces/computes/*/action"
  ],
  "NotActions": [
    "Microsoft.MachineLearningServices/workspaces/delete",
    "Microsoft.MachineLearningServices/workspaces/update"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```
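The following added example (not part of the original model) evaluates the sample custom roles the way Azure resolves them: an operation is granted when it matches an Actions entry and no NotActions entry, with `*` matching any run of characters, and it lints a role before creation. The role dicts are copies of the samples above with a placeholder `AssignableScopes`; the lint rules and the `probe` heuristic for dead exclusions are this example's own simplifications.

```python
from __future__ import annotations
import re


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' matches any characters (including '/'),
    and operation names are compared case-insensitively."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, operation.lower()) is not None


def permits(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Granted when some (Data)Actions entry matches and no Not(Data)Actions
    entry matches. NotActions only subtract; they never grant anything."""
    allow = role.get("DataActions" if data_plane else "Actions", [])
    deny = role.get("NotDataActions" if data_plane else "NotActions", [])
    return any(matches(p, operation) for p in allow) and not any(
        matches(p, operation) for p in deny
    )


def lint(role: dict) -> list[str]:
    """Findings worth raising when a custom role is reviewed before creation."""
    findings = []
    if not role.get("AssignableScopes"):
        findings.append("MISSING_ASSIGNABLE_SCOPES")  # creation fails without it
    for section in ("Actions", "DataActions"):
        for pattern in role.get(section, []):
            # '*' or '<provider>/*' is far broader than a least-privilege role needs
            if "*" in pattern and pattern.count("/") < 2 and not pattern.endswith("/read"):
                findings.append(f"BROAD_WILDCARD:{pattern}")
    for section, allow in (("NotActions", "Actions"), ("NotDataActions", "DataActions")):
        for pattern in role.get(section, []):
            # Heuristic: turn the exclusion into one concrete operation and ask whether
            # any allow entry would have granted it; if not, the exclusion subtracts nothing.
            probe = pattern.replace("*", "probe")
            if not any(matches(p, probe) for p in role.get(allow, [])):
                findings.append(f"DEAD_EXCLUSION:{section}:{pattern}")
    return findings


# Copies of the sample roles above (constructed for this example, placeholder scope).
OPS_USER = {
    "Name": "AI Booster Operations User",
    "Actions": ["Microsoft.Portal/dashboards/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
                "Microsoft.Insights/*/read",
                "Microsoft.OperationalInsights/*/read"],
    "NotActions": ["Microsoft.Resources/deployments/*",
                   "Microsoft.Insights/ActionGroups/Delete"],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}
COMPUTE_OPERATOR = {
    "Name": "AzureML Limited Compute Operator",
    "Actions": ["Microsoft.MachineLearningServices/workspaces/read",
                "Microsoft.MachineLearningServices/workspaces/computes/*/read",
                "Microsoft.MachineLearningServices/workspaces/computes/*/action"],
    "NotActions": ["Microsoft.MachineLearningServices/workspaces/delete",
                   "Microsoft.MachineLearningServices/workspaces/update"],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}

if __name__ == "__main__":
    for role in (OPS_USER, COMPUTE_OPERATOR):
        print(role["Name"], lint(role))
    print(permits(OPS_USER, "Microsoft.Portal/dashboards/write"))  # True
    print(permits(COMPUTE_OPERATOR,
                  "Microsoft.MachineLearningServices/workspaces/computes/write"))  # False
```

Both sample roles come back with only dead exclusions: none of their Actions would have granted the excluded operations, so the NotActions document intent but change nothing.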
Identities & Automation
| Identity | Usage | Scope | Notes |
|---|---|---|---|
| Managed Identity (User-assigned) | Workload runtime (AML jobs, Functions, Container Apps) | Resource Group / Resource | Preferred for prod workloads; grant its Key Vault access via Azure RBAC rather than vault access policies |
| Service Principal (CI/CD) | Pipelines and promotions | Subscription / RG / Resource | Limit to deployment scopes; rotate secrets; consider Federated Identity Credentials |
| Break-glass Accounts | Emergency only | Tenant/Subscription | Exclude from MFA CA policies appropriately; store in vault; strict monitoring |
| PIM (Just-in-Time) | Human elevation | Subscription/RG | Approval, MFA, time-bound, reason required |
Suggested Entra ID Group Names
Persona Mapping with Group Name
For each persona and environment, both short and long naming conventions are suggested.
Short = simple, role-based (good for smaller orgs).
Long = structured, project + env scoped (good for enterprise scale).
| Persona | Environment | Short Group Name | Long Group Name |
|---|---|---|---|
| Data Scientist | Dev | ai-data-dev | grp-ai-data-<project>-dev |
| Data Scientist | Nonprod | ai-data-nonprod | grp-ai-data-<project>-nonprod |
| Data Scientist | Prod | ai-data-prod | grp-ai-data-<project>-prod |
| ML Engineer | Dev | ai-ml-dev | grp-ai-ml-<project>-dev |
| ML Engineer | Nonprod | ai-ml-nonprod | grp-ai-ml-<project>-nonprod |
| ML Engineer | Prod | ai-ml-prod | grp-ai-ml-<project>-prod |
| AI Engineer | Dev | ai-ai-dev | grp-ai-ai-<project>-dev |
| AI Engineer | Nonprod | ai-ai-nonprod | grp-ai-ai-<project>-nonprod |
| AI Engineer | Prod | ai-ai-prod | grp-ai-ai-<project>-prod |
| ML Operator | Dev | ai-ml-dev | grp-ai-ml-<project>-dev |
| ML Operator | Nonprod | ai-ml-nonprod | grp-ai-ml-<project>-nonprod |
| ML Operator | Prod | ai-ml-prod | grp-ai-ml-<project>-prod |
| MLOps | Dev | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| MLOps | Nonprod | ai-mlops-nonprod | grp-ai-mlops-<project>-nonprod |
| MLOps | Prod | ai-mlops-prod | grp-ai-mlops-<project>-prod |
| Operations | Dev | ai-operations-dev | grp-ai-operations-<project>-dev |
| Operations | Nonprod | ai-operations-nonprod | grp-ai-operations-<project>-nonprod |
| Operations | Prod | ai-operations-prod | grp-ai-operations-<project>-prod |
| Subscription Owner | Dev | ai-subscription-dev | grp-ai-subscription-<project>-dev |
| Subscription Owner | Nonprod | ai-subscription-nonprod | grp-ai-subscription-<project>-nonprod |
| Subscription Owner | Prod | ai-subscription-prod | grp-ai-subscription-<project>-prod |
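As an added example (not part of the original model), the check below turns the Environments & Guardrails rules and the persona group-naming convention above into a test that can be run over exported role assignments: standing human write access in Prod is flagged unless it is PIM-eligible or the Ops "Monitoring Contributor" case from the matrix, Data Scientist groups with write roles in Nonprod are flagged, and groups whose name does not follow the convention or whose environment suffix disagrees with the scope are flagged. The `Assignment` record, the `state` field and the sample data are constructed for this example; the read-only test (`*Reader` roles) is a deliberate simplification.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Group naming conventions from this document:
#   short: ai-<persona>-<env>        long: grp-ai-<persona>-<project>-<env>
GROUP_RE = re.compile(
    r"^(?:grp-)?ai-(?P<persona>data|ml|ai|mlops|operations|subscription)"
    r"(?:-(?P<project>[a-z0-9]+))?-(?P<env>dev|nonprod|prod)$"
)
HUMAN_TYPES = {"User", "Group"}
# The matrix gives Ops "Monitoring Contributor" in Prod; any other human write
# in Prod must be a PIM-eligible (JIT) assignment rather than a standing one.
PROD_HUMAN_ALLOWED = {"Monitoring Contributor"}


@dataclass(frozen=True)
class Assignment:
    principal: str         # display name of the user, group or service principal
    principal_type: str    # "User", "Group" or "ServicePrincipal"
    role: str              # Azure RBAC role name
    environment: str       # environment of the scope: dev | nonprod | prod
    state: str = "Active"  # "Active" (standing) or "Eligible" (PIM, activated JIT)


def parse_group_name(name: str):
    """Return {'persona', 'project', 'env'} for a conforming group name, else None."""
    m = GROUP_RE.match(name)
    return m.groupdict() if m else None


def is_write_role(role: str) -> bool:
    # Simplification: only *Reader roles are read-only; everything else (Owner,
    # Contributor, data-plane Contributor, OpenAI User, ...) can change state.
    return not role.endswith("Reader")


def check_assignment(a: Assignment) -> list[str]:
    findings = []
    if a.principal_type == "Group":
        parsed = parse_group_name(a.principal)
        if parsed is None:
            findings.append("NAMING")            # persona/env cannot be derived from the name
        else:
            if parsed["env"] != a.environment:
                findings.append("ENV_MISMATCH")  # e.g. a -dev group assigned on a Prod scope
            if parsed["persona"] == "data" and a.environment == "nonprod" and is_write_role(a.role):
                findings.append("DS_NONPROD_WRITE")  # DS is Reader in Nonprod
    if (a.principal_type in HUMAN_TYPES and a.environment == "prod"
            and is_write_role(a.role) and a.role not in PROD_HUMAN_ALLOWED
            and a.state != "Eligible"):
        findings.append("PROD_HUMAN_WRITE")      # Prod: CI/CD only, PIM for exceptions
    return findings


def check_all(assignments) -> dict:
    """Map 'principal (role, env)' -> findings, omitting compliant assignments."""
    report = {}
    for a in assignments:
        findings = check_assignment(a)
        if findings:
            report[f"{a.principal} ({a.role}, {a.environment})"] = findings
    return report


# Constructed sample, not real tenant data.
SAMPLE = [
    Assignment("grp-ai-mlops-genai-prod", "Group", "Contributor", "prod"),
    Assignment("sp-cicd-genai-prod", "ServicePrincipal", "Contributor", "prod"),
    Assignment("ai-data-nonprod", "Group", "Storage Blob Data Contributor", "nonprod"),
    Assignment("ai-operations-prod", "Group", "Monitoring Contributor", "prod"),
    Assignment("grp-ai-ml-genai-dev", "Group", "Reader", "prod"),
    Assignment("grp-ai-subscription-genai-prod", "Group", "Owner", "prod", "Eligible"),
    Assignment("ml-team", "Group", "Contributor", "dev"),
]

if __name__ == "__main__":
    for key, findings in check_all(SAMPLE).items():
        print(key, "->", ", ".join(findings))
```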
Service Role Mapping with Group Names
Each service role mapping now includes suggested short and long Entra ID group names.
| Service | Resource Type | Persona | Short Group | Long Group |
|---|---|---|---|---|
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure AI Search | Microsoft.Search/searchServices | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure AI Search | Microsoft.Search/searchServices | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure AI Search | Microsoft.Search/searchServices | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure AI Search | Microsoft.Search/searchServices | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure AI Search | Microsoft.Search/searchServices | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure Kubernetes Service | Microsoft.ContainerService/managedClusters | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure App Service (Web/Functions) | Microsoft.Web/sites | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure App Service (Web/Functions) | Microsoft.Web/sites | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure App Service (Web/Functions) | Microsoft.Web/sites | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure App Service (Web/Functions) | Microsoft.Web/sites | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure App Service (Web/Functions) | Microsoft.Web/sites | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure API Management | Microsoft.ApiManagement/service | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure API Management | Microsoft.ApiManagement/service | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure API Management | Microsoft.ApiManagement/service | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure API Management | Microsoft.ApiManagement/service | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure API Management | Microsoft.ApiManagement/service | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure Container Apps | Microsoft.App/containerApps | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure Container Apps | Microsoft.App/containerApps | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure Container Apps | Microsoft.App/containerApps | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure Container Apps | Microsoft.App/containerApps | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure Container Apps | Microsoft.App/containerApps | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure Cosmos DB | Microsoft.DocumentDB/databaseAccounts | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure SQL (DB) | Microsoft.Sql/servers/databases | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure SQL (DB) | Microsoft.Sql/servers/databases | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure SQL (DB) | Microsoft.Sql/servers/databases | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure SQL (DB) | Microsoft.Sql/servers/databases | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure SQL (DB) | Microsoft.Sql/servers/databases | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Azure SQL (Managed Instance) | Microsoft.Sql/managedInstances | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| MySQL Flexible Server | Microsoft.DBforMySQL/flexibleServers | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| PostgreSQL Flexible Server | Microsoft.DBforPostgreSQL/flexibleServers | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| AI Foundry | Microsoft.MachineLearningServices/aiFoundry (as applicable) | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
| Storage Accounts | Microsoft.Storage/storageAccounts | DS | ai-ds-dev | grp-ai-ds-<project>-dev |
| Storage Accounts | Microsoft.Storage/storageAccounts | MLE | ai-mle-dev | grp-ai-mle-<project>-dev |
| Storage Accounts | Microsoft.Storage/storageAccounts | AIE | ai-aie-dev | grp-ai-aie-<project>-dev |
| Storage Accounts | Microsoft.Storage/storageAccounts | MLOps | ai-mlops-dev | grp-ai-mlops-<project>-dev |
| Storage Accounts | Microsoft.Storage/storageAccounts | Ops | ai-ops-dev | grp-ai-ops-<project>-dev |
Expanded Service Role Mapping by Environment
- Dev Environment
| Service | Resource Type | Persona | Short Group (🔵) | Long Group (🟢) | Example Role |
|---|---|---|---|---|---|
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | DS | 🔵 ai-ds-dev | 🟢 grp-ai-ds-<project>-dev | AzureML Data Scientist |
| Azure AI Search | Microsoft.Search/searchServices | MLE | 🔵 ai-mle-dev | 🟢 grp-ai-mle-<project>-dev | Search Service Contributor |
| Azure AI Services / OpenAI | Microsoft.CognitiveServices/accounts | AIE | 🔵 ai-aie-dev | 🟢 grp-ai-aie-<project>-dev | Cognitive Services Contributor |
| Cosmos DB | Microsoft.DocumentDB/databaseAccounts | Ops | 🔵 ai-ops-dev | 🟢 grp-ai-ops-<project>-dev | Reader |
| Storage Accounts | Microsoft.Storage/storageAccounts | MLOps | 🔵 ai-mlops-dev | 🟢 grp-ai-mlops-<project>-dev | Key Vault Contributor |
- Nonprod Environment
| Service | Resource Type | Persona | Short Group (🔵) | Long Group (🟢) | Example Role |
|---|---|---|---|---|---|
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | DS | 🔵 ai-ds-nonprod | 🟢 grp-ai-ds-<project>-nonprod | Reader |
| Azure App Service | Microsoft.Web/sites | MLE | 🔵 ai-mle-nonprod | 🟢 grp-ai-mle-<project>-nonprod | Website Contributor |
| Azure API Management | Microsoft.ApiManagement/service | AIE | 🔵 ai-aie-nonprod | 🟢 grp-ai-aie-<project>-nonprod | APIM Contributor |
| Cosmos DB | Microsoft.DocumentDB/databaseAccounts | Ops | 🔵 ai-ops-nonprod | 🟢 grp-ai-ops-<project>-nonprod | Reader |
| Storage Accounts | Microsoft.Storage/storageAccounts | MLOps | 🔵 ai-mlops-nonprod | 🟢 grp-ai-mlops-<project>-nonprod | Contributor (CI/CD pipelines) |
- Prod Environment
| Service | Resource Type | Persona | Short Group (🔵) | Long Group (🟢) | Example Role |
|---|---|---|---|---|---|
| Azure ML (Workspace) | Microsoft.MachineLearningServices/workspaces | DS | 🔵 ai-ds-prod | 🟢 grp-ai-ds-<project>-prod | Reader |
| Azure Functions | Microsoft.Web/sites | MLE | 🔵 ai-mle-prod | 🟢 grp-ai-mle-<project>-prod | Reader |
| Azure Container Apps | Microsoft.App/containerApps | AIE | 🔵 ai-aie-prod | 🟢 grp-ai-aie-<project>-prod | Reader |
| Cosmos DB | Microsoft.DocumentDB/databaseAccounts | Ops | 🔵 ai-ops-prod | 🟢 grp-ai-ops-<project>-prod | Monitoring Contributor |
| Storage Accounts | Microsoft.Storage/storageAccounts | MLOps | 🔵 ai-mlops-prod | 🟢 grp-ai-mlops-<project>-prod | Contributor (Pipeline Identity only) |
Data-Plane Role Assignments by Service & Environment
- Azure Storage (Blob, Queue, Table)
| Environment | Persona | Short Group (🔵) | Long Group (🟢) | Data-Plane Role |
|---|---|---|---|---|
| Dev | DS | 🔵 ai-ds-dev | 🟢 grp-ai-ds-<project>-dev | Storage Blob Data Contributor |
| Nonprod | MLE | 🔵 ai-mle-nonprod | 🟢 grp-ai-mle-<project>-nonprod | Storage Blob Data Contributor |
| Prod | Ops | 🔵 ai-ops-prod | 🟢 grp-ai-ops-<project>-prod | Storage Blob Data Reader |
| Prod | MLOps | 🔵 ai-mlops-prod | 🟢 grp-ai-mlops-<project>-prod | Storage Blob Data Contributor (Pipeline Identity only) |
- Azure Cosmos DB
| Environment | Persona | Short Group (🔵) | Long Group (🟢) | Data-Plane Role |
|---|---|---|---|---|
| Dev | DS | 🔵 ai-ds-dev | 🟢 grp-ai-ds-<project>-dev | Cosmos DB Built-in Data Contributor |
| Nonprod | MLE | 🔵 ai-mle-nonprod | 🟢 grp-ai-mle-<project>-nonprod | Cosmos DB Built-in Data Contributor |
| Prod | Ops | 🔵 ai-ops-prod | 🟢 grp-ai-ops-<project>-prod | Cosmos DB Built-in Data Reader |
| Prod | MLOps | 🔵 ai-mlops-prod | 🟢 grp-ai-mlops-<project>-prod | Cosmos DB Built-in Data Contributor (CI/CD) |
- Azure AI Search
| Environment | Persona | Short Group (🔵) | Long Group (🟢) | Data-Plane Role |
|---|---|---|---|---|
| Dev | AIE | 🔵 ai-aie-dev | 🟢 grp-ai-aie-<project>-dev | Search Index Data Contributor |
| Nonprod | MLE | 🔵 ai-mle-nonprod | 🟢 grp-ai-mle-<project>-nonprod | Search Index Data Contributor |
| Prod | Ops | 🔵 ai-ops-prod | 🟢 grp-ai-ops-<project>-prod | Search Index Data Reader |
- Azure OpenAI Service
| Environment | Persona | Short Group (🔵) | Long Group (🟢) | Data-Plane Role |
|---|---|---|---|---|
| Dev | DS | 🔵 ai-ds-dev | 🟢 grp-ai-ds-<project>-dev | Cognitive Services OpenAI User |
| Nonprod | AIE | 🔵 ai-aie-nonprod | 🟢 grp-ai-aie-<project>-nonprod | Cognitive Services OpenAI User |
| Prod | MLOps | 🔵 ai-mlops-prod | 🟢 grp-ai-mlops-<project>-prod | Cognitive Services OpenAI User (Pipeline Identity only) |
| Prod | Ops | 🔵 ai-ops-prod | 🟢 grp-ai-ops-<project>-prod | Reader (telemetry, not inference) |