Azure Authorization Management Client Library
The Microsoft Azure Authorization Management Client Library for Python facilitates programmatic management of Azure Role-Based Access Control (RBAC), including role assignments, role definitions, and access policy assignments. It is currently at version 4.0.0 and follows the Azure SDK for Python's release cadence, with updates typically aligned with Azure REST API changes and security fixes.
Warnings
- breaking: Version 4.0.0 introduced significant breaking changes. The client constructor's signature may have changed, and model objects are now directly accessible under `azure.mgmt.authorization.models` instead of nested sub-modules (e.g., `authorization.models.authorization`).
- breaking: Older versions of Azure SDKs often used `msrestazure.azure_exceptions.CloudError` or `msrest.exceptions.HttpOperationError` for service-side exceptions. Modern Azure SDKs, including `azure-mgmt-authorization`, now raise `azure.core.exceptions.HttpResponseError`.
- gotcha: Authentication in Azure SDKs has standardized on the `azure-identity` package. Avoid using older, deprecated credential classes from `msrestazure` or directly managing tokens, as they may lead to security vulnerabilities or lack support for modern authentication flows like Managed Identities.
Install
pip install azure-mgmt-authorization
Imports
- AuthorizationManagementClient
from azure.mgmt.authorization import AuthorizationManagementClient
- DefaultAzureCredential
from azure.identity import DefaultAzureCredential
Quickstart
import os
from azure.core.exceptions import HttpResponseError
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient

# Ensure AZURE_SUBSCRIPTION_ID is set in your environment variables
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID", "")
if not subscription_id:
    raise ValueError("AZURE_SUBSCRIPTION_ID environment variable not set.")

# Authenticate using DefaultAzureCredential
# This will try several credential types in order (environment, managed identity, CLI, VS Code, etc.)
credential = DefaultAzureCredential()

# Create the Authorization Management Client
client = AuthorizationManagementClient(credential, subscription_id)

print(f"Listing role assignments for subscription ID: {subscription_id}")
try:
    # List all role assignments in the subscription
    # (the 2022-04-01 API used by 4.0.0 names this operation list_for_subscription())
    for assignment in client.role_assignments.list_for_subscription():
        # The role definition GUID is the last segment of the role definition resource ID
        role_guid = (assignment.role_definition_id or "").split("/")[-1]
        print(f"  - Scope: {assignment.scope}, Principal: {assignment.principal_id}, Role Definition: {role_guid}")
except HttpResponseError as e:
    # Service-side and authentication failures surface as azure.core HttpResponseError
    print(f"An error occurred: {e}")
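An added example (not part of the library or its documentation) that extends the quickstart loop into a basic RBAC audit: it flags assignments of the built-in Owner, Contributor and User Access Administrator roles made at subscription scope or broader. The function names, `SAMPLE` and the principal IDs are constructed for illustration; the GUIDs are Azure's built-in role definition IDs.

```python
import re
from types import SimpleNamespace

# Built-in role definition GUIDs (identical in every tenant).
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35a-4fb4-a5c3-7773c20a72d9": "User Access Administrator",
}
SUB_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
MG_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+/?$", re.IGNORECASE)

def scope_level(scope):
    """Classify how broad an assignment scope is."""
    if not scope:
        return "unknown"  # treated as broad so the audit fails closed
    if scope == "/" or MG_SCOPE.match(scope):
        return "management-group-or-root"
    if SUB_SCOPE.match(scope):
        return "subscription"
    return "resource-group-or-below"

def audit_assignments(assignments):
    """Return privileged-role assignments granted at subscription scope or broader."""
    findings = []
    for a in assignments:
        # Role GUID is the last path segment; IDs are case-insensitive and may be None.
        guid = (a.role_definition_id or "").rstrip("/").split("/")[-1].lower()
        role = PRIVILEGED_ROLES.get(guid)
        level = scope_level(a.scope)
        if role and level != "resource-group-or-below":
            findings.append({"principal_id": a.principal_id, "role": role, "level": level})
    return findings

# Constructed sample data shaped like the SDK's RoleAssignment model (hypothetical IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
def _ra(scope, principal_id, role_definition_id):
    return SimpleNamespace(scope=scope, principal_id=principal_id,
                           role_definition_id=role_definition_id)
SAMPLE = [
    _ra(SUB, "principal-a", RD + "8E3AF657-A8FF-443C-A75C-2FE8C4BCB635"),  # Owner
    _ra(SUB + "/resourceGroups/rg-app", "principal-b",
        RD + "b24988ac-6180-42a0-ab88-20f7382dd24c"),                      # Contributor on an RG
    _ra(SUB, "principal-c", RD + "acdd72a7-3385-48ef-bd42-f606fba81ae7"),  # Reader
    _ra("/", "principal-d", RD + "18d7d88d-d35a-4fb4-a5c3-7773c20a72d9"),  # UAA at root
    _ra(SUB, "principal-e", None),                                         # missing role ID
]
```

To audit live data, pass the iterable of role assignments returned by the quickstart's client to `audit_assignments` instead of `SAMPLE`.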