Azure Built-in and Custom Roles
Learn about Azure built-in and custom roles.
Where Can I Use This? | What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Portal account
- Azure Marketplace subscription
Azure provides built-in roles to help manage access to resources, including Cloud NGFW by
Palo Alto Networks. These roles define permissions for users, groups, and applications
in Azure Role-Based Access Control (RBAC). Below are some of the key built-in roles
relevant to Cloud NGFW on Azure:
- Owner. An owner has full access to manage all resources, including Cloud
NGFW. Assign this role to administrators who need complete control over
NGFW creation, configuration, and policies.
- Contributor. A contributor can create, manage, and modify Cloud NGFW and
other resources but cannot assign roles. Assign this role to administrators who need
complete control over NGFW creation, configuration, and policies.
- LocalNGFirewallAdministrator. This role can create, manage, and modify Cloud
NGFW policies. Assign this role to administrators who need complete control over
NGFW policy configuration; this role cannot create or update firewall resources.
- LocalRuleStacksAdministrator. This role can create and manage Cloud NGFW
policies. Assign this role to administrators who need complete control over the NGFW
policy configuration; this role cannot create or update firewall resources.
Choosing the proper Azure built-in role for Cloud NGFW depends on your organization's
governance model, administrative structure, and access control requirements. If your
needs exceed the capabilities of built-in roles, custom roles can provide a more
granular permission model. You can create a custom role with specific permissions, such
as:
- Creating and managing firewalls.
- Managing Cloud NGFW rules and policies.
- Monitoring logs and analytics.
- Controlling network traffic.
Assign Roles
You assign roles using Azure Role-Based Access Control (Azure RBAC). You can use the
Azure Portal, Azure CLI, or PowerShell to assign roles. To assign a role in the Azure Portal:
- Log in to the Azure Portal.
- Navigate to Access Control (IAM) > Role Assignments.
- Choose the role, assign users/groups, and specify the resource scope (for
example, the subscription, resource group, or a specific firewall
instance).
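After assigning roles, it helps to review which principals hold them and at what scope. The following is an added example, not code from Palo Alto Networks or Microsoft: it classifies each assignment's scope and flags Owner or Contributor granted at subscription level or above. It assumes input shaped like the output of `az role assignment list --all -o json`; the sample data, resource names, and verdict labels are constructed for illustration.

```python
# Role capabilities as this page describes them.
FULL_CONTROL = {"Owner", "Contributor"}   # can create and modify firewall resources
POLICY_ONLY = {"LocalNGFirewallAdministrator", "LocalRuleStacksAdministrator"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:1] != ["subscriptions"]:
        return "above_subscription"       # "/" or a management group
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource_group"
    return "resource"                     # for example, one firewall instance

def review(assignments):
    """Return (principal, role, level, verdict) for each role covered on this page."""
    rows = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in FULL_CONTROL and level in ("subscription", "above_subscription"):
            verdict = "too-broad"         # full control well beyond Cloud NGFW
        elif role == "Owner":
            verdict = "can-assign-roles"  # Owner can grant access to others
        elif role in FULL_CONTROL | POLICY_ONLY:
            verdict = "ok"
        else:
            continue                      # role not discussed on this page
        rows.append((a["principalName"], role, level, verdict))
    return rows

# Constructed sample data (hypothetical principals and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-ngfw-example"
FW = RG + "/providers/PaloAltoNetworks.Cloudngfw/firewalls/fw-example"
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "carol@example.com",
     "roleDefinitionName": "LocalRuleStacksAdministrator", "scope": RG},
    {"principalName": "dave@example.com", "roleDefinitionName": "Owner", "scope": FW},
    {"principalName": "erin@example.com", "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print("%-18s %-30s %-15s %s" % row)
```

Assignments flagged `too-broad` are candidates for a narrower scope or for one of the policy-only roles listed above.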