User with Website Contributor role is able to add tags

Marek Pękala 0 Reputation points
2024-06-07T15:13:29.2533333+00:00

Hi all,

I've noticed that the user with "Website Contributor" role is able to add tags to the app service, even if in the documentation this role is missing Microsoft.Resources/tags/write permissions.

How can this behaviour be explained?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

1 answer

  1. Vlad Costa 780 Reputation points
    2024-06-11T02:10:09.24+00:00

    Hi Marek,

    The “Website Contributor” role in Azure is a built-in role that has specific permissions. While it’s true that the explicit permission Microsoft.Resources/tags/write is not listed under this role, it’s important to note that the ability to add tags to resources in Azure is not solely governed by this permission.

    In Azure, the ability to apply tags to resources can be granted in two ways:

    1. Having write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don’t have access to the resource itself. The “Tag Contributor” role grants this access.
    2. Having write access to the resource itself. The “Contributor” role grants the required access to apply tags to any entity.

    The “Website Contributor” role falls under the second category. It allows the user to manage websites (not web plans), thereby granting write access to the website resource itself. This means that even though the Microsoft.Resources/tags/write permission is not explicitly listed, users with the “Website Contributor” role can still apply tags to the website resources they manage.

    This might help explain the behaviour you’re observing.

    Please see the links below for reference:

    https://video2.skills-academy.com/en-us/azure/azure-resource-manager/management/tag-resources#required-access

    https://video2.skills-academy.com/en-us/azure/role-based-access-control/built-in-roles

    If you find this response helpful and it resolves your issue, please consider marking it as “Accepted” or giving it an upvote. This will help others in the community find the solution more easily.


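The two tagging paths described in the answer above can be checked against a role definition's `actions` and `notActions`. The following is an added example, not part of the original thread and not Microsoft's code. It assumes that "write access to the resource itself" means the role allows `<resource type>/write`, uses constructed, abbreviated role excerpts plus one hypothetical custom role, and ignores scope, deny assignments and conditions.

```python
import fnmatch

# Constructed, abbreviated excerpts of role definitions (assumption: only the
# entries relevant to tagging are shown; the last role is hypothetical).
ROLES = {
    "Website Contributor": {
        "actions": ["Microsoft.Web/sites/*", "Microsoft.Web/serverFarms/read",
                    "Microsoft.Web/serverFarms/join/action"],
        "notActions": []},
    "Tag Contributor": {
        "actions": ["Microsoft.Resources/tags/*",
                    "Microsoft.Resources/subscriptions/resources/read"],
        "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Hypothetical Site Operator": {
        "actions": ["Microsoft.Web/sites/*"],
        "notActions": ["Microsoft.Web/sites/write"]},
}

def allows(role, operation):
    """True if the operation matches an action and no notAction.
    Matching is case-insensitive and '*' spans path segments."""
    op = operation.lower()
    def hit(patterns):
        return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["actions"]) and not hit(role["notActions"])

def tagging_paths(role_name, resource_type):
    """Return which of the two paths from the answer let the role tag a
    resource of the given type (empty list means neither)."""
    role = ROLES[role_name]
    paths = []
    # Path 1: write access to the Microsoft.Resources/tags resource type.
    if allows(role, "Microsoft.Resources/tags/write"):
        paths.append("tags-resource-type")
    # Path 2: write access to the resource itself (assumed: <type>/write).
    if allows(role, f"{resource_type}/write"):
        paths.append("resource-write")
    return paths

if __name__ == "__main__":
    for name in ROLES:
        for rtype in ("Microsoft.Web/sites", "Microsoft.Web/serverFarms"):
            print(f"{name:28} {rtype:28} {tagging_paths(name, rtype)}")
```

When auditing least privilege, run the same check on every custom role that contains a provider wildcard such as `Microsoft.Web/sites/*`, since searching only for `Microsoft.Resources/tags/write` misses the second path.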