To allow a user to deploy and customize Microsoft Sentinel workbook templates while maintaining the principle of least privilege, the correct role assignment is Workbook Contributor.
According to Microsoft Sentinel and Azure Monitor documentation, workbooks are stored as Azure resources under the resource group that hosts the Sentinel workspace. Microsoft specifies that:
“Users who need to create, edit, or deploy workbooks require the Workbook Contributor role on the resource group that contains the workbooks. This role grants permissions to create and modify workbooks without allowing broader Sentinel or resource modifications.”
The Workbook Contributor role includes permissions such as Microsoft.Insights/workbooks/read, write, and delete, enabling full workbook editing capabilities. It does not grant access to analytics rules, incidents, or automation features (which live under the Microsoft.SecurityInsights resource provider, not Microsoft.Insights/workbooks), so it keeps the user within the least privilege principle.
By contrast:
Microsoft Sentinel Contributor allows broader Sentinel configuration (analytics rules, playbooks, and so on), exceeding what is required.
Contributor provides full access to manage all Azure resources, violating least privilege.
Microsoft Sentinel Automation Contributor is intended for managing automation rules and playbooks, not workbooks.
Therefore, to enable User1 to deploy and customize Sentinel workbook templates in RG1 while maintaining minimal necessary permissions, assign Workbook Contributor on RG1. Note that this role covers saving the workbook resource itself; for the workbook's queries to return data, User1 also needs read access to the Log Analytics workspace (for example Microsoft Sentinel Reader or Log Analytics Reader), if not already granted.
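The assignment described above, as an added Azure PowerShell example that is not part of the original answer. It inspects the role's actions first, confirms none of them belong to the Sentinel resource provider, then assigns the role at resource-group scope and verifies it. The UPN user1@contoso.com is an assumed placeholder for User1, and the session is assumed to be signed in already with Connect-AzAccount.

```powershell
# Added example (not from the original answer): assign Workbook Contributor to User1
# at resource-group scope and verify the result. Assumed values: the UPN
# user1@contoso.com for User1 and an existing session from Connect-AzAccount.
$user = 'user1@contoso.com'   # assumed UPN for User1
$rg   = 'RG1'                 # resource group named in the question

# 1. Inspect the role before assigning it: list its allowed actions and confirm
#    none of them touch the Sentinel resource provider (Microsoft.SecurityInsights).
$role = Get-AzRoleDefinition -Name 'Workbook Contributor'
$role.Actions
$sentinelActions = $role.Actions | Where-Object { $_ -like 'Microsoft.SecurityInsights/*' }
if ($sentinelActions) {
    throw "Unexpected Sentinel permissions in role: $($sentinelActions -join ', ')"
}

# 2. Assign the role at resource-group scope only (not subscription-wide, not
#    a broader Sentinel role on the workspace).
New-AzRoleAssignment -SignInName $user -RoleDefinitionName $role.Name -ResourceGroupName $rg

# 3. Verify: the assignment should show a Scope ending in the RG1 resource group
#    and the RoleDefinitionName should be Workbook Contributor, nothing broader.
Get-AzRoleAssignment -SignInName $user -ResourceGroupName $rg |
    Select-Object RoleDefinitionName, Scope
```

The Azure CLI equivalent of step 2 is `az role assignment create --assignee user1@contoso.com --role "Workbook Contributor" --resource-group RG1`. Because Get-AzRoleAssignment with -ResourceGroupName also lists assignments inherited from the subscription, check the Scope column to make sure User1 is not already carrying a broader role such as Contributor from a higher level.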