diff --git a/azurerm/config.go b/azurerm/config.go index 6458b7c3cdee..2d70ea8083a8 100644 --- a/azurerm/config.go +++ b/azurerm/config.go @@ -8,6 +8,7 @@ import ( "net/http/httputil" "github.com/Azure/azure-sdk-for-go/arm/appinsights" + "github.com/Azure/azure-sdk-for-go/arm/authorization" "github.com/Azure/azure-sdk-for-go/arm/automation" "github.com/Azure/azure-sdk-for-go/arm/cdn" "github.com/Azure/azure-sdk-for-go/arm/compute" @@ -136,6 +137,9 @@ type ArmClient struct { appInsightsClient appinsights.ComponentsClient + // Authentication + roleAssignmentsClient authorization.RoleAssignmentsClient + roleDefinitionsClient authorization.RoleDefinitionsClient servicePrincipalsClient graphrbac.ServicePrincipalsClient // Databases @@ -624,12 +628,6 @@ func (c *Config) getArmClient() (*ArmClient, error) { ai.Sender = sender client.appInsightsClient = ai - spc := graphrbac.NewServicePrincipalsClientWithBaseURI(graphEndpoint, c.TenantID) - setUserAgent(&spc.Client) - spc.Authorizer = graphAuth - spc.Sender = sender - client.servicePrincipalsClient = spc - aadb := automation.NewAccountClientWithBaseURI(endpoint, c.SubscriptionID) setUserAgent(&aadb.Client) aadb.Authorizer = auth 
@@ -654,13 +652,33 @@ func (c *Config) getArmClient() (*ArmClient, error) { aschc.Sender = sender client.automationScheduleClient = aschc - client.registerKeyVaultClients(endpoint, c.SubscriptionID, auth, keyVaultAuth, sender) - + client.registerAuthentication(endpoint, graphEndpoint, c.SubscriptionID, c.TenantID, auth, graphAuth, sender) client.registerDatabases(endpoint, c.SubscriptionID, auth, sender) + client.registerKeyVaultClients(endpoint, c.SubscriptionID, auth, keyVaultAuth, sender) return &client, nil } +func (c *ArmClient) registerAuthentication(endpoint, graphEndpoint, subscriptionId, tenantId string, auth, graphAuth autorest.Authorizer, sender autorest.Sender) { + rac := authorization.NewRoleAssignmentsClientWithBaseURI(endpoint, subscriptionId) + setUserAgent(&rac.Client) + rac.Authorizer = auth + rac.Sender = sender + c.roleAssignmentsClient = rac + + rdc := authorization.NewRoleDefinitionsClientWithBaseURI(endpoint, subscriptionId) + setUserAgent(&rdc.Client) + rdc.Authorizer = auth + rdc.Sender = sender + c.roleDefinitionsClient = rdc + + spc := graphrbac.NewServicePrincipalsClientWithBaseURI(graphEndpoint, tenantId) + setUserAgent(&spc.Client) + spc.Authorizer = graphAuth + spc.Sender = sender + c.servicePrincipalsClient = spc +} + func (c *ArmClient) registerDatabases(endpoint, subscriptionId string, auth autorest.Authorizer, sender autorest.Sender) { // MySQL mysqlConfigClient := mysql.NewConfigurationsClientWithBaseURI(endpoint, subscriptionId) diff --git a/azurerm/data_source_arm_builtin_role_definition.go b/azurerm/data_source_arm_builtin_role_definition.go new file mode 100644 index 000000000000..6563c1859f7f --- /dev/null +++ b/azurerm/data_source_arm_builtin_role_definition.go 
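Review bot: The new `registerAuthentication` takes `endpoint, graphEndpoint` as two adjacent strings and `auth, graphAuth` as two adjacent `autorest.Authorizer` values, so a call that swaps either pair compiles and only fails at runtime when the role clients are sent to the Graph endpoint or the service principals client is sent to ARM; the call site in getArmClient passes seven positional arguments, which makes that easy to get wrong. It also has no doc comment although it is the one method in this file that deliberately wires two different endpoint/authorizer pairs. Suggested: `// registerAuthentication wires the Authorization (RBAC) role assignment and role definition clients against the ARM endpoint with the ARM authorizer, and the AAD Graph service principals client against the Graph endpoint with the Graph authorizer; the two pairs are not interchangeable.` The body of getArmClient starts outside the hunk.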
@@ -0,0 +1,41 @@
+package azurerm
+
+import (
+ "github.com/hashicorp/terraform/helper/schema"
+ "github.com/hashicorp/terraform/helper/validation"
+)
+
+func dataSourceArmBuiltInRoleDefinition() *schema.Resource {
+ return &schema.Resource{
+ Read: dataSourceArmBuiltInRoleDefinitionRead,
+ Schema: map[string]*schema.Schema{
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ "Contributor",
+ "Reader",
+ "Owner",
+ "VirtualMachineContributor",
+ }, false),
+ },
+ },
+ }
+}
+
+func dataSourceArmBuiltInRoleDefinitionRead(d *schema.ResourceData, meta interface{}) error {
+ name := d.Get("name").(string)
+ roleDefinitionIds := map[string]string{
+ "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
+ "VirtualMachineContributor": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
+ }
+ roleDefinitionId := roleDefinitionIds[name]
+
+ // TODO: when the API's fixed - pull out additional information from the API
+
+ d.SetId(roleDefinitionId)
+
+ return nil
+}
diff --git a/azurerm/data_source_arm_builtin_role_definition_test.go b/azurerm/data_source_arm_builtin_role_definition_test.go
new file mode 100644
index 000000000000..3457a96d473e
--- /dev/null
+++ b/azurerm/data_source_arm_builtin_role_definition_test.go
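Review bot: In dataSourceArmBuiltInRoleDefinitionRead the `roleDefinitionIds[name]` lookup ignores the `ok` result, so if the ValidateFunc list in the schema and this map ever drift (they are two hand-maintained copies of the same four names) the data source would silently set an empty ID instead of failing. Suggest `roleDefinitionId, ok := roleDefinitionIds[name]` followed by `if !ok { return fmt.Errorf("unsupported built-in role definition %q", name) }` (which needs `fmt` imported), or hoist the map to package level and build the ValidateFunc slice from its keys so there is a single source of truth. Since the TODO says richer data will later come from the API, a short comment above the map saying these are the fixed GUIDs of the Azure built-in role definitions, hard-coded on purpose until then, would stop a reader from taking them for placeholder values.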
@@ -0,0 +1,80 @@
+package azurerm
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_contributor(t *testing.T) {
+ dataSourceName := "data.azurerm_builtin_role_definition.test"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceBuiltInRoleDefinition("Contributor"),
+ Check: resource.ComposeTestCheckFunc(
+ testAzureRMClientConfigAttr(dataSourceName, "id", "b24988ac-6180-42a0-ab88-20f7382dd24c"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_owner(t *testing.T) {
+ dataSourceName := "data.azurerm_builtin_role_definition.test"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceBuiltInRoleDefinition("Owner"),
+ Check: resource.ComposeTestCheckFunc(
+ testAzureRMClientConfigAttr(dataSourceName, "id", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_reader(t *testing.T) {
+ dataSourceName := "data.azurerm_builtin_role_definition.test"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceBuiltInRoleDefinition("Reader"),
+ Check: resource.ComposeTestCheckFunc(
+ testAzureRMClientConfigAttr(dataSourceName, "id", "acdd72a7-3385-48ef-bd42-f606fba81ae7"),
+ ),
+ },
+ },
+ })
+}
+
+func TestAccDataSourceAzureRMBuiltInRoleDefinition_virtualMachineContributor(t *testing.T) {
+ dataSourceName := "data.azurerm_builtin_role_definition.test"
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccDataSourceBuiltInRoleDefinition("VirtualMachineContributor"),
+ Check: resource.ComposeTestCheckFunc(
+ testAzureRMClientConfigAttr(dataSourceName, "id", "d73bb868-a0df-4d4d-bd69-98a00b01fccb"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccDataSourceBuiltInRoleDefinition(name string) string {
+ return fmt.Sprintf(`
+data "azurerm_builtin_role_definition" "test" {
+ name = "%s"
+}
+`, name)
+}
diff --git a/azurerm/provider.go b/azurerm/provider.go
index 663def51c6a6..513777a3f72c 100644
--- a/azurerm/provider.go
+++ b/azurerm/provider.go
@@ -68,13 +68,14 @@ func Provider() terraform.ResourceProvider { }, DataSourcesMap: map[string]*schema.Resource{ - "azurerm_client_config": dataSourceArmClientConfig(), - "azurerm_image": dataSourceArmImage(), - "azurerm_managed_disk": dataSourceArmManagedDisk(), - "azurerm_platform_image": dataSourceArmPlatformImage(), - "azurerm_public_ip": dataSourceArmPublicIP(), - "azurerm_resource_group": dataSourceArmResourceGroup(), - "azurerm_subscription": dataSourceArmSubscription(), + "azurerm_builtin_role_definition": dataSourceArmBuiltInRoleDefinition(), + "azurerm_client_config": dataSourceArmClientConfig(), + "azurerm_image": dataSourceArmImage(), + "azurerm_managed_disk": dataSourceArmManagedDisk(), + "azurerm_platform_image": dataSourceArmPlatformImage(), + "azurerm_public_ip": dataSourceArmPublicIP(), + "azurerm_resource_group": dataSourceArmResourceGroup(), + "azurerm_subscription": dataSourceArmSubscription(), }, ResourcesMap: map[string]*schema.Resource{
@@ -395,6 +396,7 @@ func registerProviderWithSubscription(providerName string, client resources.Prov func determineAzureResourceProvidersToRegister(providerList []resources.Provider) map[string]struct{} { providers := map[string]struct{}{ + "Microsoft.Authorization": {}, "Microsoft.Automation": {}, "Microsoft.Cache": {}, "Microsoft.Cdn": {},
diff --git a/website/azurerm.erb b/website/azurerm.erb
index 18a17ba1b6f8..6123c830102d 100644
--- a/website/azurerm.erb
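Review bot: The four TestAccDataSourceAzureRMBuiltInRoleDefinition_* functions are byte-identical apart from the role name and the expected GUID, which is the shape a table-driven test with `t.Run` subtests expresses in a quarter of the lines and keeps in one place when a fifth built-in role is added. The expected GUIDs stay hard-coded in the test on purpose, since pinning them independently of the data source's own map is what makes the test worth running. Individual cases remain selectable with `-run 'TestAccDataSourceAzureRMBuiltInRoleDefinition/Owner'`; the helper that renders the config is unchanged.
```go
func TestAccDataSourceAzureRMBuiltInRoleDefinition(t *testing.T) {
	dataSourceName := "data.azurerm_builtin_role_definition.test"
	cases := map[string]string{
		"Contributor":               "b24988ac-6180-42a0-ab88-20f7382dd24c",
		"Owner":                     "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
		"Reader":                    "acdd72a7-3385-48ef-bd42-f606fba81ae7",
		"VirtualMachineContributor": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
	}
	for name, id := range cases {
		t.Run(name, func(t *testing.T) {
			resource.Test(t, resource.TestCase{
				PreCheck:  func() { testAccPreCheck(t) },
				Providers: testAccProviders,
				Steps: []resource.TestStep{
					{
						Config: testAccDataSourceBuiltInRoleDefinition(name),
						Check: resource.ComposeTestCheckFunc(
							testAzureRMClientConfigAttr(dataSourceName, "id", id),
						),
					},
				},
			})
		})
	}
}

// … unchanged: testAccDataSourceBuiltInRoleDefinition …
```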
+++ b/website/azurerm.erb @@ -23,6 +23,9 @@