diff --git a/azurerm/internal/services/authorization/role_definition_resource.go b/azurerm/internal/services/authorization/role_definition_resource.go
index c4daf4eee782..15dc187eb3b0 100644
--- a/azurerm/internal/services/authorization/role_definition_resource.go
+++ b/azurerm/internal/services/authorization/role_definition_resource.go
@@ -300,6 +300,10 @@ func expandRoleDefinitionPermissions(input []interface{}) []authorization.Permis
 	}
 
 	for _, v := range input {
+		if v == nil {
+			continue
+		}
+
 		input := v.(map[string]interface{})
 		permission := authorization.Permission{}
 
diff --git a/azurerm/internal/services/authorization/role_definition_resource_test.go b/azurerm/internal/services/authorization/role_definition_resource_test.go
index 219d2f09a595..5c6dc70e1879 100644
--- a/azurerm/internal/services/authorization/role_definition_resource_test.go
+++ b/azurerm/internal/services/authorization/role_definition_resource_test.go
@@ -147,7 +147,22 @@ func testAccRoleDefinition_emptyName(t *testing.T) {
 	})
 }
 
-func testAccRoleDefinition_managementGroup(t *testing.T) {
+func TestAccRoleDefinition_emptyPermissions(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_role_definition", "test")
+	r := RoleDefinitionResource{}
+
+	data.ResourceTest(t, r, []resource.TestStep{
+		{
+			Config: r.emptyPermissions(data),
+			Check: resource.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccRoleDefinition_managementGroup(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_role_definition", "test")
 	r := RoleDefinitionResource{}
 
@@ -327,6 +342,28 @@ resource "azurerm_role_definition" "test" {
 `, data.RandomInteger)
 }
 
+func (r RoleDefinitionResource) emptyPermissions(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "primary" {
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestrg-%d"
+  location = %q
+}
+
+resource "azurerm_role_definition" "test" {
+  name              = "acctestrd-%d"
+  scope             = azurerm_resource_group.test.id
+  assignable_scopes = [azurerm_resource_group.test.id]
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger)
+}
+
 func (r RoleDefinitionResource) TestAccRoleDefinition_managementGroup(id string, data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {