Creating a Custom Role using PowerShell

There are times when the Azure built-in roles do not meet an organization's specific needs and a custom role has to be created. This tutorial creates a custom role named Reader Support Tickets using Azure PowerShell. The role lets its assignee view everything in the management (control) plane of a subscription and also open support tickets, without being able to change anything else; it grants control-plane Actions only, no DataActions.

Prerequisites to create a custom role
  • We need permission to create custom roles, such as the Owner or User Access Administrator role (both carry Microsoft.Authorization/roleDefinitions/write)
  • We also need Azure Cloud Shell or Azure PowerShell

Steps to Create a Custom Role using PowerShell

  • First Step – In PowerShell, run Get-AzProviderOperation to list the operations exposed by the Microsoft.Support resource provider. Reviewing this list shows exactly what a wildcard such as Microsoft.Support/* will grant before you add it to the role.
  • Second Step – Use Get-AzRoleDefinition to output the built-in Reader role in JSON format, saving it as ReaderSupportRole.json. Reader is the starting template because it already grants */read.
  • Third Step – Open ReaderSupportRole.json in an editor.
  • Fourth Step – Add the "Microsoft.Support/*" operation to the Actions property, making sure to put a comma after the existing read operation so the JSON stays valid. This action allows the user to create and manage support tickets.
  • Fifth Step – Get the ID of your subscription with Get-AzSubscription.
  • Sixth Step – In AssignableScopes, add the subscription ID in the format "/subscriptions/00000000-0000-0000-0000-000000000000". You must use explicit subscription IDs; otherwise you will not be allowed to import the role into your subscription.
  • Seventh Step – Delete the Id property line (so Azure generates a new ID instead of reusing the built-in Reader role's) and change the IsCustom property to true.
  • Eighth Step – Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."
  • Ninth Step – Create the custom role with New-AzRoleDefinition, specifying the JSON role definition file.
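The nine steps above, carried out end to end as an added example (this is not code from the original page or from Microsoft's documentation). It assumes an Az PowerShell session already authenticated with Connect-AzAccount under an account holding Owner or User Access Administrator on the current subscription; the JSON edits are done in PowerShell rather than in a text editor, and the file name ReaderSupportRole.json and the role name and description are taken from the tutorial. It ends with a check that the created role is custom, carries only the two intended actions, and cannot be assigned outside the intended subscription.

```powershell
# Added example: create the "Reader Support Tickets" custom role with Az PowerShell.
# Assumes Connect-AzAccount has been run with Owner or User Access Administrator
# on the target subscription.

# Step 1: see what Microsoft.Support/* would actually grant before granting it.
Get-AzProviderOperation "Microsoft.Support/*" |
    Format-Table Operation, OperationName, IsDataAction -AutoSize

# Step 2: export the built-in Reader role as JSON to use as the template.
$file = ".\ReaderSupportRole.json"
Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json -Depth 5 | Set-Content -Path $file

# Step 3: load the file (in place of opening it in an editor).
$role = Get-Content -Path $file -Raw | ConvertFrom-Json

# Step 4: let the assignee create and manage support tickets (a control-plane action).
$role.Actions += "Microsoft.Support/*"

# Steps 5-6: scope the role to exactly one subscription using its explicit ID.
# Get-AzSubscription lists every subscription if a different one is wanted.
$subscriptionId = (Get-AzContext).Subscription.Id
$role.AssignableScopes = @("/subscriptions/$subscriptionId")

# Step 7: drop Reader's Id so Azure mints a new one, and mark the role as custom.
$role.PSObject.Properties.Remove("Id")
$role.IsCustom = $true

# Step 8: give the role its own name and description.
$role.Name        = "Reader Support Tickets"
$role.Description = "View everything in the subscription and also open support tickets."

$role | ConvertTo-Json -Depth 5 | Set-Content -Path $file

# Step 9: create the role from the edited file.
New-AzRoleDefinition -InputFile $file

# Check: custom, only the two expected actions, and only the intended scope.
$created  = Get-AzRoleDefinition -Name "Reader Support Tickets"
if (-not $created.IsCustom) { throw "Role was not created as a custom role" }
$expected = @("*/read", "Microsoft.Support/*")
if (Compare-Object $expected $created.Actions) {
    throw "Actions differ from expected: $($created.Actions -join ', ')"
}
if (Compare-Object @("/subscriptions/$subscriptionId") $created.AssignableScopes) {
    throw "AssignableScopes wider than intended: $($created.AssignableScopes -join ', ')"
}
```

The final check matters because a role definition is easy to get wrong silently: a leftover Id would collide with the built-in Reader role, and a wildcard scope or an extra action would hand out more than the role name promises.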

Deleting a Custom Role

  • First, use the Get-AzRoleDefinition command to get the ID of the custom role.
  • Second, use the Remove-AzRoleDefinition command and specify the role ID to delete the custom role.
  • Lastly, when asked to confirm, type Y.

Steps to Update Custom Role

  • To update the role from a JSON file, first use the Get-AzRoleDefinition command to output the custom role in JSON format.
  • Second, open the file in an editor.
  • Next, in Actions, add the operation to create and manage resource group deployments, "Microsoft.Resources/deployments/*".
  • Fourth, use the Set-AzRoleDefinition command with the updated JSON file to update the custom role.
  • Alternatively, to update the role through a PSRoleDefinition object, first use the Get-AzRoleDefinition command to get the role.
  • Then call the Add method on its Actions to add the operation to read diagnostic settings.
  • Lastly, use Set-AzRoleDefinition to update the role.

Reference: Microsoft Documentation
