Creating an Azure custom role using Azure PowerShell
This tutorial shows how to create an Azure custom role using Azure PowerShell. If the built-in Azure roles don't fit your organization's needs, you can create your own custom roles.
Signing in to Azure PowerShell
The first step is to sign in to Azure PowerShell.
Creating a custom role
The simplest approach to creating a custom role is to start with a built-in role, alter it, and then create a new role from the result.
In PowerShell, you can use the Get-AzProviderOperation command to obtain the list of operations for the Microsoft.Support resource provider. Knowing which operations are available is useful when building your permissions. A list of all available operations is published under Azure Resource Manager resource provider operations.
Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize
Operation                             Description
---------                             -----------
Microsoft.Support/register/action     Registers to Support Resource Provider
Microsoft.Support/supportTickets/read Gets Support Ticket details (including status, severity, contact ...
Microsoft.Support/supportTickets/write Creates or Updates a Support Ticket. You can create a Support Tic...
Use the Get-AzRoleDefinition command to output the Reader role in JSON format.
Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json
Open the ReaderSupportRole.json file in an editor. The file contains the following JSON output.
{
  "Name": "Reader",
  "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "IsCustom": false,
  "Description": "Lets you view everything, but not make any changes.",
  "Actions": [
    "*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}
- Edit the JSON file to add the "Microsoft.Support/*" operation to the Actions property. Make sure to include a comma after the read operation. This action allows the user to create support tickets.
- Get the ID of your subscription using the Get-AzSubscription command.
- In AssignableScopes, add your subscription ID with the following format: "/subscriptions/00000000-0000-0000-0000-000000000000". You must add explicit subscription IDs; otherwise you won't be allowed to import the role into your subscription.
- Delete the Id property line and change the IsCustom property to true.
- Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."
- To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.
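The whole create procedure above, scripted end to end so it can be repeated and reviewed. This is an added example, not code from the tutorial or from Microsoft's documentation. It assumes the Az module is installed, Connect-AzAccount has already been run, and the current context points at the subscription the role should be scoped to; the folder C:\CustomRoles and the role name and description are the tutorial's own values. The two guard checks (no unrestricted "*" action, no overwrite of an existing role name) are additions for least-privilege hygiene, not steps from the tutorial.

```powershell
# Added example, not the tutorial's own code. Assumes Az is installed and
# Connect-AzAccount has been run; C:\CustomRoles matches the tutorial.
$outDir = 'C:\CustomRoles'
$path   = Join-Path $outDir 'ReaderSupportRole.json'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Export the built-in Reader role, then reload it as an editable object
Get-AzRoleDefinition -Name 'Reader' | ConvertTo-Json -Depth 10 |
    Out-File -FilePath $path -Encoding utf8
$def = Get-Content -Path $path -Raw | ConvertFrom-Json

# The same edits the tutorial makes by hand in the editor
$def.PSObject.Properties.Remove('Id')          # a new role gets its own Id
$def.IsCustom    = $true
$def.Name        = 'Reader Support Tickets'
$def.Description = 'View everything in the subscription and also open support tickets.'
$def.Actions     = @($def.Actions) + 'Microsoft.Support/*'   # keep */read, add support

# Explicit subscription scope: the role cannot be imported without one.
# Get-AzContext is used for the current subscription; Get-AzSubscription
# lists every subscription you can see if you need a different one.
$subId = (Get-AzContext).Subscription.Id
if (-not $subId) { throw 'No subscription in the current context; run Connect-AzAccount first' }
$def.AssignableScopes = @("/subscriptions/$subId")

# Guard 1 (added): never ship a definition that grants the unrestricted '*' action
if ($def.Actions -contains '*') {
    throw 'Refusing to create a role with the unrestricted * action'
}

# Guard 2 (added): do not collide with an existing role of the same name
if (Get-AzRoleDefinition -Name $def.Name) {
    throw "Role '$($def.Name)' already exists; use Set-AzRoleDefinition to change it"
}

# Write the finished definition back and create the role from the file
$def | ConvertTo-Json -Depth 10 | Out-File -FilePath $path -Encoding utf8
New-AzRoleDefinition -InputFile $path

# Confirm what was created: Actions should be */read and Microsoft.Support/*
Get-AzRoleDefinition -Name $def.Name | Format-List Name, IsCustom, Actions, AssignableScopes
```

Keeping the definition in a file, as the tutorial does, also leaves an artefact that can be diffed and reviewed before the role is created; the final Format-List shows the exact permissions and scope that landed, which is what a reviewer wants to see before anyone is assigned the role.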
List custom roles
- To list all your custom roles, use the Get-AzRoleDefinition command. You can also see the custom role in the Azure portal.
Update a custom role
To update the custom role, you can either update the JSON file or use the PSRoleDefinition object.
- To update the JSON file, use the Get-AzRoleDefinition command to output the custom role in JSON format.
- Open the file in an editor.
- In Actions, add the operation to create and manage resource group deployments: "Microsoft.Resources/deployments/*".
- To update the custom role, use the Set-AzRoleDefinition command and specify the updated JSON file.
- To use the PSRoleDefinition object to update your custom role, first use the Get-AzRoleDefinition command to get the role.
- Call the Add method to add the operation to read diagnostic settings.
- Finally, use Set-AzRoleDefinition to update the role.
Delete a custom role
- Use the Get-AzRoleDefinition command to get the ID of the custom role.
- Use the Remove-AzRoleDefinition command and specify the role ID to delete the custom role.
- When asked to confirm, type Y.
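The PSRoleDefinition-object update and the delete procedure above, as one added script that is not the tutorial's own code. It assumes the custom role "Reader Support Tickets" from the create steps exists and that the signed-in account may edit and delete role definitions. The operation name "Microsoft.Insights/diagnosticSettings/*/read" is my assumption for "the operation to read diagnostic settings", which the tutorial names only in words; the IsCustom check, the idempotent Add, and the assignment check before deletion are additions.

```powershell
# Added example, not the tutorial's own code. Assumes the custom role
# created earlier exists and the account may edit/delete role definitions.
$roleName = 'Reader Support Tickets'
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role)          { throw "Custom role '$roleName' not found" }
if (-not $role.IsCustom) { throw "Refusing to edit built-in role '$roleName'" }

# Update through the object model: Actions is a list, so Add() appends in
# place. Skip the add when the entry is already there so re-running the
# script does not duplicate it. (Operation name is an assumption.)
$readDiag = 'Microsoft.Insights/diagnosticSettings/*/read'
if ($role.Actions -notcontains $readDiag) {
    $role.Actions.Add($readDiag)
}
Set-AzRoleDefinition -Role $role

# Show what the role now grants, for review before it is assigned to anyone
(Get-AzRoleDefinition -Name $roleName).Actions

# Delete: refuse while live assignments still reference the role, otherwise
# remove by Id. Omitting -Force keeps the Y/N confirmation prompt the
# tutorial describes.
$assigned = @(Get-AzRoleAssignment -RoleDefinitionName $roleName)
if ($assigned.Count -gt 0) {
    Write-Warning "$($assigned.Count) assignment(s) still reference '$roleName'; remove them before deleting the role"
} else {
    Remove-AzRoleDefinition -Id $role.Id
}
```

Editing the object rather than the JSON file is convenient for a one-line change, but it leaves no file to review; printing the resulting Actions list after Set-AzRoleDefinition gives you that record. Checking Get-AzRoleAssignment before Remove-AzRoleDefinition makes the delete fail early and visibly instead of silently orphaning assignments.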
Reference documentation – Tutorial: Create an Azure custom role using Azure PowerShell