Enabling custom RBAC roles using Azure PowerShell


In this tutorial, we’ll learn how to use Azure PowerShell to create and update custom roles in Azure. If the Azure built-in roles don’t match your organization’s specific needs, you can create your own custom roles.

Prerequisites

To create custom roles, you need:

  • Permissions to create custom roles, such as the Owner or User Access Administrator role
  • Azure Cloud Shell or Azure PowerShell

Listing custom roles

To list the roles that are available for assignment at a scope, use the Get-AzRoleDefinition command. For example, the command below lists all roles that are available for assignment in the selected subscription.

Azure PowerShell

Get-AzRoleDefinition | FT Name, IsCustom

[Image: listing custom roles. Image source: Microsoft]

The command below lists just the custom roles that are available for assignment in the selected subscription.

Azure PowerShell

Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

Note that if the selected subscription isn’t in the AssignableScopes of a custom role, that role won’t be listed.
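Listing custom roles is also the starting point for reviewing them. The following added example (not code from the page or from Microsoft) goes one step further than the listing above: it enumerates the custom roles in the selected subscription and flags those whose Actions contain a bare or provider-wide wildcard, or whose AssignableScopes include a management group. The list of patterns treated as "too broad" is an assumption; adjust it to your own policy. It assumes Az.Resources is installed and Connect-AzAccount has already been run.

```powershell
# Added example: find custom roles that grant more than a narrow allow-list should.
function Get-RiskyCustomRole {
    [CmdletBinding()]
    param(
        # Exact Action strings considered over-broad (assumed policy values).
        [string[]] $BroadActions = @('*', '*/write', '*/delete',
                                     'Microsoft.Authorization/*',
                                     'Microsoft.Authorization/*/write')
    )

    Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true } | ForEach-Object {
        $role = $_

        # Flag exact matches from the policy list and provider-level wildcards
        # such as "Microsoft.Compute/*", which cover every write on that provider.
        $broad = @($role.Actions | Where-Object {
            ($BroadActions -contains $_) -or ($_ -match '^[^/]+/\*$')
        })

        # A management-group scope lets the role be assigned across many subscriptions.
        $mgScopes = @($role.AssignableScopes | Where-Object {
            $_ -like '/providers/Microsoft.Management/managementGroups/*'
        })

        if ($broad.Count -gt 0 -or $mgScopes.Count -gt 0) {
            [pscustomobject]@{
                Name         = $role.Name
                Id           = $role.Id
                BroadActions = ($broad -join ', ')
                MgScopes     = ($mgScopes -join ', ')
            }
        }
    }
}

# Usage: print the findings as a table; an empty result means nothing was flagged.
Get-RiskyCustomRole | Format-Table -AutoSize
```

DataActions are not inspected here; if your custom roles grant data-plane permissions, extend the same check to `$role.DataActions`.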

Listing a custom role definition

To list a single custom role definition, pass the role name to Get-AzRoleDefinition and convert the output to JSON.

Azure PowerShell

Get-AzRoleDefinition <role_name> | ConvertTo-Json

[Image: listing a custom role definition in JSON. Image source: Microsoft]

Creating a custom role

To create a custom role, use the New-AzRoleDefinition command. There are two ways to structure the role: a PSRoleDefinition object or a JSON template.


Get operations for a resource provider

When creating custom roles, you need to know all the operations that the relevant resource providers expose. You can view the list of resource provider operations in the documentation, or use the Get-AzProviderOperation command to get this information. For example, use the command below (replacing <operation> with the operation string you want to search for) to check all the available operations for virtual machines:

Azure PowerShell

Get-AzProviderOperation <operation> | FT OperationName, Operation, Description -AutoSize
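The point of enumerating operations is to build a role's Actions from explicit, reviewed operation strings instead of wildcards. The following added example (not code from the page or from Microsoft) searches the virtual machine operations, groups them by verb so you can see how many reads, writes, deletes and actions exist, and then selects only the read operations plus the two lifecycle actions the tutorial's Virtual Machine Operator role needs. The search string "Microsoft.Compute/virtualMachines/*" is an assumption; Connect-AzAccount is assumed to have been run.

```powershell
# Added example: enumerate provider operations and select a least-privilege subset.
$ops = Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*"

# Summarise by verb (the last path segment: read, write, delete or action).
$ops | Group-Object { ($_.Operation -split '/')[-1] } |
    Sort-Object Name |
    ForEach-Object { "{0,-8} {1,4} operations" -f $_.Name, $_.Count }

# Keep only reads and the two explicit actions; everything else is excluded.
$allowed = $ops | Where-Object {
    $_.Operation -like '*/read' -or
    $_.Operation -in @('Microsoft.Compute/virtualMachines/start/action',
                       'Microsoft.Compute/virtualMachines/restart/action')
}

# Review the candidate Actions list with its descriptions before putting it in a role.
$allowed | Sort-Object Operation | Format-Table Operation, Description -AutoSize

# The resulting strings can be fed straight into a PSRoleDefinition's Actions list.
$allowed.Operation
```

Reviewing the Description column for each selected operation is worth the minute it takes: some operations ending in /action have side effects (for example deallocating or capturing a VM) that a "monitor and restart" role should not carry.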

Creating a custom role with the PSRoleDefinition object

When you use PowerShell to create a custom role, you can use one of the built-in roles as a starting point or start from scratch. In either case, edit the attributes to add the Actions, NotActions, or AssignableScopes that you want, and then save the changes as a new role.

The example starts with the Virtual Machine Contributor built-in role and creates a custom role named Virtual Machine Operator. The new role grants access to all read operations of the Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers, and grants access to start, restart, and monitor virtual machines.

[Image: creating a custom role with the PSRoleDefinition object. Image source: Microsoft]

Updating a custom role with the PSRoleDefinition object

Firstly, for modifying a custom role, use the Get-AzRoleDefinition command to retrieve the role definition. Secondly, make the desired changes to the role definition. Lastly, use the Set-AzRoleDefinition command to save the modified role definition.

For example, the code below adds the Microsoft.Insights/diagnosticSettings/* operation to the Virtual Machine Operator custom role.

Azure PowerShell

# Retrieve the existing custom role definition
$role = Get-AzRoleDefinition "Virtual Machine Operator"
# Append the new operation to the role's Actions list
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
# Save the modified definition back to Azure
Set-AzRoleDefinition -Role $role

For example:

PS C:\> $role = Get-AzRoleDefinition "Virtual Machine Operator"
PS C:\> $role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
PS C:\> Set-AzRoleDefinition -Role $role

Name             : Virtual Machine Operator
Id               : 88888888-8888-8888-8888-888888888888
IsCustom         : True
Description      : Can monitor and restart virtual machines.
Actions          : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read,
                   Microsoft.Compute/virtualMachines/start/action…}
NotActions       : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000,
                   /subscriptions/11111111-1111-1111-1111-111111111111}

Deleting a custom role

To delete a custom role, use the Remove-AzRoleDefinition command.

The example below removes the Virtual Machine Operator custom role.

Azure PowerShell

Get-AzRoleDefinition "Virtual Machine Operator"
Get-AzRoleDefinition "Virtual Machine Operator" | Remove-AzRoleDefinition

For example:

PS C:\> Get-AzRoleDefinition "Virtual Machine Operator"

Name             : Virtual Machine Operator
Id               : 88888888-8888-8888-8888-888888888888
IsCustom         : True
Description      : Can monitor and restart virtual machines.
Actions          : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read,
                   Microsoft.Compute/virtualMachines/start/action…}
NotActions       : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000,
                   /subscriptions/11111111-1111-1111-1111-111111111111}

PS C:\> Get-AzRoleDefinition "Virtual Machine Operator" | Remove-AzRoleDefinition

Confirm
Are you sure you want to remove the role definition with name 'Virtual Machine Operator'.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
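Azure will not delete a custom role that still has role assignments, and an unattended `Remove-AzRoleDefinition -Force` gives no view of who is about to lose access. The following added example (not code from the page or from Microsoft) wraps the deletion shown above in a function that refuses to touch built-in roles, looks for assignments of the role at each of its assignable scopes, and only then removes it, with -WhatIf support for a dry run. It assumes Connect-AzAccount has been run with Owner or User Access Administrator rights on the scopes involved.

```powershell
# Added example: delete a custom role only after confirming it has no assignments.
function Remove-CustomRoleSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $RoleName
    )

    $role = Get-AzRoleDefinition $RoleName
    if (-not $role) { throw "Role '$RoleName' was not found in the current context." }
    if (-not $role.IsCustom) { throw "Refusing to remove built-in role '$RoleName'." }

    # Look for assignments at every scope the role can be assigned to, not just
    # the subscription of the current context.
    $assignments = @(
        foreach ($scope in $role.AssignableScopes) {
            Get-AzRoleAssignment -RoleDefinitionName $RoleName -Scope $scope
        }
    )

    if ($assignments.Count -gt 0) {
        # Show who would be affected so the assignments can be reviewed and
        # removed deliberately before the role definition goes away.
        $assignments | Format-Table DisplayName, ObjectType, Scope -AutoSize | Out-Host
        throw "Role '$RoleName' still has $($assignments.Count) assignment(s); remove them first."
    }

    if ($PSCmdlet.ShouldProcess($RoleName, "Remove custom role definition")) {
        $role | Remove-AzRoleDefinition -Force
        Write-Verbose "Removed custom role '$RoleName' (Id $($role.Id))."
    }
}

# Usage: dry run first, then the real removal.
Remove-CustomRoleSafely -RoleName "Virtual Machine Operator" -WhatIf
Remove-CustomRoleSafely -RoleName "Virtual Machine Operator" -Verbose
```

Deleting a role definition is recorded in the Azure Activity Log (Microsoft.Authorization/roleDefinitions/delete); alerting on that operation is a cheap way to notice a custom role disappearing outside a change window.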


Reference: Microsoft Documentation
