Enabling custom RBAC roles using Azure PowerShell
In this tutorial, we'll learn how to use Azure PowerShell to create and update custom roles in Azure. If the Azure built-in roles don't match your organization's needs, you can define your own custom roles.
Prerequisites
To create custom roles, you need:
- Permissions to create custom roles, such as the Owner or User Access Administrator role
- Azure Cloud Shell or Azure PowerShell
Listing custom roles
To list the roles that are available for assignment at a scope, use the Get-AzRoleDefinition command. The example below lists all roles that are available for assignment in the selected subscription.
Azure PowerShell
Get-AzRoleDefinition | FT Name, IsCustom
The example below lists only the custom roles that are available for assignment in the selected subscription.
Azure PowerShell
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom
If the selected subscription isn't in the AssignableScopes of a custom role, that role isn't listed.
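The following is an added example (not code from the original tutorial) that goes one step beyond the listing commands above: it enumerates the custom roles, shows each role's AssignableScopes, marks whether the role can be assigned directly in a given subscription, and flags roles whose Actions contain a wildcard, since those are the ones that deserve a least-privilege review. The subscription ID is a constructed placeholder.

```powershell
# Added example: audit the custom roles visible from the current context.
# $subscriptionId is a constructed placeholder; replace it with your own.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$subscriptionScope = "/subscriptions/$subscriptionId"

Get-AzRoleDefinition | Where-Object { $_.IsCustom } | ForEach-Object {
    $role = $_
    # A role can be assigned at the subscription if one of its AssignableScopes is
    # the subscription itself or the root scope "/". A management group above the
    # subscription would also qualify, but that relationship is not checked here.
    $assignableHere = $role.AssignableScopes | Where-Object {
        $_ -eq "/" -or $_ -eq $subscriptionScope
    }
    # Actions such as "Microsoft.Compute/*" grant every operation under the
    # wildcard, including ones added by the provider later.
    $wildcard = $role.Actions | Where-Object { $_.Contains("*") }
    [pscustomobject]@{
        Name              = $role.Name
        AssignableHere    = [bool]$assignableHere
        HasWildcardAction = [bool]$wildcard
        AssignableScopes  = ($role.AssignableScopes -join ", ")
    }
} | Format-Table -AutoSize
```

Run it in a context where you hold at least read permission on role definitions; a role that is missing from the output is, per the note above, simply not assignable at the selected scope rather than absent from the tenant.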
Listing a custom role definition
To list a single custom role definition, use Get-AzRoleDefinition with the role name.
Azure PowerShell
Get-AzRoleDefinition <role_name> | ConvertTo-Json
Creating a custom role
To create a custom role, use the New-AzRoleDefinition command. There are two ways to describe the role: a PSRoleDefinition object or a JSON template.
Get operations for a resource provider
When you create a custom role, you need to know which operations the resource providers expose. You can view the list of resource provider operations, or retrieve it with the Get-AzProviderOperation command. For example, use the command below to list the available operations for virtual machines; <operation> is the operation search string.
Azure PowerShell
Get-AzProviderOperation <operation> | FT OperationName, Operation, Description -AutoSize
Creating a custom role with the PSRoleDefinition object
When you use PowerShell to create a custom role, you can start from one of the built-in roles or from scratch. Either way, edit the attributes to add the Actions, NotActions, or AssignableScopes you want, then save the changes as a new role.
The example starts with the Virtual Machine Contributor built-in role and creates a custom role named Virtual Machine Operator. The new role grants access to all read operations of the Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers, and grants access to start, restart, and monitor virtual machines.
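The block below is an added example, not the tutorial's own code, that carries the two preceding steps through end to end: it first uses Get-AzProviderOperation to discover the virtual machine operations (the "Get operations" step), then builds the Virtual Machine Operator role from the Virtual Machine Contributor built-in role as a PSRoleDefinition object. It adds one check the tutorial does not show: every action string in the new role is matched against the provider operation list, so a typo is caught before the role is created. The subscription IDs are constructed placeholders, and the action list is an illustrative set chosen to match the description above.

```powershell
# Added example: create a least-privilege "Virtual Machine Operator" role.

# Step 1: discover the operations the role will reference.
# "Microsoft.Compute/virtualMachines/*" is a wildcard operation search string.
$vmOps = Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*"
$vmOps | Where-Object { $_.Operation -like "*/action" } |
    Format-Table OperationName, Operation -AutoSize

# Step 2: start from the built-in role and reset the identity fields so that
# New-AzRoleDefinition creates a new role instead of colliding with the built-in one.
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."

# Step 3: replace the inherited Actions with the minimal set the role needs.
$role.Actions.Clear()
$desiredActions = @(
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*"
)
foreach ($action in $desiredActions) { $role.Actions.Add($action) }

# Step 4: sanity check. Each action must match at least one real provider
# operation; a mistyped action grants nothing, and a stray wildcard grants
# far more than intended, so surface both before the role exists.
$allOps = (Get-AzProviderOperation "*").Operation
foreach ($action in $role.Actions) {
    $hits = $allOps | Where-Object { $_ -like $action }
    if (-not $hits) { Write-Warning "No provider operation matches '$action'" }
}

# Step 5: restrict where the role can be assigned, then create it.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/00000000-0000-0000-0000-000000000000")
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-111111111111")
New-AzRoleDefinition -Role $role
```

Clearing the Id is what makes this a new role rather than an attempt to overwrite the built-in one; keeping AssignableScopes narrow limits where the role can later be granted.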
Updating a custom role with the PSRoleDefinition object
To modify a custom role, first use the Get-AzRoleDefinition command to retrieve the role definition. Then make the desired changes to the role definition. Finally, use the Set-AzRoleDefinition command to save the modified role definition.
For example, the code below adds the Microsoft.Insights/diagnosticSettings/* operation to the Virtual Machine Operator custom role.
Azure PowerShell
$role = Get-AzRoleDefinition "Virtual Machine Operator"
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
Set-AzRoleDefinition -Role $role
For example:
PS C:\> $role = Get-AzRoleDefinition "Virtual Machine Operator"
PS C:\> $role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
PS C:\> Set-AzRoleDefinition -Role $role
Name : Virtual Machine Operator
Id : 88888888-8888-8888-8888-888888888888
IsCustom : True
Description : Can monitor and restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read,
Microsoft.Compute/virtualMachines/start/action…}
NotActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000,
/subscriptions/11111111-1111-1111-1111-111111111111}
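The tutorial mentions the JSON template as the second way to describe a role but shows only the PSRoleDefinition object. The following is an added example, not the tutorial's code, of creating and then updating the same role from a JSON file with New-AzRoleDefinition -InputFile and Set-AzRoleDefinition -InputFile. The subscription ID is a constructed placeholder; the file path is written to the system temporary directory.

```powershell
# Added example: the JSON-template method for create and update.
$path = Join-Path ([System.IO.Path]::GetTempPath()) "vm-operator.json"

$definition = [ordered]@{
    Name             = "Virtual Machine Operator"
    IsCustom         = $true
    Description      = "Can monitor and restart virtual machines."
    Actions          = @(
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action"
    )
    NotActions       = @()
    AssignableScopes = @("/subscriptions/00000000-0000-0000-0000-000000000000")
}
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $path
New-AzRoleDefinition -InputFile $path

# Update: Set-AzRoleDefinition -InputFile needs the role's Id, so read it back
# from Azure, add the diagnostic-settings action, and rewrite the file.
$role = Get-AzRoleDefinition "Virtual Machine Operator"
$definition.Insert(0, "Id", $role.Id)   # OrderedDictionary.Insert(index, key, value)
$definition.Actions += "Microsoft.Insights/diagnosticSettings/*"
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path $path
Set-AzRoleDefinition -InputFile $path

# Confirm that the stored role now carries the added action.
(Get-AzRoleDefinition "Virtual Machine Operator").Actions
```

Keeping the JSON file in version control gives you a reviewable history of every change to the role, which the in-memory object method does not provide on its own.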
Deleting a custom role
To delete a custom role, use the Remove-AzRoleDefinition command.
The example below removes the Virtual Machine Operator custom role.
Azure PowerShell
Get-AzRoleDefinition "Virtual Machine Operator"
Get-AzRoleDefinition "Virtual Machine Operator" | Remove-AzRoleDefinition
For example:
PS C:\> Get-AzRoleDefinition "Virtual Machine Operator"
Name : Virtual Machine Operator
Id : 88888888-8888-8888-8888-888888888888
IsCustom : True
Description : Can monitor and restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read,
Microsoft.Compute/virtualMachines/start/action…}
NotActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000,
/subscriptions/11111111-1111-1111-1111-111111111111}
PS C:\> Get-AzRoleDefinition "Virtual Machine Operator" | Remove-AzRoleDefinition
Confirm
Are you sure you want to remove the role definition with name 'Virtual Machine Operator'.
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
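As an added example (not from the tutorial), the block below wraps the deletion in the check a practitioner wants first: it looks up any role assignments that still reference the custom role with Get-AzRoleAssignment, lists them for review instead of deleting, and only removes the role when nothing references it. The role name is the one used throughout the tutorial.

```powershell
# Added example: remove a custom role only when no assignment still uses it.
$roleName = "Virtual Machine Operator"

# Assignments that reference the role, at any scope visible to the caller.
$assignments = Get-AzRoleAssignment -RoleDefinitionName $roleName

if ($assignments) {
    Write-Warning "$(@($assignments).Count) assignment(s) still reference '$roleName'; review them before deleting:"
    $assignments | Format-Table DisplayName, ObjectType, Scope -AutoSize
} else {
    # -Force suppresses the interactive confirmation shown above; reserve it for
    # scripts that have already recorded what they are about to remove.
    Get-AzRoleDefinition $roleName | Remove-AzRoleDefinition -Force
    Write-Output "Removed custom role '$roleName'."
}
```

Azure rejects deletion of a role that is still assigned, so the lookup also explains the error you would otherwise see; the listed assignments are the ones to remove or re-point to another role first.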
Reference: Microsoft Documentation