Saturday, September 28, 2019

How to create Custom roles for Azure resources

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.
Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. (For specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, the limit is 2000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.
JSON
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
When you create a custom role, it appears in the Azure portal with an orange resource icon.

Steps to create a custom role

  1. Decide how you want to create the custom role
    You can create custom roles using Azure PowerShell, Azure CLI, or the REST API.
  2. Determine the permissions you need
    When you create a custom role, you need to know the resource provider operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the Actions or NotActions properties of the role definition. If you have data operations, you will add those to the DataActions or NotDataActions properties.
  3. Create the custom role
    Typically, you start with an existing built-in role and then modify it for your needs. Then you use the New-AzRoleDefinition or az role definition create commands to create the custom role. To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all AssignableScopes, such as Owner or User Access Administrator.
  4. Test the custom role
    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
For a step-by-step tutorial on how to create a custom role, see Tutorial: Create a custom role using Azure PowerShell or Tutorial: Create a custom role using Azure CLI.

Custom role properties

A custom role has the following properties.
Name (Required: Yes, Type: String)
  The display name of the custom role. While a role definition is a subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128.
Id (Required: Yes, Type: String)
  The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role.
IsCustom (Required: Yes, Type: String)
  Indicates whether this is a custom role. Set to true for custom roles.
Description (Required: Yes, Type: String)
  The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024.
Actions (Required: Yes, Type: String[])
  An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions.
NotActions (Required: No, Type: String[])
  An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions.
DataActions (Required: No, Type: String[])
  An array of strings that specifies the data operations that the role allows to be performed on your data within that object. For more information, see DataActions.
NotDataActions (Required: No, Type: String[])
  An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions.
AssignableScopes (Required: Yes, Type: String[])
  An array of strings that specifies the scopes at which the custom role is available for assignment. For custom roles, you currently cannot set AssignableScopes to the root scope ("/") or a management group scope. For more information, see AssignableScopes and Organize your resources with Azure management groups.
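As an added example (not code from the article or from Azure), the following Python checks a role definition in the JSON shape shown above against the property rules in this table, and evaluates the effective permission as Actions minus NotActions. It assumes that a wildcard "*" in an operation string matches any characters, including "/", and uses the management group scope prefix /providers/Microsoft.Management/managementGroups as the thing to reject.

```python
import re

# Constructed sample: the page's "Virtual Machine Operator" role, trimmed to the
# actions needed to show the matching logic; the subscription id is a placeholder.
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "Id": "88888888-8888-8888-8888-888888888888",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
}

def _matches(pattern, operation):
    # Assumption: "*" matches any run of characters, "/" included, so
    # Microsoft.Compute/*/read also covers nested resource types.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation, data=False):
    """Effective permission: granted by Actions and not excluded by NotActions
    (DataActions / NotDataActions when data=True)."""
    allow, deny = ("DataActions", "NotDataActions") if data else ("Actions", "NotActions")
    granted = any(_matches(p, operation) for p in role.get(allow, []))
    excluded = any(_matches(p, operation) for p in role.get(deny, []))
    return granted and not excluded

def validate(role):
    """Return the list of violations of the property rules in the table above."""
    problems = []
    if not 1 <= len(role.get("Name", "")) <= 128:
        problems.append("Name must be 1-128 characters")
    if len(role.get("Description", "")) > 1024:
        problems.append("Description exceeds 1024 characters")
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if "Actions" not in role:
        problems.append("Actions is required")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is required")
    for s in scopes:  # root and management group scopes are not allowed
        if s == "/" or s.startswith("/providers/Microsoft.Management/managementGroups"):
            problems.append("unsupported assignable scope: " + s)
    return problems
```

A role that passes validate() but answers True for an operation you did not intend (for example a write or listKeys action swallowed by a broad wildcard) is the case worth catching before New-AzRoleDefinition is ever run.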

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes that the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.
Create/delete a custom role (Operation: Microsoft.Authorization/roleDefinitions/write)
  Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources.
Update a custom role (Operation: Microsoft.Authorization/roleDefinitions/write)
  Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources.
View a custom role (Operation: Microsoft.Authorization/roleDefinitions/read)
  Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment.
