Creating an Azure custom role using Azure PowerShell

This tutorial shows how to create an Azure custom role using Azure PowerShell. If the built-in Azure roles don't fit your organization's needs, you can design your own custom roles.

Signing in to Azure PowerShell

The first step is to sign in to Azure PowerShell.

Creating a custom role

The simplest way to develop a custom role is to start with a built-in role, alter it, and then create a new role from the result.

In PowerShell, you can use the Get-AzProviderOperation command to obtain the list of operations for the Microsoft.Support resource provider. Knowing which operations are available helps you build your permissions. The Azure Resource Manager resource provider operations reference lists all the available operations.

Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize

Operation                               Description
---------                               -----------
Microsoft.Support/register/action       Registers to Support Resource Provider
Microsoft.Support/supportTickets/read   Gets Support Ticket details (including status, severity, contact …
Microsoft.Support/supportTickets/write  Creates or Updates a Support Ticket. You can create a Support Tic…

Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json

Open the ReaderSupportRole.json file in an editor.

The file contains the following JSON.

{
  "Name": "Reader",
  "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "IsCustom": false,
  "Description": "Lets you view everything, but not make any changes.",
  "Actions": [
    "*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

  • Edit the JSON file to add the "Microsoft.Support/*" operation to the Actions property. Make sure to include a comma after the read operation. This action will allow the user to create support tickets.
  • Get the ID of your subscription using the Get-AzSubscription command.
  • In AssignableScopes, add your subscription ID in the following format: "/subscriptions/00000000-0000-0000-0000-000000000000". You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.
  • Delete the Id property line and change the IsCustom property to true.
  • Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."
  • To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.
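
The edits in the steps above, scripted in PowerShell as an added example (not part of the original tutorial). The temporary output path and the pre-import checks are assumptions; the subscription ID is the tutorial's placeholder and the embedded JSON is the Reader export shown earlier.

```powershell
# Constructed input: the Reader role JSON as exported earlier on this page.
$readerJson = @'
{
  "Name": "Reader",
  "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "IsCustom": false,
  "Description": "Lets you view everything, but not make any changes.",
  "Actions": [ "*/read" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/" ]
}
'@

# Placeholder ID from the tutorial; take the real one from Get-AzSubscription.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
# Assumed output location for this example.
$outFile = Join-Path ([System.IO.Path]::GetTempPath()) 'ReaderSupportRole.json'

$role = $readerJson | ConvertFrom-Json

# Apply the edits listed in the steps above.
$role.Name             = 'Reader Support Tickets'
$role.Description      = 'View everything in the subscription and also open support tickets.'
$role.IsCustom         = $true
$role.Actions          = @($role.Actions) + 'Microsoft.Support/*'
$role.AssignableScopes = @("/subscriptions/$subscriptionId")
$role.PSObject.Properties.Remove('Id')

# Pre-import checks (assumed for this example): catch the mistakes the steps warn about.
$guid = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
$problems = @()
if ($role.PSObject.Properties.Name -contains 'Id') { $problems += 'Id property must be removed' }
if (-not $role.IsCustom) { $problems += 'IsCustom must be true' }
foreach ($scope in $role.AssignableScopes) {
    if ($scope -notmatch "^/subscriptions/$guid$") {
        $problems += "AssignableScopes entry '$scope' is not an explicit subscription ID"
    }
}
if ($problems.Count -gt 0) { throw ($problems -join '; ') }

$role | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8
Write-Output "Role definition written to $outFile with actions: $($role.Actions -join ', ')"

# In a signed-in Azure PowerShell session, import the role with:
# New-AzRoleDefinition -InputFile $outFile
```

Note that "Microsoft.Support/*" grants every operation in the list shown earlier, including register/action, not only the ticket read and write operations.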

List custom roles

  • To list all your custom roles, use the Get-AzRoleDefinition command. You can also see the custom role in the Azure portal.

[Screenshot: custom role imported in the Azure portal. Image source: Microsoft]

Update a custom role

To update the custom role, you can either update the JSON file or use the PSRoleDefinition object.

  • To update the JSON file, use the Get-AzRoleDefinition command to output the custom role in JSON format.
  • Open the file in an editor.
  • In Actions, add the operation to create and manage resource group deployments, "Microsoft.Resources/deployments/*".
  • To update the custom role, use the Set-AzRoleDefinition command and specify the updated JSON file.
  • To use the PSRoleDefinition object to update your custom role, first use the Get-AzRoleDefinition command to get the role.
  • Call the Add method to add the operation to read diagnostic settings.
  • Finally, use the Set-AzRoleDefinition command to update the role.

Delete a custom role

  • Use the Get-AzRoleDefinition command to get the ID of the custom role.
  • Use the Remove-AzRoleDefinition command and specify the role ID to delete the custom role.
  • When you are asked to confirm, type Y.

Reference documentation – Tutorial: Create an Azure custom role using Azure PowerShell
