Custom Roles in Azure

In Azure we can find  large number of roles available and we can assigned to users and groups. In those roles we can find that some roles can be assign to any resource type in azure and some are more specific to resource. You may think that we we cant create roles as per our requirement, you may wrong we can create a custom role using PowerShell and JSON template. But this feature is still not available in azure portal. So from this post I’ll take through how to create custom role for virtual machines.

View the actions we can grant for role(here I selected the providers that relevant to virtual machines)

When you execute following cmdlets you will see each provider operation, and you can use which provider operation to include to custom role

Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/*"
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/virtualMachines/*/action" | ft Operation, OperationName
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Network/*"
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Storage/*"

Export a slimier role equivalent to the custom role (export as a JSON) for this example I used “Virtual Machine Contributor” role

Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File C:\Users\kasun\Desktop\TestDemos\vmoperator.json

Open up the JSON file in VS Code

Delete the two lines that are the ID and IsCustom and Name and Role Description 

Change the permissions for the resources to those actually required for this I used following permissions


For the AssignableScopes you must set the subscription that the role will apply.Change the “/” line to “/subscriptions/<your subscription GUID>”

Save the JSON file and Import using PowerShell

New-AzureRmRoleDefinition -InputFile C:\Users\kasun\Desktop\TestDemos\vmoperator.json


In azure portal we can see the custom role and its permissions