In Azure there is a large number of built-in roles that we can assign to users and groups. Some of those roles can be assigned to any resource type in Azure, while others are specific to one resource type. You may think that we cannot create roles to match our own requirements, but that is not the case: we can create a custom role using PowerShell and a JSON template. This feature is still not available in the Azure portal. So in this post I'll take you through how to create a custom role for virtual machines.
First, view the actions we can grant in a role (here I selected the providers relevant to virtual machines). When you execute the following cmdlets you will see each provider operation, and you can decide which provider operations to include in the custom role:
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/*"
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Compute/virtualMachines/*/action" | ft Operation, OperationName
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Network/*"
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Storage/*"
Export a similar built-in role as the starting point for the custom role (export it as JSON). For this example I used the "Virtual Machine Contributor" role:
Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json | Out-File C:\Users\kasun\Desktop\TestDemos\vmoperator.json
Open the JSON file in VS Code.
Delete the two lines for Id and IsCustom, as well as the Name and Role Description.
Change the permissions to those actually required for the resources. For this role I used the following permissions:
"Microsoft.Compute/*/read",
"Microsoft.Network/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Support/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
For AssignableScopes you must set the subscription to which the role will apply. Change the "/" line to "/subscriptions/<your subscription GUID>".
Save the JSON file and import it using PowerShell:
New-AzureRmRoleDefinition -InputFile C:\Users\kasun\Desktop\TestDemos\vmoperator.json
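As an added example (my script, not the author's), the same steps can be done as one AzureRM script that edits the exported role object in memory instead of the JSON file and, before importing, checks that every action actually resolves to at least one provider operation, so a typo or an over-broad wildcard shows up in the review rather than in a live assignment. The role name, description, the $SubscriptionId parameter and the output path are assumptions.

```powershell
# Added example: build, review and import the VM operator role with AzureRM.
# Assumes the AzureRM module is loaded and Login-AzureRmAccount has been run.
param(
    [Parameter(Mandatory)][string]$SubscriptionId,             # subscription GUID (assumed parameter)
    [string]$OutFile = "$env:USERPROFILE\Desktop\vmoperator.json" # review copy (assumed path)
)

# The actions from the post: read-only on compute/network/storage, write only for start/restart.
$actions = @(
    "Microsoft.Compute/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Support/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*"
)

# Start from the built-in role the post exports, then overwrite only the fields that must change.
$role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null                      # a new Id is generated on import
$role.IsCustom = $true
$role.Name = "Virtual Machine Operator"          # assumed name
$role.Description = "Read VM, network and storage resources; start and restart VMs."  # assumed
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId")   # never leave this as "/"

# Review step: expand each action against the real provider operations.
# An action that matches nothing is a typo; a wildcard that matches many is worth a second look.
$allOps = Get-AzureRmProviderOperation -OperationSearchString "*" | Select-Object -ExpandProperty Operation
foreach ($action in $role.Actions) {
    $matched = @($allOps | Where-Object { $_ -like $action })
    if ($matched.Count -eq 0) { throw "Action '$action' matches no provider operation; check for a typo." }
    Write-Host ("{0,-60} -> {1} operation(s)" -f $action, $matched.Count)
}

# Keep a JSON copy for change review, then create the role from the object directly.
$role | ConvertTo-Json | Out-File $OutFile
New-AzureRmRoleDefinition -Role $role
```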
In the Azure portal we can now see the custom role and its permissions.