Azure RBAC Custom Roles

What is RBAC in Azure?

RBAC stands for Role-Based Access Control. Access management is a critical function for cloud resources, and RBAC is the Azure component that provides it. RBAC helps cloud administrators and architects follow best practices and provide a secure management environment for cloud resources.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

How Is RBAC Used?

  • Allow one user to manage only the network resources and another user to manage virtual machines.
  • Allow DB administrators to manage SQL databases in a subscription
  • Allow a user to manage all the resources in a resource group
  • Allow an application to access the resources in a resource group
  • Allow a user to manage only a specific resource
  • Give read-only access to users

Best Practices for Using RBAC

With RBAC, administrators can segregate duties and grant individuals only the access they need to Azure resources. This limits users to the permissions required to perform their jobs and prevents granting unnecessary permissions on Azure subscriptions or resources.

Security Principals

A security principal represents a user, group, service principal or managed identity.

  • User – An individual who has an account or identity in Azure Active Directory.
  • Group – A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
  • Service Principal – A security identity used by applications or services to access specific Azure resources.
  • Managed Identity – An identity in Azure Active Directory that is automatically managed by Azure.

Role Definition

A role definition is a collection of permissions that applies to a specific role. It defines the list of operations that the role can perform. Following is an example of a role definition.

Role definition for a role assignment

Azure IAM includes several built-in roles to use for RBAC permissions. These built-in roles are grouped by Azure service.

Following are a few built-in roles

  • Owner
  • Contributor
  • Reader
  • User Access Administrator

RBAC Custom Roles

A custom role is the way of creating your own role with the relevant permissions attached. This is very useful if we can't find a built-in role with the permissions we need to grant. For example, if a user needs only to start and restart VMs, we need to create a custom role for it.

Following is the role definition for the custom role

{
  "Name": "Virtual Machine Operator(Start/Restart)",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Read Access & restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<Sub-ID>"
  ]
}

In the above JSON, under Actions, we specify the operations the role can perform. As you can see, Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/restart/action allow only starting and restarting the servers. You can also see additional read permissions, such as read access to resource groups, storage, network, and compute. We need to grant those read permissions; otherwise the user can't list the resources and their details.

The following command can be used to create the custom role in Azure

az role definition create --role-definition VM-Read-start-restart.json
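Before running that command, it is worth checking what the definition actually grants. The following is an added example (not code from the original post or from Azure) that evaluates the page's role definition the way Azure does: an operation is allowed when some Action wildcard matches it and no NotActions entry removes it, with case-insensitive matching and '*' spanning path segments. It also lists every Action that grants more than read and flags the unreplaced <Sub-ID> placeholder in AssignableScopes; the role dict is constructed from the JSON above.

```python
import re

# Constructed sample: the custom role definition from this page as a dict
# (the <Sub-ID> placeholder is kept on purpose so the scope check can flag it).
VM_OPERATOR_ROLE = {
    "Name": "Virtual Machine Operator(Start/Restart)",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Storage/*/read", "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*", "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<Sub-ID>"],
}

def action_matches(pattern: str, operation: str) -> bool:
    """Azure action strings compare case-insensitively and '*' matches any text,
    including '/', so 'Microsoft.Compute/*/read' also covers nested resource types."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission: some Action must match the operation and no NotActions
    entry may carve it back out (NotActions narrows a grant, it is not a deny)."""
    if not any(action_matches(p, operation) for p in role.get("Actions", [])):
        return False
    return not any(action_matches(p, operation) for p in role.get("NotActions", []))

def non_read_actions(role: dict) -> list:
    """Least-privilege review: every Action that grants more than read."""
    return [a for a in role["Actions"] if not a.lower().endswith("/read")]

def scope_findings(role: dict) -> list:
    """Flag AssignableScopes still holding a placeholder or set to the tenant root."""
    findings = []
    for scope in role.get("AssignableScopes", []):
        if "<" in scope:
            findings.append(f"placeholder scope not replaced: {scope}")
        elif scope == "/":
            findings.append("root scope '/' makes the role assignable tenant-wide")
    return findings
```

Against this definition, deallocate and delete on a VM are not allowed, while extensions/read is allowed through the Microsoft.Compute/*/read wildcard; the review lists the two VM actions plus the three wildcard entries under Insights and Support as grants beyond read.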

The following demo shows how to create custom roles.

Additional Links