Implementing An Azure Custom Role Using Azure PowerShell

Introduction 

 
This article demonstrates how to create custom roles in Azure. When the built-in Azure roles are not sufficient or do not fulfil your requirement, you can create custom roles as needed.
 
Let’s say you want to have a role that has a combination of access permissions for Azure Compute Instance and Azure Storage Instance.
 
Prerequisites
  • Permissions to create custom roles, such as Owner or User Access Administrator
  • Azure PowerShell

Create a Custom Role definition JSON file

 
First, we need to create a role definition JSON file. Here I am giving an example of a role definition file and named it “samplerole.json”.
  {
    "Name": "My Custom Role",
    "Id": null,
    "IsCustom": true,
    "Description": "Allows for read access to Azure VMs and Storage Accounts",
    "Actions": [
      "Microsoft.Compute/*/read",
      "Microsoft.Storage/*/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
      "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    ]
  }
In the role definition file, give the role a meaningful name; in my case, it is “My Custom Role”. This is the name under which the role will appear in Azure and that the later commands refer to.
 
In addition, we need a description of the role and then the Actions list, which defines which operations the role permits. Here, users would have read-only access to all of the compute services in Azure and read access to storage.
 
Finally, in AssignableScopes, we list the Azure subscription ID within which the role can be assigned.
 
You can take a subscription ID from the Azure Portal as shown below.
 
 

Upload a Role Definition and Assignment

 
All right! The role JSON file is now ready to upload. Go to Azure Cloud Shell to upload that file.
 
 
Once the file upload is successful, we are going to execute some commands in Azure PowerShell.
 
The first thing is to use that file and create a completely new role definition using the below command.
  New-AzRoleDefinition -InputFile "samplerole.json"
 
Once you have a role definition in place, you can assign that role. This can be done from the Azure portal as well, but here we use the command below to create the role assignment.
  New-AzRoleAssignment -ResourceGroupName cloud-shell-storage-westeurope -SignInName user3@anupamxxxxxxxxxx.onmicrosoft.com -RoleDefinitionName "My Custom Role"
Here, we are assigning the role at the resource group level. To do that, specify the resource group name, the sign-in name (the user you want to assign the role to), and the role definition name (the Name given inside the samplerole.json file).
 
 
Now the role has been assigned to a user.
 
Now go to the Azure portal and check role assignments onto the resource group from Access control (IAM).
 
 
In addition, if you look at the Roles tab you can see custom role there as well.
 
 
Awesome! The custom role has been registered in Azure and we can go ahead and make use of it.
 

Deleting a Custom Role

 
If you want to delete that role, first delete the role assignment and only then delete the custom role. Otherwise, you will get an error like the one shown below:
Remove-AzRoleDefinition: There are existing role assignments referencing role c5104a7d-4fcd-4eff-a2a3-8e883619417b. The role assignments must be deleted before the role can be deleted.
 
To remove the role assignment, run the command below first. It mirrors the command that created the assignment. The following example removes the My Custom Role assignment from the user3@anupamxxxxxxxx.onmicrosoft.com user on the cloud-shell-storage-westeurope resource group.
  Remove-AzRoleAssignment -ResourceGroupName cloud-shell-storage-westeurope -SignInName user3@anupamxxxxxxxx.onmicrosoft.com -RoleDefinitionName "My Custom Role"
To delete a custom role, use the Remove-AzRoleDefinition command.
  Get-AzRoleDefinition "My Custom Role" | Remove-AzRoleDefinition
 
You can achieve the same through the Azure portal as well: delete the role assignment first, then open the Roles tab, select the custom role, and click Remove.
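The whole lifecycle from the two sections above (create the definition, assign it, then remove assignments before the definition) in a single re-runnable script. This is an added example, not the article's own code; it assumes an authenticated Az session with Owner or User Access Administrator rights, and the resource group name and sign-in name are placeholders.

```powershell
# Added example (not from the original article): builds the same read-only role
# as samplerole.json directly in PowerShell, scopes it to the current subscription,
# assigns it, and tears it down in the order Azure requires.
# Assumes Connect-AzAccount has already been run with sufficient rights.
$RoleName       = "My Custom Role"
$ResourceGroup  = "rg-placeholder"                 # placeholder value
$SignInName     = "user@contoso.onmicrosoft.com"   # placeholder value
$SubscriptionId = (Get-AzContext).Subscription.Id

# 1. Build the definition by cloning a built-in role and replacing its contents,
#    so no JSON is hand-edited and no subscription ID is hard-coded.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null
$role.Name        = $RoleName
$role.IsCustom    = $true
$role.Description = "Allows for read access to Azure VMs and Storage Accounts"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Storage/*/read")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId")

# Create the role only if one with that name does not already exist.
if (-not (Get-AzRoleDefinition -Name $RoleName)) {
    New-AzRoleDefinition -Role $role | Out-Null
}

# 2. Assign at resource-group scope, as in the article.
New-AzRoleAssignment -ResourceGroupName $ResourceGroup -SignInName $SignInName `
    -RoleDefinitionName $RoleName | Out-Null

# 3. Before deleting the role, list every assignment that references it; these are
#    what cause the "existing role assignments referencing role" error.
$assignments = Get-AzRoleAssignment -RoleDefinitionName $RoleName
$assignments | Select-Object DisplayName, SignInName, Scope | Format-Table

# 4. Teardown: remove every assignment first, then the definition itself.
foreach ($a in $assignments) {
    Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $RoleName -Scope $a.Scope
}
Get-AzRoleDefinition -Name $RoleName | Remove-AzRoleDefinition -Force
```

Step 3 is worth running on its own whenever a custom role is retired, since assignments at scopes other than the one you created can block the deletion.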
 

Conclusion

 
In this article, we have seen how to create a custom role from Azure PowerShell, how to assign the newly created role to a user, and finally how to delete that custom role. I hope you gained some insights into this topic and found this information useful!