Create a custom RBAC role in Azure

In Azure it is very easy to delegate rights to internal or external users. Sometimes the standard RBAC role definitions are not sufficient to delegate at the right level of access, and that's where custom RBAC roles come in. In this post we will go through the process of creating a custom RBAC role in Azure.

You will need the Azure PowerShell module for this. In case you have not installed this yet, you can download it from here.

In case you are not yet familiar with Azure RBAC role definitions, it is good to first explore the existing role definitions and operations a bit in PowerShell.

# Login with your Azure account and select the subscription you want to use.

Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionName "Developer Program Benefit"

First we will get the standard role definitions.

# List all standard role definitions
Get-AzureRmRoleDefinition | FT Name, Description -AutoSize

As you can see there are already many role definitions. Before creating your own custom roles you should examine whether a standard role already does what you want to achieve. In some cases it can be handy to use a standard role as a base for your custom role.

Now let's zoom in a bit on the actions for a specific role. In this case we look at the "Virtual Machine Contributor" role.

# Get all actions for a specific role definition
# In this example "Virtual Machine Contributor"
$VMContribRole = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$VMContribRole.Actions


As you can see, the "Virtual Machine Contributor" role defines the actions a user can perform once the role is assigned to that user. On the first line you will see an action that is included in almost all standard roles: "Microsoft.Authorization/*/read". We will include this one in our custom role as well.

To get a full list of all the resources and the actions that can be assigned to a user, use the PowerShell line below:

Get-AzureRmProviderOperation *

With this extensive list of actions it is possible to create your own custom Role Definitions.

Example

In the following example we need to delegate the administration of a Notification Hub to an external user. We will create a custom role so we can give the external user access to the Notification Hub. The Notification Hub is created in a resource group named "RGNotificationHub".

From the full operation listing it is clear we need operations under "Microsoft.Notificationhubs" and "Microsoft.Resources/Subscriptions/ResourceGroups" in our custom role. We will scope the custom role to the resource group "RGNotificationHub", so the custom role can only be assigned to users for this resource group.

We are going to create a JSON file that describes our custom role definition. Put in your own subscription ID and resource group name where applicable. If you want the custom role to be assignable throughout the subscription, leave out the resource group part of the scope.

{
  "Name": "Notification Hub Administrators",
  "Description": "Can manage Notification Hubs",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Notificationhubs/*",
    "Microsoft.Resources/Subscriptions/ResourceGroups/read",
    "Microsoft.Resources/Subscriptions/ResourceGroups/resources/read"
  ],
  "AssignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789012/ResourceGroups/RGNotificationHub"]
}

From PowerShell we will now create the new custom role using the JSON file we just created:

New-AzureRmRoleDefinition -InputFile "C:\Temp\NotificationHubAdmin.json"

Now we can assign the custom role to a user or group at a certain scope. This can be at subscription level, for instance, but also at resource group level. The test user used in this example is a standard user account and does not have any rights to Azure subscriptions or resources. We will assign the custom role at the scope of the resource group RGNotificationHub.


When we sign in as the test user, we only have access to the resource group RGNotificationHub and the Notification Hub resources in it. We have now successfully delegated the administration of the Notification Hub.
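The same procedure done entirely in PowerShell, as an added example that is not part of the original post: it uses a standard role as the base object (as suggested earlier), scopes the role to the resource group, assigns it to the test user, and verifies the assignment. The subscription ID and the user's sign-in name are placeholders you must replace.

```powershell
# Added example (not from the original post). Assumes the AzureRm module is
# loaded and Login-AzureRmAccount / Select-AzureRmSubscription were run.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "RGNotificationHub"
$userSignIn     = "testuser@contoso.example"                # placeholder
$rgScope        = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

$actions = @(
    "Microsoft.Authorization/*/read",
    "Microsoft.NotificationHubs/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
)

# Sanity check: confirm each resource provider we grant actions on actually
# exposes operations, so a typo does not end up as a dead (or wrong) entry.
foreach ($a in $actions) {
    $provider = $a.Split("/")[0]
    if (-not (Get-AzureRmProviderOperation "$provider/*")) {
        throw "No operations found for provider '$provider' (check action '$a')"
    }
}

# Use a standard role as the base so the object has the right shape, then
# replace everything that matters. Id must be cleared for a new definition.
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id          = $null
$role.Name        = "Notification Hub Administrators"
$role.Description = "Can manage Notification Hubs"
$role.IsCustom    = $true
$role.Actions.Clear()
$actions | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)   # assignable only inside this resource group

$created = New-AzureRmRoleDefinition -Role $role

# Assign at resource-group scope. An assignment at subscription scope would be
# refused because of AssignableScopes, which is exactly the guard rail we want.
New-AzureRmRoleAssignment -SignInName $userSignIn `
    -RoleDefinitionName $created.Name -ResourceGroupName $resourceGroup

# Verify: the test user should hold this role at this scope and nothing else.
Get-AzureRmRoleAssignment -SignInName $userSignIn |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```

Review the final Get-AzureRmRoleAssignment output before handing the account over: "Microsoft.NotificationHubs/*" covers every operation of that provider, so any extra assignment at a wider scope would broaden the delegation well beyond the one resource group.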


For other custom roles the procedure is basically the same. Just let your imagination go wild.

In case you want more background information on access management and custom roles, the Azure Role Based Access Control documentation is a good starting point.
