Azure Custom Roles: A Step-by-Step Guide to Creating and Managing

Creating custom roles in Azure is a straightforward process that can be completed in a few steps. You can create custom roles in the Azure portal.

First, you'll need to decide what permissions your custom role will have. This is done by selecting the permissions from the Azure built-in roles or by specifying custom permissions. You can also inherit permissions from an existing role.

To create a custom role, you'll need to provide a name and description. This will help you and others identify the role's purpose. The name should be descriptive and easy to understand.

When you start from an existing role, the custom role begins with all of that role's permissions unless you specify otherwise. You can then remove actions, so a custom role can end up with fewer permissions than the role it was based on.

Creating Custom Roles

To create a custom role, you first need to determine the permissions you need, which can be done by looking at existing built-in roles and listing the Azure services you want to grant access to.

You can create custom roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. The easiest way is to use the Azure portal.

Decide how you want to create the custom role. You can start with an existing built-in role and modify it for your needs. You will add the actions to the Actions or NotActions properties of the role definition.

To determine the permissions you need, you can look at existing built-in roles, list the Azure services you want to grant access to, determine the resource providers that map to the Azure services, and search the available permissions.

On the Basics tab, you specify the name, description, and baseline permissions for your custom role. The name must be unique for the Microsoft Entra directory and can include letters, numbers, spaces, and special characters.

Here are the basic steps to create a custom role:

  1. Determine the permissions you need
  2. Decide how you want to create the custom role
  3. Create the custom role
  4. Test the custom role

You can also use the following methods to determine the permissions you need:

  • Look at existing built-in roles
  • List the Azure services you want to grant access to
  • Determine the resource providers that map to the Azure services
  • Search the available permissions

Remember to test your custom role to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

Properties and Settings

Custom roles in Azure have several properties and settings that you need to understand to create and manage them effectively.

The display name of the custom role, also known as roleName, is required and can include letters, numbers, spaces, and special characters. It must be unique at the scope of the Microsoft Entra tenant and can have a maximum of 512 characters.

The unique ID of the custom role, also known as name, is automatically generated when you create a new role using Azure PowerShell or Azure CLI.

You need to indicate whether the role is custom or built-in with the roleType property: true or CustomRole marks a custom role, and false or BuiltInRole marks a built-in role.

The description of the custom role, also known as description, is required and can include letters, numbers, spaces, and special characters. It can have a maximum of 2048 characters.

You can specify the control plane actions that the role allows to be performed by providing an array of strings in the actions property.

You can also specify the control plane actions that are excluded from the allowed actions by providing an array of strings in the notActions property.

You need to specify the scopes that the custom role is available for assignment by providing an array of strings in the assignableScopes property. The maximum number of assignableScopes is 2,000.
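As an added example that is not part of the original article, the following Python checks a role definition against the property limits listed in this section (roleName up to 512 characters, description up to 2048, at most 2,000 assignableScopes, roleType CustomRole) and against the three scope kinds the article mentions (management group, subscription, resource group). The example role, its subscription GUID and its action strings are constructed for illustration.

```python
"""Check a custom role definition against the limits described in the article.
Added example, not from the original; the role at the bottom is constructed."""
import re

MAX_ROLE_NAME = 512  # roleName limit
MAX_DESCRIPTION = 2048  # description limit
MAX_ASSIGNABLE_SCOPES = 2000  # assignableScopes limit
# Management group, subscription or resource group scope (the three kinds the
# article lists for assignableScopes); the GUID check is deliberately loose.
SCOPE_PATTERN = re.compile(r"^/(providers/Microsoft\.Management/managementGroups/[^/]+"
                           r"|subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?)$")


def validate_role_definition(role: dict) -> list[str]:
    """Return the problems found; an empty list means the definition passes."""
    problems = []
    name = role.get("roleName") or ""
    if not name:
        problems.append("roleName is required")
    elif len(name) > MAX_ROLE_NAME:
        problems.append(f"roleName longer than {MAX_ROLE_NAME} characters")
    description = role.get("description") or ""
    if not description:
        problems.append("description is required")
    elif len(description) > MAX_DESCRIPTION:
        problems.append(f"description longer than {MAX_DESCRIPTION} characters")
    if role.get("roleType") != "CustomRole":
        problems.append("roleType must be CustomRole")
    scopes = role.get("assignableScopes") or []
    if not scopes:
        problems.append("assignableScopes must contain at least one scope")
    elif len(scopes) > MAX_ASSIGNABLE_SCOPES:
        problems.append(f"more than {MAX_ASSIGNABLE_SCOPES} assignableScopes")
    problems += [f"malformed scope: {s}" for s in scopes if not SCOPE_PATTERN.match(s)]
    # Action strings have the form Provider/resourceType/operation, so each needs a slash.
    bad = [a for k in ("actions", "notActions") for a in role.get(k) or [] if "/" not in a]
    problems += [f"malformed action string: {a}" for a in bad]
    if not role.get("actions"):
        problems.append("actions is empty, so the role grants nothing")
    return problems


# Constructed example: a reader role scoped to one subscription (GUID is made up).
EXAMPLE_ROLE = {
    "roleName": "Billing Reader Plus",
    "description": "Read billing data and role definitions in one subscription.",
    "roleType": "CustomRole",
    "actions": ["Microsoft.Billing/*/read", "Microsoft.Authorization/*/read"],
    "notActions": [],
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}
```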

Managing Custom Roles

Managing custom roles is a crucial aspect of Azure Active Directory (Azure AD). To create a custom role, you must have the necessary permissions, such as the Microsoft.Authorization/roleDefinitions/write permission on all the assignable scopes.

You can create a custom role using the Azure portal or the Azure CLI. To create a custom role using the Azure portal, navigate to the Azure AD portal and access the "Roles and administrators" menu.

To update a custom role, use the Role Definitions - Create Or Update REST API. To call this API, you must be signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/write permission on all the assignable scopes.

Before you delete a custom role, remove any role assignments that use it. To find them, list the custom role definition, read the management groups, subscriptions, and resource groups in its AssignableScopes section, and then list the role assignments at each of those scopes.

Here are the steps to delete a custom role:

  1. Remove any role assignments that use the custom role.
  2. Open your list of custom roles.
  3. Click the ellipsis (...) for the custom role you want to delete and then click Delete.

You can also use the Role Definitions - Delete REST API to delete a custom role. To call this API, you must be signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/delete permission on all the assignable scopes.

Here are the steps to delete a custom role using the Role Definitions - Delete REST API:

  1. Remove any role assignments that use the custom role.
  2. Use the Role Definitions - List or Role Definitions - Get REST API to get the GUID identifier of the custom role.
  3. Start with the following request: DELETE https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
  4. Replace {scope} with the scope at which you want to delete the custom role.
  5. Replace {roleDefinitionId} with the GUID identifier of the custom role.

By following these steps, you can effectively manage custom roles in Azure AD.

Prerequisites and Setup

To create and manage custom roles in Azure Active Directory, you'll need to meet some prerequisites. An organization must have an Azure AD Premium P1 or P2 license to create custom roles.

You'll also need to have the necessary permissions to create custom roles, such as being a Privileged Role Admin or Global Admin. This ensures that only authorized individuals can create and manage custom roles.

If you plan to use PowerShell to create and manage custom roles, you'll need to install the AzureADPreview module. This will give you the necessary tools to automate custom role creation and management.

To get started, navigate to the Azure Active Directory portal and click on "Roles and administrators." From there, you can create a new custom role by clicking on the "+ New custom role" button.

Permissions and Access

Custom roles in Azure Active Directory allow you to grant permissions to users and groups, giving them the necessary access to perform specific tasks.

To create a custom role, you need to grant permissions in the Permissions section of the workflow. This is where you specify what actions and data permissions are allowed or denied.

You can also exclude permissions from a wildcard permission by clicking Exclude permissions to open the Exclude permissions pane. This is useful when you want to subtract specific permissions from an allowed wildcard permission, such as not allowing an export to be deleted.

Wildcard

Wildcard permissions are a powerful tool in Azure, allowing you to grant access to a wide range of actions with a single permission. You can add wildcards (*) to define permissions, but it's recommended to specify actions and data actions explicitly instead of using wildcards.

A wildcard (*) extends a permission to everything that matches the action string you provide. For example, adding a wildcard string "Microsoft.Authorization/*" is equivalent to adding all the permissions related to Azure Cost Management and exports.

You can't add a new wildcard permission using the Add permissions pane, but you can add it manually using the JSON tab. Excluding permissions is not the same as denying; it is simply a convenient way to subtract permissions from a wildcard permission.

Wildcard permissions can be used to grant access to a wide range of actions, but be careful not to grant too much access, as it can lead to unwanted behavior. Excluding permissions is a useful way to subtract specific permissions from a wildcard permission.

Permissions

Permissions are the foundation of access control in Azure Active Directory. You can grant permissions to a custom role by specifying the actions and data actions that the role can perform.

To grant permissions, you can use the Permissions section of the workflow when creating a new custom role. Here, you can select the actions and data actions that the role can perform, such as "Microsoft.Authorization/*/read" and "Microsoft.Billing/*/read".

You can also use the Exclude permissions feature to subtract specific permissions from a wildcard permission. This is useful when you want to exclude certain actions or data actions from a wildcard permission. For example, you can exclude the "delete" action from a wildcard permission that allows exporting data.

Here's an example of how to exclude a permission:

  • To exclude or subtract a permission from an allowed wildcard permission, click Exclude permissions to open the Exclude permissions pane.
  • On this pane, specify the management or data permissions that are excluded or subtracted.
  • Once you find one or more permissions that you want to exclude, add a check mark next to the permissions and then click the Add button.
  • The permission gets added as a NotActions or NotDataActions.

By using the Exclude permissions feature, you can fine-tune the permissions of your custom role and ensure that users have the right level of access to perform their tasks.
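As an added example that is not part of the original article, the following Python implements the wildcard and exclusion semantics described in the Wildcard and Permissions sections above: a * matches any run of characters in an operation string, a NotActions entry subtracts from the role's own Actions, and because excluding is not denying, a second assigned role can still grant the subtracted operation. The role names and the Cost Management export operation strings are constructed for illustration.

```python
"""Evaluate what a custom role's Actions/NotActions permit.
Added example, not from the article. Role names and the Cost Management
export operation strings are constructed for illustration."""
import re


def action_matches(pattern: str, operation: str) -> bool:
    """True if the operation is covered by the action string; '*' matches any run
    of characters (including '/'), and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    """A single role allows an operation if some Action covers it and no
    NotAction covers it (NotActions subtract from this role's Actions only)."""
    granted = any(action_matches(a, operation) for a in role.get("actions", []))
    excluded = any(action_matches(n, operation) for n in role.get("notActions", []))
    return granted and not excluded


def effective_permit(roles: list[dict], operation: str) -> bool:
    """Across all roles assigned to a principal, permissions are additive: an
    exclusion in one role does not block a grant from another (exclude != deny)."""
    return any(role_permits(r, operation) for r in roles)


# Constructed role modelled on the article's export example: manage exports
# but never delete one.
EXPORT_OPERATOR = {
    "roleName": "Export Operator (example)",
    "actions": ["Microsoft.CostManagement/exports/*", "Microsoft.Billing/*/read"],
    "notActions": ["Microsoft.CostManagement/exports/delete"],
}
# A second constructed role that grants delete outright.
EXPORT_CLEANER = {
    "roleName": "Export Cleaner (example)",
    "actions": ["Microsoft.CostManagement/exports/delete"],
    "notActions": [],
}

if __name__ == "__main__":
    for op in ("Microsoft.CostManagement/exports/read",
               "Microsoft.CostManagement/exports/delete",
               "Microsoft.Billing/invoices/read"):
        print(f"{op}: operator alone={role_permits(EXPORT_OPERATOR, op)}, "
              f"operator+cleaner={effective_permit([EXPORT_OPERATOR, EXPORT_CLEANER], op)}")
```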

Listing and Reviewing

To view your custom roles, open a management group, subscription, or resource group and then open Access control (IAM). Click the Roles tab to see a list of all the built-in and custom roles. In the Type list, select CustomRole to just see your custom roles. If you just created your custom role and you don't see it in the list, click Refresh.

You can also use the Role Definitions - List REST API to list all custom role definitions in a tenant. This API allows you to filter based on the CustomRole type.

Here are the steps to list all custom role definitions in a tenant using the Role Definitions - List REST API:

  • Replace {scope} with the scope for which you want to list the roles.
  • Replace {filter} with the role type, which is $filter=type+eq+'CustomRole'.
  • Use the following example as a reference: GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01

To list custom role definitions at a scope, you can use the Role Definitions - List REST API with a modified scope and filter. Here are the steps:

  • Replace {scope} with the scope for which you want to list the roles, such as subscriptions/{subscriptionId1}.
  • Replace {filter} with the role type, which is $filter=type+eq+'CustomRole'.
  • Use the following example as a reference: GET https://management.chinacloudapi.cn/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01

You can also list a custom role definition by its display name using the Role Definitions - Get REST API. Here are the steps:

  • Replace {scope} with the scope for which you want to list the roles, such as subscriptions/{subscriptionId1}.
  • Replace {filter} with the display name for the role, which is $filter=roleName+eq+'{roleDisplayName}'.
  • Use the following example as a reference: GET https://management.chinacloudapi.cn/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName+eq+'Billing Reader Plus'&api-version=2022-04-01
