In this video, learn how to create a custom RBAC role using PowerShell.
- [Instructor] When a built-in role is not granular enough to meet your needs, you can create a custom role. Custom roles can only be created using PowerShell, Azure Command Line Interface, or the REST API, and this is an exam objective. For this demonstration, I've already gone ahead and created a script. And the first step in this script is to list the operations of the role. Now, this is not necessary to create a custom role, but it can be helpful. Here we're gonna get a list of all the provider operations for Microsoft Compute, and to do that use Get-AzureRMProviderOperation for Microsoft Compute.
And these are all the operations that are available under Microsoft Compute. I'm gonna go ahead and create a new custom role for Restore Point Collections, so I will need all of the information for Restore Point Collections. Again, this is not critical. I just wanted to show it to you. Microsoft recommends that you edit a current role instead of creating a new one. To do so, we're gonna output the Contributor role. To do so, use the command Get-AzureRMRoleDefinition.
We're specifying the Contributor role. We're gonna convert this to a JSON file, and the output file will be on our desktop. Let's go ahead and take a look at that role in Visual Studio. If we take a look at this role in its JSON format, we can see the name, which is Contributor, the ID, a description. It tells us we can manage everything except access to resources and we can see the actions is an asterisk, meaning we have access to everything.
And then to prevent actions to resources, we'll include NotActions. I have already gone ahead and modified this JSON file and saved it for Managing Restore Point Collections. Here I've changed the name as well as the description. I've included the read operation for the entire subscription, and I've included everything that falls under Microsoft Compute Restore Point Collections, and I've already saved this.
Let's pop back to our script. Now we can go ahead and input the new role. To do so, you'll use New-AzureRMRoleDefinition -InputFile and then the path to the file itself. We can now see our custom role is available to us, and it's available at the subscription level. Next I can list all of the custom roles, and you'll do that by using Get-AzureRMRoleDefinition, and we're specifying -Custom is true.
And you'll notice that we now have the Manage Restore Point Collections role, as well as we already had an existing one called Virtual Machine Operator. Now before I go ahead and delete the custom role, let's take a look at it in Azure. From within Azure in one of the resource groups, I'm gonna go ahead and select roles, and you can see the Virtual Machine Operator role, and you'll notice that it has a slightly different color. It is orange. If I scroll down, you will now see our new Manage Restore Point Collections role.
If I want to delete the role, I will need the role definition ID, and in order to retrieve that, you'll use the command Get-AzureRMRoleDefinition, specifying that custom role. And here is the ID. And then you'll need to enter in that ID for Remove-AzureRMRoleDefinition and then provide the ID.
I'm prompted with a warning. Am I sure I want to remove this role definition? Yes I do. And if all went well, we should only have one custom role available, the Virtual Machine Operator. Creating custom roles is not difficult. It just requires several steps.
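The full procedure from the video, written out as one added PowerShell script (this is not the instructor's script). It uses the Az module cmdlets (Get-AzProviderOperation, Get-AzRoleDefinition, New-AzRoleDefinition, Remove-AzRoleDefinition, Get-AzRoleAssignment), which replaced the AzureRM cmdlets shown in the video after the AzureRM module was retired; the cmdlet names map one-to-one. It assumes you have already run Connect-AzAccount with an identity that can manage role definitions at the subscription scope; the role name, description and JSON output path are illustrative choices.

```powershell
# Added example (not from the video): create, verify and remove a custom RBAC role.
# Assumes Connect-AzAccount has been run; role name, description and file path are
# illustrative and can be changed freely.
#Requires -Modules Az.Resources

$roleName       = 'Manage Restore Point Collections'                      # assumed name
$jsonPath       = Join-Path $env:USERPROFILE 'Desktop\restorePointRole.json'  # assumed path
$subscriptionId = (Get-AzContext).Subscription.Id

# 1. Discover the provider operations you intend to grant. Not required, but it
#    lets you copy the exact action strings instead of guessing at them.
Get-AzProviderOperation 'Microsoft.Compute/restorePointCollections/*' |
    Select-Object Operation, Description |
    Format-Table -AutoSize

# 2. Start from the built-in Contributor role and export it to JSON. Editing a
#    known baseline makes the diff between "what Microsoft grants" and "what we
#    grant" reviewable later.
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$contributor | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath

# 3. Turn the copy into a least-privilege role.
#    - Id must be null so Azure mints a new definition instead of colliding.
#    - Actions: read everything, write only under restorePointCollections.
#    - AssignableScopes restricts where the role can even be assigned.
$custom = Get-Content -Raw -Path $jsonPath | ConvertFrom-Json
$custom.Id               = $null
$custom.IsCustom         = $true
$custom.Name             = $roleName
$custom.Description      = 'Read all resources in the subscription; manage restore point collections only.'
$custom.Actions          = @('*/read', 'Microsoft.Compute/restorePointCollections/*')
$custom.NotActions       = @()
$custom.AssignableScopes = @("/subscriptions/$subscriptionId")
$custom | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath

# 4. Create the role from the edited file, then list custom roles to confirm it
#    exists alongside any earlier ones (IsCustom = True for all of them).
New-AzRoleDefinition -InputFile $jsonPath | Out-Null
Get-AzRoleDefinition -Custom |
    Select-Object Name, Id, IsCustom, AssignableScopes |
    Format-Table -AutoSize

# 5. Cleanup. Deletion needs the role definition Id, and Azure refuses to delete a
#    definition that still has assignments, so check for those first.
$created     = Get-AzRoleDefinition -Name $roleName
$assignments = Get-AzRoleAssignment -RoleDefinitionId $created.Id
if ($assignments) {
    Write-Warning "Role '$roleName' still has $(@($assignments).Count) assignment(s); remove them before deleting."
}
else {
    Remove-AzRoleDefinition -Id $created.Id -Force
    Write-Host "Removed custom role '$roleName' ($($created.Id))."
}
```

Two points worth keeping in mind when adapting this: `*/read` grants read on every resource type in the subscription, which is usually what an operator role wants but is broader than "read restore point collections", so trim it if the role is for a narrowly scoped service account; and the AssignableScopes entry is what stops the role from being handed out on other subscriptions, so keep it as narrow as the use case allows rather than adding management groups for convenience.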