Unable to create Azure Custom Role using JSON and the PowerShell New-AzRoleDefinition?

EnterpriseArchitect 5,406 Reputation points
2024-09-11T07:30:52.85+00:00

When I execute the PowerShell script below to create a custom Azure role based on the JSON content below, I get the error shown further down.

Script:

```powershell
$paramNewAzRoleDefinition = @{
    InputFile = 'C:\Custom.JSON'   # the path must be a quoted string; an unquoted path is a parse error
    Verbose   = $true
    Debug     = $true
}
New-AzRoleDefinition @paramNewAzRoleDefinition
```

JSON File:

```json
{
    "Name": "Custom Role - Device Management Team",
    "IsCustom": true,
    "Description": "3rd party external contractor",
    "NotActions": [
    ],
    "Actions": [
        "Device.ReadWrite.All",
        "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementServiceConfig.ReadWrite.All",
        "Directory.ReadWrite.All"
    ],
    "AssignableScopes": [
        "d8423ac7-ea13-4ae7-8661-b53cdd2683c3"
    ]
}
```

Error:

```text
Body: { "error": { "code": "InvalidActionOrNotAction", "message": "'Device.ReadWrite.All' does not match any of the actions supported by the providers." } }

New-AzRoleDefinition : Operation returned an invalid status code 'BadRequest'
+ New-AzRoleDefinition @paramNewAzRoleDefinition
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzRoleDefinition], ErrorResponseException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleDefinitionCommand
```

Any help would be greatly appreciated.


2 answers

  1. ZhoumingDuan-MSFT 13,735 Reputation points Microsoft Vendor
    2024-09-12T06:03:32.23+00:00

    @EnterpriseArchitect, Thanks for posting in Q&A.

    The error message may indicate that the JSON data format is not correct. Here are some links that may help you find the correct format.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell#create-a-custom-role-with-json-template

    https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroledefinition?view=azps-12.3.0#description

    Hope it will help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Navya 12,325 Reputation points Microsoft Vendor
    2024-09-12T06:28:32.6433333+00:00

    Hi @EnterpriseArchitect

    Thank you for posting this in Microsoft Q&A.

    I understand that you are trying to create a custom Azure role using PowerShell but are encountering the error below.

    "Body: {"error": {"code": "InvalidActionOrNotAction", "message": "'Device.ReadWrite.All' does not match any of the actions supported by the providers." } }".

    New-AzRoleDefinition creates a custom role in Azure RBAC. The error message indicates that 'Device.ReadWrite.All' does not correspond to any actions supported by the providers. This is because you are using Graph API permissions. Instead, you should specify valid Azure resource providers that can be secured using Azure RBAC. Below are some examples of valid operation strings.

    • "Microsoft.Network/*/read" grants access to read operations for all resource types in the Microsoft.Network resource provider of Azure.
    • "Microsoft.Compute/virtualMachines/*" grants access to all operations of virtual machines and its child resource types.

    Use Get-AzProviderOperation to get the operations exposed by Azure resource providers.

    For example:

    ```powershell
    # Gets all actions that can be performed on virtual machines
    Get-AzProviderOperation */virtualMachines/*
    ```

    For more information: Get-AzProviderOperation

    New-AzRoleDefinition

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
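As an added example (not code from the original thread or from Microsoft), the following PowerShell checks every entry of a custom-role JSON file against the operations that Azure resource providers actually expose (via Get-AzProviderOperation) and against the required AssignableScopes format, and only then calls New-AzRoleDefinition. It also shows the role from the question rewritten with Azure RBAC operations; the Intune permissions in the original file (Device.ReadWrite.All and the DeviceManagement*.ReadWrite.All set) are Microsoft Graph permissions, which are granted to an app registration or through Entra ID directory roles, not through an Azure RBAC role definition. The function name Test-AzCustomRoleFile, the sample actions chosen, the temporary file path and the zeroed subscription GUID are assumptions for illustration; the script requires the Az.Resources module and a session signed in with Connect-AzAccount.

```powershell
#Requires -Modules Az.Resources

function Test-AzCustomRoleFile {
    # Returns a list of problems found in a role-definition JSON file (empty list = looks valid).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $role     = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $problems = [System.Collections.Generic.List[string]]::new()

    # Every Actions/NotActions entry must be an Azure RBAC operation string in
    # <Provider>/<resource>/<verb> form, e.g. "Microsoft.Compute/virtualMachines/read".
    # Graph permission names such as "Device.ReadWrite.All" never match a provider
    # operation and produce the InvalidActionOrNotAction error seen in the question.
    foreach ($list in 'Actions', 'NotActions') {
        foreach ($action in @($role.$list)) {
            if ($action -notmatch '^Microsoft\.[A-Za-z0-9]+/') {
                $problems.Add("$list entry '$action' is not a <Provider>/<resource>/<verb> string (looks like a Graph or Entra permission, not an Azure RBAC action)")
                continue
            }
            # Get-AzProviderOperation accepts wildcards, so patterns such as
            # "Microsoft.Network/*/read" are expanded; we only require at least one match.
            $ops = Get-AzProviderOperation -OperationSearchString $action -ErrorAction SilentlyContinue
            if (-not $ops) {
                $problems.Add("$list entry '$action' matches no operation exposed by any resource provider")
            }
        }
    }

    # AssignableScopes must be full scope IDs; a bare subscription GUID (as in the
    # question's file) is rejected by the service.
    foreach ($scope in @($role.AssignableScopes)) {
        if ($scope -notmatch '^/(subscriptions|providers/Microsoft\.Management/managementGroups)/') {
            $problems.Add("AssignableScopes entry '$scope' must start with /subscriptions/ or /providers/Microsoft.Management/managementGroups/")
        }
    }

    return $problems
}

# Constructed sample: the question's role rewritten with Azure RBAC operations.
# The subscription GUID is a placeholder; replace it with your own.
$roleJson = @'
{
  "Name": "Custom Role - Device Management Team",
  "IsCustom": true,
  "Description": "3rd party external contractor",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Network/*/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
'@

$path = Join-Path ([System.IO.Path]::GetTempPath()) 'Custom.json'   # assumed temp location
Set-Content -Path $path -Value $roleJson -Encoding utf8

$issues = Test-AzCustomRoleFile -Path $path
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Role definition is invalid; not calling New-AzRoleDefinition."
}

# Same splatting style as the question, now with a validated file.
$paramNewAzRoleDefinition = @{
    InputFile = $path
    Verbose   = $true
}
New-AzRoleDefinition @paramNewAzRoleDefinition
```

Running Test-AzCustomRoleFile against the original Custom.JSON from the question reports all six Graph permission names as non-RBAC actions and the bare GUID as an invalid scope, which is the same information the BadRequest body gives, but for every entry at once and before anything is sent to the service. Keep the Actions list as narrow as the contractor's task requires; "Microsoft.Network/*/read" and the virtual machine operations above are only illustrations of the string format.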

