New-AzureRmRoleDefinition

Creates a custom role in Azure RBAC. Provide either a JSON role definition file or a PSRoleDefinition object as input. First, use the Get-AzureRmRoleDefinition command to generate a baseline role definition object. Then, modify its properties as required. Finally, use this command to create a custom role using role definition.

Warning

The AzureRM PowerShell module has been officially deprecated as of February 29, 2024. Users are advised to migrate from AzureRM to the Az PowerShell module to ensure continued support and updates.

Although the AzureRM module may still function, it's no longer maintained or supported, placing any continued use at the user's discretion and risk. Please refer to our migration resources for guidance on transitioning to the Az module.

Syntax

New-AzureRmRoleDefinition
   [-InputFile] <String>
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]
New-AzureRmRoleDefinition
   [-Role] <PSRoleDefinition>
   [-DefaultProfile <IAzureContextContainer>]
   [<CommonParameters>]

Description

The New-AzureRmRoleDefinition cmdlet creates a custom role in Azure Role-Based Access Control. Provide a role definition as an input to the command as a JSON file or a PSRoleDefinition object. The input role definition MUST contain the following properties:

  1. DisplayName: the name of the custom role
  2. Description: a short description of the role that summarizes the access that the role grants.
  3. Actions: the set of operations to which the custom role grants access. Use Get-AzureRmProviderOperation to get the operation for Azure resource providers that can be secured using Azure RBAC. Following are some valid operation strings:
  • "*/read" grants access to read operations of all Azure resource providers.
  • "Microsoft.Network/*/read" grants access to read operations for all resource types in the Microsoft.Network resource provider of Azure.
  • "Microsoft.Compute/virtualMachines/*" grants access to all operations of virtual machines and its child resource types.
  1. AssignableScopes: the set of scopes (Azure subscriptions or resource groups) in which the custom role will be available for assignment. Using AssignableScopes you can make the custom role available for assignment in only the subscriptions or resource groups that need it, and not clutter the user experience for the rest of the subscriptions or resource groups. Following are some valid assignable scopes:
  • "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e", "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624": makes the role available for assignment in two subscriptions.
  • "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e": makes the role available for assignment in a single subscription.
  • "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network": makes the role available for assignment only in the Network resource group. The input role definition MAY contain the following properties:
  1. NotActions: the set of operations that must be excluded from the Actions to determine the effective actions for the custom role. If there is a specific operation that you do not wish to grant access to in a custom role, it is convenient to use NotActions to exclude it, rather than specifying all operations other than that specific operation in Actions.
  2. DataActions: the set of data operations to which the custom role grants access.
  3. NotDataActions: the set of operations that must be excluded from the DataActions to determine the effective dataactions for the custom role. If there is a specific data operation that you do not wish to grant access to in a custom role, it is convenient to use NotDataActions to exclude it, rather than specifying all operations other than that specific operation in Actions. NOTE: If a user is assigned a role that specifies an operation in NotActions and also assigned another role grants access to the same operation - the user will be able to perform that operation. NotActions is not a deny rule - it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded. Following is a sample json role definition that can be provided as input { "Name": "Updated Role", "Description": "Can monitor all resources and start and restart virtual machines", "Actions": [ "/read", "Microsoft.ClassicCompute/virtualmachines/restart/action", "Microsoft.ClassicCompute/virtualmachines/start/action" ], "NotActions": [ "/write" ], "DataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" ], "NotDataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" ], "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"] }

Examples

Create using PSRoleDefinitionObject

PS C:\> $role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
          PS C:\> $role.Id = $null
          PS C:\> $role.Name = "Virtual Machine Operator"
          PS C:\> $role.Description = "Can monitor, start, and restart virtual machines."
          PS C:\> $role.Actions.RemoveRange(0,$role.Actions.Count)
          PS C:\> $role.Actions.Add("Microsoft.Compute/*/read")
          PS C:\> $role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
          PS C:\> $role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
          PS C:\> $role.Actions.Add("Microsoft.Compute/virtualMachines/downloadRemoteDesktopConnectionFile/action")
          PS C:\> $role.Actions.Add("Microsoft.Network/*/read")
          PS C:\> $role.Actions.Add("Microsoft.Storage/*/read")
          PS C:\> $role.Actions.Add("Microsoft.Authorization/*/read")
          PS C:\> $role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
          PS C:\> $role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/resources/read")
          PS C:\> $role.Actions.Add("Microsoft.Insights/alertRules/*")
          PS C:\> $role.Actions.Add("Microsoft.Support/*")
          PS C:\> $role.AssignableScopes.Clear()
          PS C:\> $role.AssignableScopes.Add("/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")

          PS C:\> New-AzureRmRoleDefinition -Role $role

Create using JSON file

PS C:\> New-AzureRmRoleDefinition -InputFile C:\Temp\roleDefinition.json

Parameters

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputFile

File name containing a single json role definition.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Role

Role definition object.

Type:PSRoleDefinition
Position:0
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Inputs

None

Outputs

PSRoleDefinition

Notes

Keywords: azure, azurerm, arm, resource, management, manager, resource, group, template, deployment