Azure Resource Manager RBAC management practical tips
Please make sure that you have installed the latest Azure and Azure AD PowerShell libraries as I posted in my previous blogs. https://aka.ms/op0ndc
First let's sign in to Azure (authentication goes through Azure AD) and select the subscription to work in. Replace '???' with your subscription ID.
$cred = Get-Credential
Add-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionId '???'
This script lists all the role definitions.
Get-AzureRmRoleDefinition | Select-Object Name
This script lists all possible actions for a particular role.
(Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').Actions
This script lists all possible operations for a resource provider.
Get-AzureRmProviderOperation 'Microsoft.Compute/*' | Select-Object Operation,OperationName | fl
This script lists all possible action operations for a resource provider.
Get-AzureRmProviderOperation 'Microsoft.Compute/*/action' | Select-Object Operation,OperationName | fl
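The wildcards in a role's Actions hide how much the role really grants. The following function is an added example, not code from the original post: it expands every action of a role through Get-AzureRmProviderOperation (the same cmdlet used above) into the concrete operations it covers, subtracts the role's NotActions, and returns the effective set so a reviewer can check a role for least privilege. The function name and parameters are my own, and it assumes an existing Add-AzureRmAccount session.

```powershell
# Added example (not from the original post). Expands a role's Actions into the
# concrete provider operations they grant. Assumes a signed-in AzureRM session;
# the function name and its parameters are assumptions of this example.
function Get-RoleEffectiveOperations {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RoleName
    )

    $role = Get-AzureRmRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }

    # Expand one action string. Wildcards are resolved against the provider
    # operation catalogue; literal operation strings are returned unchanged.
    $expand = {
        param([string]$action)
        if ($action.Contains('*')) {
            Get-AzureRmProviderOperation $action | ForEach-Object { $_.Operation }
        } else {
            $action
        }
    }

    $allowed = @($role.Actions    | ForEach-Object { & $expand $_ })
    $denied  = @($role.NotActions | ForEach-Object { & $expand $_ })

    # Effective set = Actions minus NotActions. In ARM RBAC, NotActions subtract
    # from what Actions grant; they are not explicit deny rules.
    $allowed | Where-Object { $denied -notcontains $_ } | Sort-Object -Unique
}

# Usage: list every concrete operation the built-in Virtual Machine Contributor
# role grants, then show only the non-read operations (write/delete/action),
# which are the ones worth scrutinising before handing the role to an operator.
$ops = Get-RoleEffectiveOperations -RoleName 'Virtual Machine Contributor'
$ops | Where-Object { $_ -notlike '*/read' } | Format-List
```

Running the same function against a custom role before and after you edit it is a quick way to confirm that a change such as adding 'Microsoft.Compute/*/action' did not quietly pull in operations you did not intend to grant.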
In order to create a custom role definition in a subscription you own, you can clone an existing role definition and modify it by adding or removing resource provider operations. The following script clones the built-in Virtual Machine Contributor role, replaces its actions with a smaller set, and limits the assignable scope to your subscription. Replace '???' with your subscription ID.
$subscriptionID = '???'
$role = Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id= $null
$role.Name= 'My Custom VM Operator'
$role.Description= 'This custom role can monitor, start, and restart virtual machines.'
$role.Actions.RemoveRange(0,$role.Actions.Count)
$role.Actions.Add('Microsoft.Compute/*/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/redeploy/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/poweroff/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$role.Actions.Add('Microsoft.Network/*/read')
$role.Actions.Add('Microsoft.Storage/*/read')
$role.Actions.Add('Microsoft.Authorization/*/read')
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/resources/read')
$role.Actions.Add('Microsoft.Insights/alertRules/*')
$role.Actions.Add('Microsoft.Support/*')
$role.AssignableScopes.Remove('/') | Out-Null
$role.AssignableScopes.Add('/subscriptions/' + $subscriptionID)
New-AzureRmRoleDefinition -Role $role
In order to remove the custom role you created, you can run the following script.
Get-AzureRmRoleDefinition 'My Custom VM Operator' | Remove-AzureRmRoleDefinition
In order to modify an existing custom role, you can run the following script.
$role = Get-AzureRmRoleDefinition 'My Custom VM Operator'
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
Set-AzureRmRoleDefinition -Role $role
In order to assign the custom role to different scopes, you can run the following script.
$role = Get-AzureRmRoleDefinition 'My Custom VM Operator'
$role.AssignableScopes.Add("/subscriptions/???")
Set-AzureRmRoleDefinition -Role $role
In order to clear all assignable scopes for a custom role, please run the following script.
$role = Get-AzureRmRoleDefinition 'My Custom VM Operator'
$role.AssignableScopes.Clear()
Set-AzureRmRoleDefinition -Role $role
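The remove and modify steps above work, but each has a sharp edge in practice: a role definition needs at least one assignable scope, so Clear() is normally followed by Add() of the new scopes before Set-AzureRmRoleDefinition, and Azure rejects deleting a role definition that still has role assignments. The following functions are an added example, not code from the original post; they wrap the same cmdlets shown above with those checks. The function names are my own, and the script assumes a signed-in session and the 'My Custom VM Operator' role created earlier.

```powershell
# Added example (not from the original post). Two guarded maintenance steps for
# a custom role, built on the same cmdlets used in the post. Function names are
# assumptions of this example; assumes a signed-in AzureRM session.

# Replace the assignable scopes in one step. Clear() on its own leaves the role
# with no scope, and a role definition must keep at least one assignable scope,
# so the new scopes are added before Set-AzureRmRoleDefinition is called.
function Set-CustomRoleScopes {
    param(
        [Parameter(Mandatory = $true)][string]$RoleName,
        [Parameter(Mandatory = $true)][string[]]$SubscriptionId
    )
    $role = Get-AzureRmRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }
    if (-not $role.IsCustom) { throw "'$RoleName' is a built-in role and cannot be modified" }

    $role.AssignableScopes.Clear()
    foreach ($id in $SubscriptionId) {
        $role.AssignableScopes.Add("/subscriptions/$id")
    }
    Set-AzureRmRoleDefinition -Role $role
}

# Delete a custom role only after confirming nobody is still assigned to it.
# Listing the assignments first also shows which principals would lose access.
function Remove-CustomRoleSafely {
    param([Parameter(Mandatory = $true)][string]$RoleName)
    $role = Get-AzureRmRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role '$RoleName' not found" }
    if (-not $role.IsCustom) { throw "Refusing to delete built-in role '$RoleName'" }

    $assignments = @(Get-AzureRmRoleAssignment -RoleDefinitionName $RoleName)
    if ($assignments.Count -gt 0) {
        Write-Warning "'$RoleName' still has $($assignments.Count) assignment(s); remove them first:"
        $assignments | Format-Table DisplayName, ObjectType, Scope
        return
    }
    $role | Remove-AzureRmRoleDefinition -Force
}

# Usage (replace the placeholders with real subscription IDs):
Set-CustomRoleScopes -RoleName 'My Custom VM Operator' -SubscriptionId '<sub-id-1>', '<sub-id-2>'
Remove-CustomRoleSafely -RoleName 'My Custom VM Operator'
```

The IsCustom check in both functions is deliberate: built-in roles cannot be edited or deleted, and failing early with a clear message is friendlier than the authorization error Azure would return.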
In order to list all custom roles that are created, you can run the following script.
Get-AzureRmRoleDefinition | Where-Object { $_.IsCustom -eq $true } | Format-Table Name, IsCustom
If a delegated power user gets the error "Registering the Resource Providers failed. The client does not have authorization to perform action over scope. Authorization failed." even though you assigned that person the Owner role at resource group level in Azure ARM RBAC, the resource providers have not yet been registered in the subscription. Provider registration is a subscription-level action, which an Owner scoped to a resource group cannot perform, so you need to register the resource providers yourself. You can overcome this minor issue by running the following script, which registers all available resource providers in each of your subscriptions.
Add-AzureRmAccount
$subscriptions = Get-AzureRmSubscription
foreach ($sub in $subscriptions)
{
    Select-AzureRmSubscription -SubscriptionId $sub.SubscriptionId
    Get-AzureRmResourceProvider -ListAvailable | Register-AzureRmResourceProvider -Force
}
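Registering every available provider in every subscription is the quick fix, but it enables far more than a VM operator needs. The following function is an added example, not code from the original post: it registers only the providers whose RegistrationState is not yet 'Registered', optionally restricted to an allow-list of namespaces, and returns a record of what it changed so the action is auditable. The function name and its parameter are my own, and it assumes a signed-in session with rights to register providers.

```powershell
# Added example (not from the original post). Registers only providers that are
# not yet registered, optionally limited to an allow-list, and reports each
# change. Function name and parameter are assumptions of this example; assumes
# a signed-in AzureRM session with subscription-level rights.
function Register-MissingResourceProviders {
    param(
        # Optional allow-list of namespaces; when empty, every available provider is considered.
        [string[]]$ProviderNamespace = @()
    )
    foreach ($sub in Get-AzureRmSubscription) {
        Select-AzureRmSubscription -SubscriptionId $sub.SubscriptionId | Out-Null

        # Only providers still pending registration, filtered by the allow-list if one was given.
        $pending = Get-AzureRmResourceProvider -ListAvailable |
            Where-Object { $_.RegistrationState -ne 'Registered' } |
            Where-Object { $ProviderNamespace.Count -eq 0 -or $ProviderNamespace -contains $_.ProviderNamespace }

        foreach ($p in $pending) {
            Register-AzureRmResourceProvider -ProviderNamespace $p.ProviderNamespace -Force | Out-Null
            # Emit one record per registration so the caller can log or review the changes.
            [pscustomobject]@{
                Subscription  = $sub.SubscriptionId
                Provider      = $p.ProviderNamespace
                PreviousState = $p.RegistrationState
            }
        }
    }
}

# Usage: register just the providers the delegated VM operators from this post need.
Register-MissingResourceProviders -ProviderNamespace 'Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage' | Format-Table
```

Run it without -ProviderNamespace to get the same blanket behaviour as the script above, but with a record of which subscriptions and providers actually changed state.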