Forum Discussion

Jul 12, 2021

Create a custom role (VM Reader) for a user using PowerShell in Azure!


Hi Azure friends,

This example is about the following customer scenario. A specific user needs to be able to read the settings of all VMs (virtual machines) in a specific subscription, but no more than that: read access to providers like Microsoft.Compute, Microsoft.Network and Microsoft.Storage, and nothing beyond that. So the Reader role in Azure is out of the question. For this reason, I created a custom role with PowerShell (this can also be done in the portal, as you wish).

I used the PowerShell ISE for this configuration, but you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the hashtags are comments):

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE.
Set-Location C:\
Clear-Host

#We need the necessary cmdlets
Install-Module -Name Az -Force -AllowClobber -Verbose

#Log into Azure
Connect-AzAccount

#Please replace "your-subscription-id" with the ID of your subscription, which has a format like this: 86f81fc3-b00f-48cd-8218-3879f51ff362

#Select the correct subscription
Get-AzContext
Get-AzSubscription
Get-AzSubscription -SubscriptionName "your subscription name" | Select-AzSubscription

#First look at the operations a provider exposes
Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize

#Checking the roles for the intended user
Get-AzRoleAssignment -Scope "/subscriptions/your-subscription-id" -SignInName tim.taylor@tomwechsler.xyz

#PowerShell: create the custom role definition (cloned from a built-in role, then trimmed to read-only actions)
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "VM Reader"
$role.Description = "Can see VMs"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/your-subscription-id")

#Create the new role
New-AzRoleDefinition -Role $role

#Assign the new role
New-AzRoleAssignment -SignInName tim.taylor@tomwechsler.xyz -RoleDefinitionName "VM Reader" -Scope "/subscriptions/your-subscription-id"

#Checking the roles for the intended user
Get-AzRoleAssignment -Scope "/subscriptions/your-subscription-id" -SignInName tim.taylor@tomwechsler.xyz

Now we have assigned the new role to the user, and you can check it in the portal. I know that wasn't super fancy at all, but I really wanted to share my experience with you.


I hope this article was useful. Best regards, Tom Wechsler


P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM, etc.) that I use can be found on github! https://github.com/tomwechsler
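As an added example (not part of Tom's post), here is a PowerShell check that expands the role's wildcard Actions against the real provider operations and confirms the resulting set is read-only, which is the least-privilege verification you would run before handing a custom role out. It assumes an existing Connect-AzAccount session and that the "VM Reader" role has already been created; the function names are my own.

```powershell
# Added example, not from the original post. Assumes an active Az session
# and an existing custom role (for example "VM Reader").
function Get-EffectiveRoleOperations {
    param([Parameter(Mandatory)] [string] $RoleName)

    $role = Get-AzRoleDefinition -Name $RoleName
    if (-not $role) { throw "Role definition '$RoleName' not found" }

    # Only query the resource providers the role refers to (e.g. Microsoft.Compute)
    $namespaces = @($role.Actions) + @($role.NotActions) |
        ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique
    $ops = foreach ($ns in $namespaces) { Get-AzProviderOperation "$ns/*" }

    # Expand the wildcards the way RBAC evaluates them: an operation is granted
    # if any Actions pattern matches it and no NotActions pattern matches it.
    # Control plane only; DataActions/NotDataActions are a separate list.
    $ops | Where-Object { -not $_.IsDataAction } | Where-Object {
        $op = $_.Operation
        $allowed = @($role.Actions    | Where-Object { $op -like $_ }).Count -gt 0
        $denied  = @($role.NotActions | Where-Object { $op -like $_ }).Count -gt 0
        $allowed -and -not $denied
    }
}

function Test-ReadOnlyRole {
    param([Parameter(Mandatory)] [string] $RoleName)

    $effective = @(Get-EffectiveRoleOperations -RoleName $RoleName)
    # Anything that does not end in /read is a write, delete or POST-style action
    $nonRead = @($effective | Where-Object { $_.Operation -notlike '*/read' })

    [pscustomobject]@{
        Role           = $RoleName
        OperationCount = $effective.Count
        NonReadCount   = $nonRead.Count
        NonReadOps     = @($nonRead | Select-Object -ExpandProperty Operation)
        IsReadOnly     = ($nonRead.Count -eq 0)
    }
}

# For the "VM Reader" role built above, IsReadOnly should come back True.
Test-ReadOnlyRole -RoleName "VM Reader" | Format-List
```

Re-run the check after any later edit to the role, since a single broad pattern such as "Microsoft.Compute/*" added to Actions would silently turn the role into far more than a reader.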

Replies

Athithya
Brass Contributor

TomWechsler

Thanks for the valuable sharing. I have a small clarification, as below.

I understand that the example you explained covers "actions" under the permission.

Can we achieve "nonActions", "dataActions", "nonDataActions" as well via PowerShell?

I hope yes, because I can see those objects when I read $role in PowerShell. Kindly share your thoughts.
