Azure RBAC
Review built-in roles
bash
az role definition list --name "Virtual Machine Contributor" --output json | jq '.[] | .permissions[0].actions'
powershell
Get-AzRoleDefinition -Name "Virtual Machine Contributor" | Select Actions | ConvertTo-Json
Find resource provider operations
bash
az provider operation show
powershell
Get-AzProviderOperation */virtualMachines/*
Create Role
bash
az role definition create --role-definition vm-operator-role.json
powershell
New-AzRoleDefinition -InputFile "vm-operator-role.json"
Update Role
bash
az role definition update --role-definition "<<path-to-json-file>>"
powershell
Set-AzRoleDefinition -InputFile "<<path-to-json-file>>"
View Custom Role
bash
az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'
powershell
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom
View Role Definition
bash
az role definition list --name "Virtual Machine Operator"
powershell
Get-AzRoleDefinition "Virtual Machine Operator"
View Custom Role Assignment
bash
az role assignment list --role "Virtual Machine Operator"
powershell
Get-AzRoleAssignment -RoleDefinitionName "Virtual Machine Operator"
Delete Role
bash
az role definition delete --name "role name"
powershell
Get-AzRoleDefinition "role name" | Remove-AzRoleDefinition
Assign Role
bash
az role assignment create --assignee "<UPN>" --role "Virtual Machine Operator"
Assign Role 2
bash
az role assignment create \
--assignee rbacuser@example.com \
--role "Owner" \
--subscription <subscription_name_or_id>
powershell
New-AzRoleAssignment `
-SignInName rbacuser@example.com `
-RoleDefinitionName "Owner" `
-Scope "/subscriptions/<subscriptionID>"
Remove Assignment Role
bash
# no --assignee or --scope filter is given here, so every assignment of this role at the default scope is removed
az role assignment delete --role "role name"
powershell
Remove-AzRoleAssignment -ObjectId <object_id> -RoleDefinitionName "role name" -Scope /subscriptions/<subscription_id>