Exercise - View and manage an Azure custom role


In this unit, you'll view, update, and delete the Azure custom role you created in the previous exercise.

View custom roles within the portal

Let's use the Azure portal to see the custom roles in your subscription.

  1. Sign into the Azure portal with the same account you used for the previous exercise.

  2. Search for and select Subscriptions from the top of the Azure portal.

  3. Select the subscription to which you associated your custom role.

  4. Select Access control (IAM) > Roles.

    Screenshot that shows how to get to Access control (IAM) and Roles.

  5. Select Type > CustomRole.

    Screenshot that shows custom roles selected from drop-down list.

    You'll get a list of all the custom roles in your organization.

Update the custom role

We need to update the Virtual Machine Operator role to add permissions for a monitoring operation, so we'll add the action Microsoft.Insights/diagnosticSettings/* to the custom role definition.

  1. Select Cloud Shell from the top right-hand side of the Azure portal.

  2. Type code into the Cloud Shell to open the editor.

  3. Paste the definition below into the editor.

    {
      "Name": "Virtual Machine Operator",
      "IsCustom": true,
      "Description": "Can monitor and restart virtual machines.",
      "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/subscriptionId1"
      ]
    }
    
  4. In the AssignableScopes section, replace subscriptionId1 with your subscription ID. If you didn't save that value from the previous exercise, run the following command to get it:

    az account list --output json | jq '.[] | .id, .name'
    
  5. Select Save from the three-dot menu on the top right-hand side of the Cloud Shell pane (or press CTRL + S in Windows or CMD + S in macOS).

  6. Enter vm-operator-role-new.json as the filename, then select Save.

  7. Select Close Editor from the three-dot menu on the top right-hand side of the Cloud Shell pane (or press CTRL + Q in Windows or CMD + Q in macOS).

  8. Run the following command to update the Virtual Machine Operator custom role:

    az role definition update --role-definition vm-operator-role-new.json
    
  9. Run the following command to verify the role definition is updated:

    az role definition list --name "Virtual Machine Operator" --output json | jq '.[] | .permissions[0].actions'
    
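As an added check that is not part of the exercise, the following Python script performs step 4 programmatically and reviews the definition file before you run az role definition update: it rejects an AssignableScopes entry that still holds the subscriptionId1 placeholder and lists the wildcard actions that grant more than reads, so each can be confirmed as intended. The embedded JSON is a constructed copy of the definition above, and check_role_definition and fill_subscription are this example's own names.

```python
import json
import re

# Constructed copy of the exercise's definition, still carrying the
# subscriptionId1 placeholder that step 4 tells you to replace.
ROLE_JSON = """{
 "Name": "Virtual Machine Operator",
 "IsCustom": true,
 "Description": "Can monitor and restart virtual machines.",
 "Actions": [
   "Microsoft.Compute/*/read",
   "Microsoft.Compute/virtualMachines/restart/action",
   "Microsoft.Insights/diagnosticSettings/*",
   "Microsoft.Support/*"
 ],
 "NotActions": [],
 "DataActions": [],
 "NotDataActions": [],
 "AssignableScopes": ["/subscriptions/subscriptionId1"]
}"""

# Subscription scopes have the form /subscriptions/<GUID>; the placeholder
# (or a mistyped ID) fails this pattern.
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_role_definition(text):
    """Return (errors, wide_actions): errors block the update, wide_actions need review."""
    role = json.loads(text)
    errors, wide_actions = [], []
    if role.get("IsCustom") is not True:
        errors.append("IsCustom must be true")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        errors.append("AssignableScopes is empty")
    for scope in scopes:
        if not SUBSCRIPTION_SCOPE.match(scope):
            errors.append(f"not a subscription scope: {scope}")
    for action in role.get("Actions", []):
        # "Provider/*/read" only widens reads; "Provider/resource/*" also
        # covers write and delete operations under that resource type.
        if "*" in action and not action.endswith("/read"):
            wide_actions.append(action)
    return errors, wide_actions


def fill_subscription(text, subscription_id):
    """Step 4 done programmatically: swap the placeholder for the real ID."""
    return text.replace("subscriptionId1", subscription_id)
```

Run the check on the saved vm-operator-role-new.json before step 8; an empty error list and an expected wide_actions list mean the file is ready for az role definition update.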

Delete the custom role

If you decide you no longer need the custom role, you need to remove the role assignments before you can delete the role.

  1. Run the following command to remove the role assignments for the custom role:

    az role assignment delete --role "Virtual Machine Operator"
    
  2. Run the following command to delete the custom role definition:

    az role definition delete --name "Virtual Machine Operator"
    
  3. Run the following command to verify the role is gone. If the role is still listed, wait a minute and run the command again:

    az role definition list --custom-role-only true