Creating a custom role with ability to grant lesser roles

Boris Ning 0 Reputation points


I'm in an enterprise where the mandate is to lock the ability to grant roles to a select group of people as a best practice. Unfortunately, I'm not one of those group members.

I would love to use managed identity for resources as a best practice - with infrastructure as code in mind (e.g. Terraform) but it requires me to file a ticket to a particular team, write down my needs, handle some email exchanges, to get an environment up and running. Simply a pain in the ass to both teams.

I'm looking for a way where they can grant a role to a Service Principal that can grant "lesser" roles such as Storage Container read to a storage account I control, or Eventhub reader on an Event Hub; I don't want/need it to be able to grant all of the roles, just selective ones. Is this possible in Azure RBAC today?

Thank you,


Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

1 answer

  1. Sedat SALMAN 13,190 Reputation points

    Yes, it is possible to create a custom role in Azure RBAC (Role-Based Access Control) with the ability to grant lesser roles to specific resources. This can help you delegate certain permissions without granting full administrative access.

    • Identify the desired permissions: Determine the specific roles or permissions that you want to grant to the Service Principal. For example, you mentioned granting "Storage Container read" or "Eventhub reader" roles.
    • Create a custom role definition: Use the Azure portal, Azure CLI, or Azure PowerShell to create a custom role definition that includes the desired permissions. You can specify the exact actions, resources, and scope of the role.
    $roleName = "Custom Role"
    $roleDescription = "Custom role with limited permissions"
    $subscriptionId = (Get-AzContext).Subscription.Id   # Az.Resources module, after Connect-AzAccount
    # New-AzRoleDefinition takes a PSRoleDefinition object (-Role) or a JSON file (-InputFile), so build the object from a built-in role used as a template
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id = $null
    $role.Name = $roleName
    $role.Description = $roleDescription
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.Storage/storageAccounts/blobServices/containers/read")
    $role.Actions.Add("Microsoft.EventHub/namespaces/authorizationRules/listKeys/action")
    $role.NotActions.Clear(); $role.DataActions.Clear(); $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$subscriptionId")   # a custom role must declare at least one scope where it can be assigned
    New-AzRoleDefinition -Role $role
    • Assign the custom role to the Service Principal: Once the custom role definition is created, it can be assigned to the Service Principal associated with your resource. You can do this using the Azure portal, Azure CLI, or Azure PowerShell.
    $spObjectId = "<Service Principal Object ID>"
    $roleName = "Custom Role"
    $scope = "/subscriptions/$subscriptionId/resourceGroups/<resource group>"   # must lie within the role's AssignableScopes
    New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $roleName -Scope $scope
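A practitioner's caveat on the answer above: a role definition by itself cannot restrict which other roles a principal may hand out. To assign any role at all the principal needs Microsoft.Authorization/roleAssignments/write, and once it has that action it can assign Owner just as easily as Storage Blob Data Reader. The restriction the question asks for is done with a condition on the role assignment (Azure's "delegate Azure role assignment management with conditions"), which limits the action to an allowed list of role definition IDs. The following is an added example, not code from the answer or from Microsoft; the resource group, the service principal object ID and the custom role name are placeholders, and the two allowed roles (Storage Blob Data Reader, Azure Event Hubs Data Receiver) are assumed to be what the question means by "Storage Container read" and "Eventhub reader".

```powershell
# Added example: delegate the right to assign only two specific roles inside one resource group.
# Requires the Az.Resources module and a session (Connect-AzAccount) that may create role
# definitions and write role assignments at $scope. Values in <...> are placeholders (assumptions).
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId/resourceGroups/<team resource group>"
$spObjectId     = "<object ID of the delegated service principal>"

# 1. The only roles the delegate may hand out. Resolve the IDs at run time instead of hardcoding GUIDs.
$allowedRoles   = @("Storage Blob Data Reader", "Azure Event Hubs Data Receiver")
$allowedRoleIds = $allowedRoles | ForEach-Object { (Get-AzRoleDefinition -Name $_).Id }

# 2. A custom role that can manage role assignments, and nothing else, assignable only within the team scope.
$role = Get-AzRoleDefinition -Name "Reader"   # template object; every field is overwritten below
$role.Id          = $null
$role.Name        = "Team Role Assignment Delegate"
$role.Description = "Create and delete role assignments in the team resource group; allowed roles are restricted by condition"
$role.Actions.Clear()
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/roleDefinitions/read" | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear(); $role.DataActions.Clear(); $role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$null = New-AzRoleDefinition -Role $role

# 3. Assign it with an ABAC condition: roleAssignments/write is allowed only when the requested
#    RoleDefinitionId is in the allowed list, and roleAssignments/delete only for assignments of those roles.
$idList    = $allowedRoleIds -join ", "
$condition = @"
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$idList}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$idList}
 )
)
"@

New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName $role.Name -Scope $scope `
    -Condition $condition -ConditionVersion "2.0"

# 4. Check: the assignment must carry the condition, otherwise the delegate can assign any role at $scope.
Get-AzRoleAssignment -ObjectId $spObjectId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, Condition
```

Two notes on running this. A freshly created role definition can take a short while to propagate, so step 3 may need a retry if it reports the role as not found. The custom role in step 2 is optional: the built-in "Role Based Access Control Administrator" role carries the same roleAssignments actions and accepts the same condition, which is the simpler choice when the granting team prefers not to maintain custom roles.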