How to create a custom role to provide RBAC only to certain team members to create MS support request.

Anonymous
2023-07-24T12:50:28.04+00:00

Need to give permission only to certain members in the team, to create Microsoft Support tickets. This RBAC has to be provided at the subscription level. Need to know -

  1. The custom role that can be implemented. Difference between Support Request Contributor role and Microsoft.Support/supportTickets/write (what all actions are permitted)
  2. How to implement this through Azure Portal and also ARM / Bicep template

Accepted answer
    Marilee Turscak-MSFT (Microsoft Employee)
    2023-07-25T00:41:59.69+00:00

    Hi @Anonymous ,

    The Support Request Contributor role provides the following privileges:

    - Microsoft.Authorization/*/read: Read roles and role assignments
    - Microsoft.Resources/subscriptions/resourceGroups/read: Gets or lists resource groups.
    - Microsoft.Support/*: Create and update a support ticket

    The Microsoft.Support/supportTickets/write action allows users to create and update support tickets, so it's the same as the Support Request Contributor role but without the role/role assignment and resource group permissions explicitly added.

    I would recommend giving the Support Request Contributor role to just admins, SREs, and devs who might need to create support requests to make fixes if they break something. If you have people who might break things in your environment, it makes sense for them to be able to get unblocked.

    There is an example here of creating a very similar custom role through Azure CLI that allows users to view everything in the control plane of a subscription and also open support tickets. In this example, you would start with a JSON template and create the new role definition based off of that template:

    ```bash
    az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"
    ```

    ```json
    {
      "additionalProperties": {},
      "assignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ],
      "description": "View everything in the subscription and also open support tickets.",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
      "name": "22222222-2222-2222-2222-222222222222",
      "permissions": [
        {
          "actions": [
            "*/read",
            "Microsoft.Support/*"
          ],
          "additionalProperties": {},
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Reader Support Tickets",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    ```

    Alternatively, you can add the role from the Azure Portal by going to Access control (IAM) > Add > Add custom role. There you can choose to add each permission manually from the portal, or upload JSON with all of the permissions listed. If you wanted to stick with the built-in role instead, you could just assign the built-in role via the access control pane in the Subscription.

    To assign a custom role via ARM template, you can update the existing example and modify the actions (i.e. adding Microsoft.Support/supportTickets/write permissions). Or you can use this example for built-in roles.

    Let me know if you have further questions or run into any issues.

    If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.

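The Bicep side of the question, as an added example that is not part of the accepted answer or of Microsoft's documentation: a subscription-scoped template that defines a narrow custom role built from the actions discussed above and assigns it to one group. The role name, description, the `principalId` parameter and the inclusion of `Microsoft.Support/supportTickets/read` (so members can see the tickets they filed) are my assumptions; only the write action and the two read actions come from the answer.

```bicep
// Deploy with: az deployment sub create --location <region> --template-file support-role.bicep --parameters principalId=<group-object-id>
targetScope = 'subscription'

@description('Object ID of the Entra ID group (or user) allowed to open support tickets. Assumed parameter.')
param principalId string

@allowed(['Group', 'User', 'ServicePrincipal'])
param principalType string = 'Group'

// Deterministic GUID so re-deployments update the same definition instead of creating duplicates.
var roleDefinitionName = guid(subscription().id, 'SupportTicketCreator')

resource supportTicketRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: roleDefinitionName
  properties: {
    roleName: 'Support Ticket Creator' // assumed name
    description: 'Open and update Microsoft support tickets at subscription scope; no other control-plane rights.'
    type: 'CustomRole'
    permissions: [
      {
        actions: [
          'Microsoft.Authorization/*/read'                         // read roles/assignments (from built-in role)
          'Microsoft.Resources/subscriptions/resourceGroups/read'  // list resource groups to scope a ticket
          'Microsoft.Support/supportTickets/write'                 // create/update tickets (the action asked about)
          'Microsoft.Support/supportTickets/read'                  // assumed: view tickets already filed
        ]
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
    // Limit where the role can ever be assigned: this subscription only.
    assignableScopes: [
      subscription().id
    ]
  }
}

// Assign the custom role to the group at subscription scope.
resource supportTicketAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, principalId, supportTicketRole.id)
  properties: {
    roleDefinitionId: supportTicketRole.id
    principalId: principalId
    principalType: principalType
  }
}
```

Compared with `Microsoft.Support/*`, listing the two `supportTickets` actions explicitly keeps any future actions added under the `Microsoft.Support` provider out of the role until you opt in.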
