Hi @Anonymous,
The Support Request Contributor role provides the following privileges:

| Action | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
The Microsoft.Support/supportTickets/write action allows users to create and update support tickets, so it's the same as the Support Request Contributor role but without the role/role assignment and resource group permissions explicitly added.
I would recommend giving the Support Request Contributor role to just admins, SREs, and devs who might need to create support requests to make fixes if they break something. If you have people who might break things in your environment, it makes sense for them to be able to get unblocked.
There is an example here of creating a very similar custom role through Azure CLI that allows users to view everything in the control plane of a subscription and also open support tickets. In this example, you would start with a JSON template and create the new role definition based on that template:
az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"

{
  "additionalProperties": {},
  "assignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ],
  "description": "View everything in the subscription and also open support tickets.",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
  "name": "22222222-2222-2222-2222-222222222222",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Support/*"
      ],
      "additionalProperties": {},
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader Support Tickets",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
Alternatively, you can add the role from the Azure Portal by going to Access control (IAM) > Add > Add custom role. There you can choose to add each permission manually from the portal, or upload JSON with all of the permissions listed. If you wanted to stick with the built-in role instead, you could just assign the built-in role via the access control pane in the Subscription.
To assign a custom role via ARM template, you can update the existing example and modify the actions (i.e. adding Microsoft.Support/supportTickets/write permissions). Or you can use this example for built-in roles.
Let me know if you have further questions or run into any issues.
If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.
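As an added example (not part of the answer above and not Microsoft's own code), the script below evaluates a role definition the way Azure RBAC does for control-plane actions (`Actions` minus `NotActions`, with `*` wildcards and case-insensitive matching), so you can see exactly what the `Reader Support Tickets` custom role grants compared with a role holding only `Microsoft.Support/supportTickets/write`. The `TICKETS_ONLY_ROLE` definition and the probe action list are constructed for this comparison.

```python
import json
import re

# Constructed sample: the custom role definition from the answer above,
# keeping the placeholder subscription id it already uses.
READER_SUPPORT_ROLE = json.loads("""{
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "roleName": "Reader Support Tickets",
  "permissions": [{"actions": ["*/read", "Microsoft.Support/*"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]
}""")

# Constructed comparison: the narrower single-action grant discussed above.
TICKETS_ONLY_ROLE = {
    "roleName": "Support Tickets Only (constructed)",
    "permissions": [{"actions": ["Microsoft.Support/supportTickets/write"],
                     "notActions": []}],
}

def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC action patterns: '*' matches any run of characters
    (including '/'), comparison is case-insensitive, whole-string match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def action_allowed(role: dict, action: str) -> bool:
    """An action is granted by a permissions block if it matches some
    'actions' entry and no 'notActions' entry (NotActions subtracts from
    the grant; it is not an explicit deny)."""
    for perm in role["permissions"]:
        if any(_matches(p, action) for p in perm.get("actions", [])) and \
           not any(_matches(p, action) for p in perm.get("notActions", [])):
            return True
    return False

def allowed_actions(role: dict, probes: list[str]) -> list[str]:
    """Return the probe actions this role grants, for side-by-side review."""
    return [a for a in probes if action_allowed(role, a)]

# Constructed probe set: ticket actions plus a few read/write control-plane actions.
PROBES = [
    "Microsoft.Support/supportTickets/write",
    "Microsoft.Support/supportTickets/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
]

if __name__ == "__main__":
    for role in (READER_SUPPORT_ROLE, TICKETS_ONLY_ROLE):
        print(role["roleName"], "->", allowed_actions(role, PROBES))
```

Running it shows the custom role grants every read action in the subscription plus all of `Microsoft.Support/*`, while the single-action role grants only ticket creation and cannot even list resource groups, which is the trade-off to weigh before choosing one.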