What roles does my user need to have assigned in order to be able to create custom roles (RBAC)?

Nicolas Raddatz 20 Reputation points
2024-09-25T14:15:03.09+00:00

Hi everyone,

I'm trying to create a custom role for users to be able to start/restart/stop the VMs they have access to, following this article.

However, when I try to create a custom role from Azure CLI, I'm getting the following error:

The client xxx with object id xxx does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/[my subscription id]/providers/Microsoft.Authorization/roleDefinitions/d31d7669-45bf-xxxx-xxxx-494fb02b1f00' or the scope is invalid

The "Create a custom role" option in Azure Portal UI is also disabled. My user's current role assignments for this subscription are as follows:

  • Contributor
  • Reader
  • Role Based Access Control Administrator
  • Security Admin
  • Virtual Machine Data Access Administrator (preview)

Shouldn't "Role Based Access Control Administrator" be enough for my user to be able to create custom roles? What am I missing?

Appreciate your help!

Azure Role-based access control

Accepted answer
Navya 10,955 Reputation points Microsoft Vendor
2024-09-26T01:40:54.7666667+00:00

    Hi @Nicolas Raddatz

    Thank you for posting this in Microsoft Q&A.

    I understand you are trying to create Azure custom roles (RBAC) using Azure CLI but getting error "The client xxx with object id xxx does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/[my subscription id]/providers/Microsoft.Authorization/roleDefinitions/d31d7669-45bf-xxxx-xxxx-494fb02b1f00' or the scope is invalid".

    Based on the error, you don't have permissions to create custom roles (RBAC) on the subscription.

    In order to create Azure custom roles (RBAC), you must have either Owner or User administrator roles. Role-based Access Control Administrator is not sufficient for creating custom roles (RBAC).

    For your reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.
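As an added illustration (not part of the question or the answer above) of why the assignments listed in the question fail the `Microsoft.Authorization/roleDefinitions/write` check named in the error: the script below models how Azure evaluates a control-plane action against a role's `Actions` and `NotActions` (`*` wildcards, case-insensitive, `NotActions` subtracting only within the same role) and runs it over abbreviated copies of the relevant built-in roles. The role contents are constructed for this example from the public definitions, omit DataActions, and leave out Security Admin and Virtual Machine Data Access Administrator, neither of which grants the action.

```python
from fnmatch import fnmatchcase

# Abbreviated Actions/NotActions of the built-in roles discussed on this page
# (constructed for this example; DataActions and unrelated entries omitted).
BUILT_IN_ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor can manage resources but is explicitly denied RBAC writes.
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Role Based Access Control Administrator": {
        # Only role *assignments*, not role *definitions*, are writable.
        "Actions": ["Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete",
                    "*/read", "Microsoft.Support/*"],
        "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": []},
}

def action_matches(pattern, action):
    # Azure compares operation strings case-insensitively; '*' may span '/'.
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    # A role grants an action if some Actions entry matches and no NotActions
    # entry of that same role matches (NotActions never cross roles).
    if not any(action_matches(p, action) for p in role["Actions"]):
        return False
    return not any(action_matches(p, action) for p in role["NotActions"])

def allowed(assigned_roles, action):
    # Effective permission is the union of the per-assignment results.
    return any(role_allows(BUILT_IN_ROLES[r], action) for r in assigned_roles)

def explain(assigned_roles, action):
    # Per-role verdicts, useful when an authorization error like the one above appears.
    return {r: role_allows(BUILT_IN_ROLES[r], action) for r in assigned_roles}

if __name__ == "__main__":
    want = "Microsoft.Authorization/roleDefinitions/write"
    mine = ["Contributor", "Reader", "Role Based Access Control Administrator"]
    print(explain(mine, want))  # every role False: the error from the question
    print(allowed(mine + ["User Access Administrator"], want))  # True
```

The same evaluator shows that RBAC Administrator does cover `roleAssignments/write`, so adding a role assignment works while creating a definition does not.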
