Role assignment for editing and exporting Assessments in Azure Migrate.

Question

I do not want to grant a colleague Contributor Role access to the Resource Group containing my Migration Project as it would grant him far too much power.
He only needs to edit, recalculate and export Assessments from the 'Azure Migrate: Discovery and Assessment' blade.
Is there a built-in role I am missing or is it possible to create a custom role for the job?

Answer 1

@Paul Shay Thank you for your post and I apologize for the delayed response!

You can create custom role for your requirement.

These are few actions that needs to be used to create custom role.

                "Microsoft.Migrate/assessmentprojects/groups/assessments/downloadurl/action",  
                "Microsoft.Migrate/migrateprojects/RefreshSummary/action",  
                "Microsoft.Migrate/projects/groups/assessments/downloadurl/action",  
                "Microsoft.OffAzure/ImportSites/importuri/action",  
                "Microsoft.OffAzure/ImportSites/exporturi/action",  
                "Microsoft.OffAzure/ServerSites/refresh/action",  
                "Microsoft.OffAzure/VMwareSites/exportapplications/action",  
                "Microsoft.OffAzure/VMwareSites/generateCoarseMap/action",  
                "Microsoft.OffAzure/VMwareSites/generateDetailedMap/action",  
                "Microsoft.OffAzure/VMwareSites/getApplications/action",  
                "Microsoft.OffAzure/VMwareSites/serverGroupMembers/action",  
                "Microsoft.OffAzure/VMwareSites/refresh/action",  
                "Microsoft.OffAzure/VMwareSites/clientGroupMembers/action",  
                "Microsoft.OffAzure/VMwareSites/exportDependencies/action"  

Add/ remove the actions as per your need.

Full JSON file

{  
    "id": "/subscriptions/6785ea1f-xxxx-4244-xxxx-94xxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxxxxxxxx-044d-452a-8af0-xxxxxxxxxxxxx",  
    "properties": {  
        "roleName": "Azure Migrate xxxxxxxxxxx role",  
        "description": "This role shall be required for a user to access features like application inventory export and dependency map creation",  
        "assignableScopes": [  
            "/subscriptions/6785ea1f-xxxx-4244-xxxx-94xxxxxxxxx/resourceGroups/ContosoDemoRG"  
        ],  
        "permissions": [  
            {  
                "actions": [  
                    "Microsoft.Migrate/assessmentprojects/groups/assessments/downloadurl/action",  
                    "Microsoft.Migrate/migrateprojects/RefreshSummary/action",  
                    "Microsoft.Migrate/projects/groups/assessments/downloadurl/action",  
                    "Microsoft.OffAzure/ImportSites/importuri/action",  
                    "Microsoft.OffAzure/ImportSites/exporturi/action",  
                    "Microsoft.OffAzure/ServerSites/refresh/action",  
                    "Microsoft.OffAzure/VMwareSites/exportapplications/action",  
                    "Microsoft.OffAzure/VMwareSites/generateCoarseMap/action",  
                    "Microsoft.OffAzure/VMwareSites/generateDetailedMap/action",  
                    "Microsoft.OffAzure/VMwareSites/getApplications/action",  
                    "Microsoft.OffAzure/VMwareSites/serverGroupMembers/action",  
                    "Microsoft.OffAzure/VMwareSites/refresh/action",  
                    "Microsoft.OffAzure/VMwareSites/clientGroupMembers/action",  
                    "Microsoft.OffAzure/VMwareSites/exportDependencies/action"  
                ],  
                "notActions": [],  
                "dataActions": [],  
                "notDataActions": []  
            }  
        ]  
    }  
}  

Hope this helps!

----------------------------------------------------------------------------------------------------------------------

If the response helped, do "Accept Answer" and up-vote it