

Tutorial: Create an Azure custom role using Azure CLI

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. For this tutorial, you create a custom role named Reader Support Tickets using Azure CLI. The custom role allows the user to view everything in the control plane of a subscription and also open support tickets.

In this tutorial, you learn how to:

  • Create a custom role
  • List custom roles
  • Update a custom role
  • Delete a custom role

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete this tutorial, you will need:

Sign in to Azure CLI

Sign in to Azure CLI.

Create a custom role

The easiest way to create a custom role is to start with a JSON template, add your changes, and then create a new role.

  1. Review the list of actions for the Microsoft.Support resource provider. It's helpful to know the actions that are available to create your permissions.

    Action Description
    Microsoft.Support/register/action Registers to Support Resource Provider
    Microsoft.Support/supportTickets/read Gets Support Ticket details (including status, severity, contact details and communications) or gets the list of Support Tickets across subscriptions.
    Microsoft.Support/supportTickets/write Creates or Updates a Support Ticket. You can create a Support Ticket for Technical, Billing, Quotas or Subscription Management related issues. You can update severity, contact details and communications for existing support tickets.
  2. Create a new file named ReaderSupportRole.json.

  3. Open ReaderSupportRole.json in an editor and add the following JSON.

    For information about the different properties, see Azure custom roles.

    {
      "Name": "",
      "IsCustom": true,
      "Description": "",
      "Actions": [],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscriptionId1}"
      ]
    }
    
  4. Add the following actions to the Actions property. These actions allow the user to view everything in the subscription and create support tickets.

    "*/read",
    "Microsoft.Support/*"
    
  5. Get the ID of your subscription using the az account list command.

    az account list --output table
    
  6. In AssignableScopes, replace {subscriptionId1} with your subscription ID.

    You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.

  7. Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."

    Your JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  8. To create the new custom role, use the az role definition create command and specify the JSON role definition file.

    az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"
    
    {
      "additionalProperties": {},
      "assignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ],
      "description": "View everything in the subscription and also open support tickets.",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
      "name": "22222222-2222-2222-2222-222222222222",
      "permissions": [
        {
          "actions": [
            "*/read",
            "Microsoft.Support/*"
          ],
          "additionalProperties": {},
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Reader Support Tickets",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

    The new custom role is now available and can be assigned to users, groups, or service principals just like built-in roles.
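The checks in steps 3 to 7 (fill in Name and Description, replace the {subscriptionId1} placeholder with a real subscription ID, keep the Actions list deliberate) are easy to get wrong by hand. As an added example that is not part of this tutorial or of Azure CLI, the following Python script validates a role definition file before it is passed to az role definition create. The two embedded definitions are the tutorial's template and finished file, copied here as constructed test input; the script assumes the role is scoped to a subscription or a resource group in it, and the "/*" wildcard warning is this example's own review heuristic, not an Azure rule.

```python
from __future__ import annotations

import json
import re
import sys

# Subscription GUID as it appears in "/subscriptions/<guid>" scopes.
_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
# Assumption: the role is scoped to a subscription or a resource group in it.
_SCOPE_RE = re.compile(rf"^/subscriptions/{_GUID}(?:/resourceGroups/[^/]+)?$")

REQUIRED_KEYS = {"Name", "IsCustom", "Description", "Actions", "NotActions",
                 "DataActions", "NotDataActions", "AssignableScopes"}


def validate_role_definition(role: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one parsed role definition.

    Errors are things that make `az role definition create` fail or that
    leave the tutorial's template unfilled; warnings are review points for a
    least-privilege check of the Actions list.
    """
    errors: list[str] = []
    warnings: list[str] = []

    missing = REQUIRED_KEYS - role.keys()
    if missing:
        errors.append(f"missing properties: {sorted(missing)}")
    if role.get("IsCustom") is not True:
        errors.append("IsCustom must be true")
    for key in ("Name", "Description"):
        if not str(role.get(key, "")).strip():
            errors.append(f"{key} is empty")

    scopes = role.get("AssignableScopes") or []
    if not scopes:
        errors.append("AssignableScopes is empty")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            errors.append(f"placeholder left in AssignableScopes: {scope}")
        elif not _SCOPE_RE.match(scope):
            errors.append(f"not an explicit subscription scope: {scope}")

    for action in role.get("Actions", []):
        if action == "*":
            warnings.append('"*" grants every control-plane operation; '
                            'prefer "*/read" plus the providers you need')
        elif action.endswith("/*"):
            # "<Provider>/*" includes write and delete operations; the tutorial
            # wants this for Microsoft.Support, but it is worth confirming.
            warnings.append(f'"{action}" is a write-capable wildcard')
    return errors, warnings


def validate_file(path: str) -> tuple[list[str], list[str]]:
    """Load a role definition file and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_role_definition(json.load(fh))


# Constructed samples: the tutorial's template (step 3) and final file (step 7).
TEMPLATE_ROLE = json.loads("""{
  "Name": "", "IsCustom": true, "Description": "",
  "Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscriptionId1}"]
}""")
FINAL_ROLE = json.loads("""{
  "Name": "Reader Support Tickets", "IsCustom": true,
  "Description": "View everything in the subscription and also open support tickets.",
  "Actions": ["*/read", "Microsoft.Support/*"],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")

if __name__ == "__main__":
    # Usage: python validate_role.py ~/CustomRoles/ReaderSupportRole.json
    if len(sys.argv) > 1:
        errors, warnings = validate_file(sys.argv[1])
    else:
        errors, warnings = validate_role_definition(FINAL_ROLE)
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARN: ", line)
    sys.exit(1 if errors else 0)
```

Run against the unfilled template, the script reports three errors (empty Name, empty Description, placeholder scope); against the finished file it reports no errors and one warning for "Microsoft.Support/*", which in this tutorial is intended: the role must be able to create tickets, so the write-capable wildcard is the point, and the warning only asks the reviewer to confirm it.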

List custom roles

  • To list all your custom roles, use the az role definition list command with the --custom-role-only parameter.

    az role definition list --custom-role-only true
    
    [
      {
        "additionalProperties": {},
        "assignableScopes": [
          "/subscriptions/00000000-0000-0000-0000-000000000000"
        ],
        "description": "View everything in the subscription and also open support tickets.",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
        "name": "22222222-2222-2222-2222-222222222222",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Support/*",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Insights/diagnosticSettings/*/read"
            ],
            "additionalProperties": {},
            "dataActions": [],
            "notActions": [],
            "notDataActions": []
          }
        ],
        "roleName": "Reader Support Tickets",
        "roleType": "CustomRole",
        "type": "Microsoft.Authorization/roleDefinitions"
      }
    ]
    

    You can also see the custom role in the Azure portal.

    [Screenshot: the imported custom role in the Azure portal]

Update a custom role

To update the custom role, update the JSON file and then update the custom role.

  1. Open the ReaderSupportRole.json file.

  2. In Actions, add the action to create and manage resource group deployments, "Microsoft.Resources/deployments/*". Be sure to include a comma after the previous action.

    Your updated JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*",
        "Microsoft.Resources/deployments/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  3. To update the custom role, use the az role definition update command and specify the updated JSON file.

    az role definition update --role-definition "~/CustomRoles/ReaderSupportRole.json"
    
    {
      "additionalProperties": {},
      "assignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ],
      "description": "View everything in the subscription and also open support tickets.",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
      "name": "22222222-2222-2222-2222-222222222222",
      "permissions": [
        {
          "actions": [
            "*/read",
            "Microsoft.Support/*",
            "Microsoft.Resources/deployments/*"
          ],
          "additionalProperties": {},
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Reader Support Tickets",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

Delete a custom role

  • Use the az role definition delete command and specify the role name or role ID to delete the custom role.

    az role definition delete --name "Reader Support Tickets"
    

Next steps