Az-104 Create Custom RBAC Roles

Az-104 Create Custom RBAC Roles

What is RBAC?

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.

Azure includes several built-in roles that you can use. The following are the four fundamental built-in roles. The first three apply to all resource types.

  • Owner — Has full access to all resources including the right to delegate access to others.
  • Contributor — Can create and manage all types of Azure resources but can’t grant access to others.
  • Reader — Can view existing Azure resources.
  • User Access Administrator — Lets you manage user access to Azure resources.

Create a RBAC role using Json file

Follow the steps below to create custom RBAC role.

  • Copy the below code to Notepad and review its content.
  • Replace the SUBSCRIPTION_ID placeholder in the JSON file with the subscription ID of your Azure account and save the change.
    • {“Name”: “Support Request Analyst”,”IsCustom”: true,”Description”: “Allows to create support requests”,”Actions”: [“Microsoft.Resources/subscriptions/resourceGroups/read”,”Microsoft.Support/*”],”NotActions”: [],”AssignableScopes”: [“/providers/Microsoft.Management/managementGroups/aztest-123″,”/subscriptions/Subscription_ID”]


  • From local computer, open Windows PowerShell ISEpane by searching in search bar. You can use CloudShell in Azure portal. However, you would need a Resource Group and Storge account to be created before using it and Azure will cost you for those resources.
  • Type Login-AzAccount in the prompt, it will redirect you to the Microsoft Azure sign-in page. Provide your Azure account and password.

  • You will be connected to Azure domain once you successfully sign-in. please validate the details such as Account, SubscriptionName , SubscriptionID, TenantID and Environment to make sure that you have connected to the right domain.

  • Navigate the folder where the .Json file is placed, run New-AzureRmRoleDefinition “Test.json” to create custom RBAC role.
  • New custom role is successfully created as prompted below.

  • Assign the custom RBAC role to the user. For that, I am going to create a new user with name “RBAC” as below.

  • In the Azure portal, navigate back to your management group and display its details.
  • Click Access control (IAM), click + Add followed by Role assignment, and assign the Support Request Analyst role to the newly created user account.


In this article, we have talked about RBAC, creating custom RBAC and assigned that tole to a newly created user. Based your requirement, you can create as many as custom RBAC roles to control access to Azure resources.

By |2021-07-01T10:41:27-05:00June 15th, 2021|Categories: Az-104, Azure, Azure IAM, Azure Resource Manager, Management Groups, Microsoft Azure, RBAC|Tags: , , , |Comments Off on Az-104 Create Custom RBAC Roles

About the Author:

Srikanth Anne is an SQL Server DBA, Az-104 Certified professional. Srikanth focuses on helping customers to build high-available, cost-effective database solutions and migrate their large scale SQL Server databases to Azure. He is passionate about Databases and Analytics.