Azurecloud~30 mins

Custom role definitions in Azure - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Custom role definitions

📖 Scenario: You are managing access control in an Azure subscription. You want to create a custom role that allows users to read virtual machines and start them, but not delete or modify other resources.

🎯 Goal: Create a custom role definition JSON that grants read and start permissions on virtual machines only.

📋 What You'll Learn

Create a JSON object named customRole with the required properties for a custom role definition.

Include Name, Description, Actions, NotActions, AssignableScopes properties.

Grant read and start permissions on virtual machines using the correct Azure resource provider actions.

Assign the role to the scope of the subscription /subscriptions/12345678-1234-1234-1234-123456789abc.

💡 Why This Matters

🌍 Real World

Custom roles allow precise control over who can do what in your Azure environment, improving security and compliance.

💼 Career

Cloud administrators and security engineers often create and manage custom roles to enforce least privilege access.

Progress0 / 4 steps

Create the basic custom role structure

Create a JSON object called customRole with the properties Name set to "VM Reader and Starter" and Description set to "Can read and start virtual machines".

Azure

{
  "Name": "VM Reader and Starter",
  "Description": "Can read and start virtual machines"
  // Your code here
}

Need a hint?

Start by defining the Name and Description properties inside the JSON object.

Add the Actions and NotActions properties

Add the Actions property as a list containing "Microsoft.Compute/virtualMachines/read" and "Microsoft.Compute/virtualMachines/start/action". Add an empty list for NotActions.

Azure

{
  "Name": "VM Reader and Starter",
  "Description": "Can read and start virtual machines",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [
  ]
  // Your code here
}

Need a hint?

Use the exact action strings for reading and starting virtual machines inside the Actions list.

Add the AssignableScopes property

Add the AssignableScopes property as a list containing the subscription scope string "/subscriptions/12345678-1234-1234-1234-123456789abc".

Azure

{
  "Name": "VM Reader and Starter",
  "Description": "Can read and start virtual machines",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/12345678-1234-1234-1234-123456789abc"
  ]
  // Your code here
}

Need a hint?

Use the exact subscription ID string inside the AssignableScopes list.

Add the final properties for a valid custom role

Add the Type property set to "CustomRole" and the Id property set to null to complete the custom role definition JSON.

Azure

{
  "Name": "VM Reader and Starter",
  "Description": "Can read and start virtual machines",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/12345678-1234-1234-1234-123456789abc"
  ],
  "Type": "CustomRole",
  "Id": null
  // Your code here
}

Need a hint?

These properties are required for Azure to recognize the JSON as a custom role definition.