Task: Implement a Custom Role
Video: Custom Roles
Estimated time: 30 minutes
Goal
The goal of this task is to create a custom RBAC role and assign it to a test user on a resource group. The custom role will be a variation of the Contributor role that does not allow the deletion of any resources.
Pre-requisites
- Non-production Azure subscription
- An Azure AD cloud user named tasks for testing access
Requirements
- Requirement 1: Define a custom role
- Requirement 2: Assign the custom role
- Requirement 3: Test the custom role
Pre-requisite setup
You can create a new Azure AD user from the bash cloud shell by running the following command (substitute your values for the domain name and password):
az ad user create --display-name tasks --password <your password> --user-principal-name tasks@<your domain> --force-change-password-next-login false
Example
az ad user create --display-name tasks --password B@dPa55word! --user-principal-name tasks@inedemos.onmicrosoft.com --force-change-password-next-login false
Requirement 1: Define a custom role
To complete this requirement, you must create a custom role named Contributor-Limited with the same permissions as the Contributor role, except without the ability to delete any resources. Take the following steps in a bash cloud shell to complete the requirement:
- Open a bash cloud shell.
- Save a copy of the JSON definition for the Contributor role in a file named customRole.json. Hint - use the az role definition list CLI command.
- Open the customRole.json file for editing in Visual Studio Code from the bash cloud shell:
code ./customRole.json
- Make the following changes to the file:
- Set the assignable scopes to your subscription. The format is /subscriptions/<your subscription id>. Hint: use the following command to view your subscription id:
az account show
- If present, remove the outer brackets ([ ]).
- Remove the id, roleName, roleType, and type attributes. Be sure to remove any commas that are no longer appropriate.
- Change the name to Contributor-Limited.
- Change the description to something meaningful.
- Add a line to the notActions settings that disallows any deletions.
- Save the file using Ctrl-S or Command-S. If this doesn't work, use the ellipsis in the top right corner to open the Visual Studio Code menu.
- Close Visual Studio Code using Ctrl-Q or Command-Q. If this doesn't work, use the ellipsis in the top right corner to open the Visual Studio Code menu.
- Use the Azure CLI to create a new role definition based on the customRole.json file.
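The edits above, carried out as a script rather than by hand, plus a small check of what the resulting role permits. This is an added example for this task, not Azure's own tooling; the embedded role JSON is a constructed, abbreviated stand-in for the output of az role definition list --name Contributor (placeholder GUID), and the allow/deny check is a simplified model of how Azure RBAC evaluates actions against notActions.

```python
"""Build the Contributor-Limited role definition and check what it permits."""
import fnmatch
import json

# Constructed sample: a trimmed copy of what `az role definition list --name Contributor`
# prints. The GUID is a placeholder, not the real Contributor role id.
CONTRIBUTOR_JSON = """[
  {
    "assignableScopes": ["/"],
    "description": "Grants full access to manage all resources",
    "id": "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "name": "00000000-0000-0000-0000-000000000000",
    "permissions": [{"actions": ["*"], "dataActions": [],
                     "notActions": ["Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/elevateAccess/Action"],
                     "notDataActions": []}],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]"""


def build_limited_role(contributor_json: str, subscription_id: str) -> dict:
    """Apply the Requirement 1 edits to the Contributor definition and return it."""
    role = json.loads(contributor_json)[0]            # drop the outer [ ]
    for key in ("id", "roleName", "roleType", "type"):  # attributes the task removes
        role.pop(key, None)
    role["name"] = "Contributor-Limited"
    role["description"] = "Contributor without the right to delete any resource"
    role["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    role["permissions"][0]["notActions"].append("*/delete")  # block every delete
    return role


def is_allowed(role: dict, operation: str) -> bool:
    """Simplified control-plane check: an operation is permitted when it matches an
    entry in actions and no entry in notActions (wildcards, case-insensitive)."""
    op = operation.lower()
    perms = role["permissions"][0]
    matches = lambda patterns: any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return matches(perms["actions"]) and not matches(perms["notActions"])


if __name__ == "__main__":
    limited = build_limited_role(CONTRIBUTOR_JSON, "<your subscription id>")
    with open("customRole.json", "w") as fh:
        json.dump(limited, fh, indent=2)
    print("Now run: az role definition create --role-definition @customRole.json")
```

Running the script writes customRole.json next to it; is_allowed lets you confirm, before creating the role, that writes such as Microsoft.Network/routeTables/write stay permitted while any */delete operation is refused.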
Requirement 2: Assign the custom role
To complete this requirement, you must provision a new resource group named task-role-rg. Assign the Contributor-Limited role to the tasks user on the task-role-rg resource group.
Requirement 3: Test the custom role
To complete this task you must log in to the Azure portal as the tasks user and verify the rights granted to the user on the task-role-rg resource group. To complete this requirement:
- Open an incognito/private browser window and log into the portal (https://portal.azure.com) as the tasks cloud user.
- Add the following resources to the task-role-rg resource group:
- A route table named demo-rt.
- Attempt to delete the following resources:
- A route table named demo-rt.
Cleanup
When you have completed this task, delete the task-role-rg resource group and the Contributor-Limited role.