Task: Implement a Custom ARM Role

Video: RBAC in Action

Estimated time: 15 minutes

Goal

Create a custom ARM role with the same rights as contributor without the ability to delete resources.

Pre-requisites

1. Azure subscription
2. Azure AD tenant

3. A test user account in the Azure AD tenant. The user account cannot be a global administrator or have rights at the subscription level.

   Completing previous tasks will meet pre-requisites.

Requirements

1. Create a custom role that has the same permissions as the Contributor role, without the permission to delete resources
2. Provision a resource in a new resource group
3. Assign the new role to the test user on the new resource group
4. Test the role

Requirement 1: Create custom role

Create a custom role that is based on the Contributor role, but without the ability to delete resources. To complete this:

• Use the Contribute role as the basis for a new role named DemoRole.
• Exclude the ability to delete any resource from the role.

Note: Do not use a deny role to prevent deletes. A user who has this role may be granted the permission to delete through other roles.

Requirement 2: Provision a resource

Provision a resource that will be used to test the new role:

• Provision a new Route table named demoResource in a new resource group named task-rbac.

Requirement 3: Assign the DemoRole role

Assign the DemoRole role to the test user on the task-rbac resource group.

Requirement 4: Test the role

For this requirement you will log in as the test user and validate the user's rights within the task-rbac resource group. To complete this requirement:

• Open a new browser (or private/incognito window) and navigate to https://portal.azure.com.
• Log in as your test user.
• Navigate to the task-rbac resource group.
• Attempt to delete the demoResource route table. This should fail.
• Create a new route table named demoResource2 in the task-rbac resource group. This should succeed.
• Attempt to delete the demoResource2 route table. This should fail.

Cleanup

• Delete the task-rbac resource group.
• Delete the DemoRole role.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.