The Issue
A customer recently needed to allow only specific server owners to start, restart or deallocate specific virtual machines.
The Investigation
I found an article that explains how to create such a role and assign it to an entire subscription.
You use the JSON file it describes:
    {
      "Name": "Restart Virtual Machines",
      "IsCustom": true,
      "Description": "Restart Virtual Machines.",
      "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "NotActions": [
      ],
      "DataActions": [
      ],
      "NotDataActions": [
      ],
      "AssignableScopes": [
        "/subscriptions/d5b9d4b7-6fc1-46c5-bafe-38effaed19b2"
      ]
    }
and run the two commands below (I used Terminal):
    az role definition create --role-definition newRole.json
    az role assignment create --role "Restart Virtual Machines" --assignee user@contososerverboss.com
But I needed to go more granular.
If you edit the “AssignableScopes” entry in the JSON file, you can specify resource groups instead of the whole subscription.

This is great because you can now assign the role at the resource group (RSG) level, and the custom role appears for assignment there like any built-in role.

The Solution
Diving even deeper into the Azure RBAC rabbit hole, I created a server and tried assigning the role to that server only. It worked.
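The resource-group AssignableScopes and the single-server assignment described above, as an added example that is not code from the original post or the article it cites. It assumes the az CLI, adds the deallocate action the customer asked for, and uses constructed placeholder values for the subscription id, resource group, VM and user; DRY_RUN (default 1) prints the az commands instead of running them.

```shell
# Added example, not code from the original post or the article it cites: define
# the custom role with AssignableScopes set to one resource group, then assign it
# at the scope of a single VM. Subscription id, resource group, VM and user are
# constructed placeholders.
set -eu
SUB="00000000-0000-0000-0000-000000000000"   # placeholder subscription id
RG="rg-servers"                              # placeholder resource group
VM="vm-web01"                                # placeholder VM name
ASSIGNEE="owner@example.com"                 # placeholder server owner
ROLE_NAME="Restart Virtual Machines"

# Scope strings follow the ARM resource id hierarchy.
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }
vm_scope() { printf '%s/providers/Microsoft.Compute/virtualMachines/%s' "$(rg_scope "$1" "$2")" "$3"; }

# A role can only be assigned at or below one of its AssignableScopes; checking
# that locally catches a wrong --scope before az is called.
scope_within() { # scope_within <assignable-scope> <assignment-scope>
  case "$2" in "$1"|"$1"/*) return 0 ;; *) return 1 ;; esac
}

# Role definition: the article's actions plus deallocate, which the customer also
# needed; AssignableScopes is the resource group rather than the subscription.
role_definition_json() { # role_definition_json <assignable-scope>
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Start, restart and deallocate VMs in one resource group.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [ "$1" ]
}
EOF
}

# DRY_RUN=1 (default) prints the az commands instead of running them.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
ASSIGNABLE=$(rg_scope "$SUB" "$RG")
TARGET=$(vm_scope "$SUB" "$RG" "$VM")
scope_within "$ASSIGNABLE" "$TARGET" || { echo "scope outside AssignableScopes" >&2; exit 1; }
ROLE_FILE=$(mktemp); role_definition_json "$ASSIGNABLE" > "$ROLE_FILE"
run az role definition create --role-definition "$ROLE_FILE"
run az role assignment create --role "$ROLE_NAME" --assignee "$ASSIGNEE" --scope "$TARGET"
```

Run with DRY_RUN=0 after az login to actually create the role and the assignment; the scope check fails fast if the VM is not inside the resource group named in AssignableScopes.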


As always, I hope this has been informative; feel free to correct me on any of the steps.