Azure – Assign A Custom Role to Allow Specific Users to Stop/Start/Restart a specific VM

The Issue

A customer recently had the need to only allow specific Server Owners to Start\Restart\Deallocate specific Virtual Machines.

The Investigation

I actually found this article that explains how to create this for an assignment to an entire subscription.

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-enabling-custom-role-based-access-control-in-azure/ba-p/363668

You use the mentioned JSON File,

{
        "Name": "Restart Virtual Machines",
        "IsCustom": true,
        "Description": "Restart Virtual Machines.",
        "Actions": [
           "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "NotActions": [
        ],
        "DataActions": [
        ],
        "NotDataActions": [
        ],
        "AssignableScopes": [
               "/subscriptions/d5b9d4b7-6fc1-46c5-bafe-38effaed19b2"
        ]
}

and run the below two commands (I used Terminal)

az role definition create --role-definition newRole.json

 az role assignment create --role "Restart Virtual Machines" --assignee user@contososerverboss.com

But I needed to go more granular.

If you configure the JSON File and look at “AssignableScopes” you can use an example like below to specify Resource Groups.

And this is great because now you can assign on the RSG level and see how to assign custom roles like below.

The Solution

Diving even deeper into the Azure RBAC Rabbit hole I created a Server and tried to assign to that server only. And it worked.

As always, I hope this has been informative and feel free to correct me in any of the steps.