Updating a Custom RBAC Role in Azure

@20aman    Aug 29, 2018

In one of the earlier blog posts, we saw how to add a custom role in Azure to manage Role Based Access Control (RBAC) at a more granular level. You can review the earlier post here: Demystifying Azure Security - Custom RBAC Roles.

In this post, we will see how to make quick changes to this custom role using an Azure PowerShell script.

Making the updates

Just like any other Azure PowerShell script, you will connect to Azure and select the right subscription by using the following cmdlets.

Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $SubscriptionName

Then you will fetch the current custom role by using the below cmdlet.

$role = Get-AzureRmRoleDefinition $roleName

Optionally, if you want to inspect the current role, you can use the cmdlet below to output the current custom role as JSON.

Get-AzureRmRoleDefinition -Name $roleName | ConvertTo-Json

Then you can make updates to the "$role" object. The sample below adds the action that allows stopping of the VMs and then updates the description of the custom role.

$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Description = "Can monitor, Start, Stop and restart virtual machines."

Finally, the updated role is saved back to Azure by using the below cmdlet.

Set-AzureRmRoleDefinition -Role $role
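A more cautious version of the steps above, shown as an added example that is not part of the original script: it backs up the current definition, adds only actions that are missing, and lists the existing assignments before saving, because every principal already holding the role gains the new permission as soon as the role is updated. The role name, the backup location and the confirmation prompt are assumptions, and a signed-in AzureRM session with the subscription selected is assumed.

```powershell
# Added example (not from the original script). Assumes Add-AzureRmAccount and
# Select-AzureRmSubscription have already been run in this session.
$roleName   = 'Virtual Machine Operator (Custom)'   # placeholder role name
$newActions = @('Microsoft.Compute/virtualMachines/deallocate/action')

$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role)          { throw "Role '$roleName' was not found." }
if (-not $role.IsCustom) { throw "'$roleName' is a built-in role and cannot be modified." }

# Keep a copy of the current definition so the change can be rolled back.
$backup = Join-Path $env:TEMP "$($role.Id)-before.json"   # assumed backup location
$role | ConvertTo-Json -Depth 5 | Out-File -FilePath $backup -Encoding utf8

# Add only the actions that are missing, and refuse wildcard grants.
$added = @()
foreach ($action in $newActions) {
    if ($action -match '\*') { throw "Refusing to add wildcard action '$action'." }
    if ($role.Actions -notcontains $action) {
        $role.Actions.Add($action)
        $added += $action
    }
}
if ($added.Count -eq 0) { Write-Host 'Nothing to add.'; return }

# Show what changes and who is affected once the role is saved.
Write-Host "Actions to add: $($added -join ', ')"
Write-Host "Assignable scopes: $($role.AssignableScopes -join ', ')"
Get-AzureRmRoleAssignment -RoleDefinitionName $roleName |
    Select-Object DisplayName, ObjectType, Scope |
    Format-Table -AutoSize

if ((Read-Host 'Apply the change? (y/n)') -eq 'y') {
    Set-AzureRmRoleDefinition -Role $role
    Write-Host "Updated. Previous definition saved to $backup"
}

# Rollback, if needed:
# Set-AzureRmRoleDefinition -InputFile $backup
```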

Location of the Complete Script

You can find this script in GitHub at this location: Update-CustomRoleSample.ps1
