Updating a Custom RBAC Role in Azure@20aman Aug 29, 2018
In one of the earlier blog, we saw how to add a custom role in Azure to manage Role Based Access Control (RBAC) at more granular level. You can review the earlier post here: Demystifying Azure Security - Custom RBAC Roles.
In this post, we will see how to make quick changes to this custom role leveraging Azure PowerShell script.
Making the updates
Just like any other Azure PowerShell script, you will connect to Azure and select the right subscription by using the following cmdlets.
Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionName $SubscriptionName
Then you will fetch the current custom role by using the below cmdlet.
$role = Get-AzureRmRoleDefinition $roleName
Optionally, if you want to inspect the current role, then you can use below cmdlet to generate JSON file for the current custom role.
Get-AzureRMRoleDefinition -Name $roleName | ConvertTo-Json
Then you can make updates to the "$role" object. One such sample could be as outlined below which adds the action to allow stopping of the VMs and then updates the description of the custom role.
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action") $role.Description = "Can monitor, Start, Stop and restart virtual machines."
Finally, the role is updated back to the Azure portal by using the below cmdlet.
Set-AzureRmRoleDefinition -Role $role
Location of the Complete Script
You can find this script in GitHub at this location: Update-CustomRoleSample.ps1