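# Creates the custom Azure RBAC role 'Veeam Restore Operator', which carries the
# permissions this script lists for Veeam Restore to Microsoft Azure.
# Run it from a session that is already signed in to Azure; the script itself
# performs no login.
#
# NOTE(review): the AzureRM modules have been retired by Microsoft. The Az-module
# counterparts of the cmdlets used below are Get-AzRoleDefinition and
# New-AzRoleDefinition; confirm the role-definition type name before porting.
Import-Module AzureRm.Resources

$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Veeam Restore Operator'
$role.Description = 'Permissions for Veeam Restore to Microsoft Azure'
$role.IsCustom = $true

# Allowed operations, grouped by resource provider.
# Every entry is separated by a comma: the original list had none between
# 'disks/endGetAccess/action' and 'Microsoft.Resources/checkResourceName/action',
# which only parses when the two entries sit on different lines.
$permissions = @(
    # Storage.
    # SECURITY: listkeys/action returns the storage account access keys, and a key
    # gives full data-plane access to that account. Treat every holder of this role
    # as able to read and modify all data in the storage accounts within scope.
    'Microsoft.Storage/storageAccounts/listkeys/action',
    'Microsoft.Storage/storageAccounts/read',

    # Networking
    'Microsoft.Network/locations/checkDnsNameAvailability/read',
    'Microsoft.Network/virtualNetworks/read',
    'Microsoft.Network/virtualNetworks/subnets/join/action',
    'Microsoft.Network/publicIPAddresses/read',
    'Microsoft.Network/publicIPAddresses/write',
    'Microsoft.Network/publicIPAddresses/delete',
    'Microsoft.Network/publicIPAddresses/join/action',
    'Microsoft.Network/networkInterfaces/read',
    'Microsoft.Network/networkInterfaces/write',
    'Microsoft.Network/networkInterfaces/delete',
    'Microsoft.Network/networkInterfaces/join/action',
    'Microsoft.Network/networkSecurityGroups/read',
    'Microsoft.Network/networkSecurityGroups/write',
    'Microsoft.Network/networkSecurityGroups/delete',
    'Microsoft.Network/networkSecurityGroups/join/action',

    # Compute: virtual machines
    'Microsoft.Compute/locations/vmSizes/read',
    'Microsoft.Compute/locations/usages/read',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Compute/virtualMachines/extensions/read',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachines/convertToManagedDisks/action',

    # Compute: managed disks
    'Microsoft.Compute/disks/read',
    'Microsoft.Compute/disks/write',
    'Microsoft.Compute/disks/beginGetAccess/action',
    'Microsoft.Compute/disks/delete',
    'Microsoft.Compute/disks/endGetAccess/action',

    # Resource management
    'Microsoft.Resources/checkResourceName/action',
    'Microsoft.Resources/subscriptions/resourceGroups/read',
    'Microsoft.Resources/subscriptions/resourceGroups/write',
    'Microsoft.Resources/subscriptions/locations/read'
)
$role.Actions = $permissions

# Reuse the exclusions of the built-in 'Virtual Machine Contributor' role.
# If this lookup returns nothing (role not found, or the session is not
# authenticated), NotActions stays empty and nothing is excluded, so check
# the value before relying on it.
$role.NotActions = (Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor').NotActions

# Placeholder value: replace it with your own subscription ID.
# SECURITY: this makes the role assignable across the whole subscription. When
# assigning it, prefer the narrowest scope the restore workflow allows.
# NOTE(review): whether Veeam works with a resource-group-only scope is not
# shown here - confirm against the vendor documentation.
$subs = '/subscriptions/00000000-0000-0000-0000-000000000000'
$role.AssignableScopes = $subs

# Register the role definition. Creating it grants nothing by itself; access
# only takes effect through role assignments, which should be reviewed separately.
New-AzureRmRoleDefinition -Role $role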