Creating Custom Role for Azure and Azure Stack Hub Accounts
The granular permissions you need differ depending on whether you create an Azure Stack Hub account, an Azure Compute account using a new AD application, or an Azure Compute account using an existing AD application.
Permissions for Azure Compute Account (Existing Application)
If you plan to add an Azure Compute account using an existing Azure AD application (select the Use the existing account option at the Access Type step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- Run one of the following scripts in Azure PowerShell:
Script for Az PowerShell
Note: Consider the following:
Script for Legacy AzureRM PowerShell
Note: Consider the following:
- Assign the created role to the required application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- At the Access Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
- At the Subscription step, specify Azure AD application with the assigned role.
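The Az PowerShell path above leaves two things to the operator: confirming that the role is scoped to a single subscription and assigning it to the existing application. The following script is an added example, not part of the Veeam documentation or its scripts; it assumes an authenticated Az session, a role-definition JSON file in the format accepted by New-AzRoleDefinition -InputFile (Name, Actions, NotActions, AssignableScopes), and placeholder values for the file path and the application (client) ID.

```powershell
# Added example: create the custom role from a role-definition JSON file and assign it to
# the existing AD application's service principal, after checking that the definition is
# scoped to this subscription only and grants no wildcard actions.
# Assumptions: Az module installed, Connect-AzAccount already done, placeholders below.
$RoleFile = '.\veeam-custom-role.json'               # placeholder: role JSON (Name/Actions/AssignableScopes)
$AppId    = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD application (client) ID

$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub"

# Load the definition and refuse any assignable scope other than this subscription
$role = Get-Content -Raw -Path $RoleFile | ConvertFrom-Json
$bad  = @($role.AssignableScopes | Where-Object { $_ -ne $scope })
if ($bad.Count -gt 0) {
    throw "AssignableScopes must contain only $scope (found: $($bad -join ', '))"
}

# A granular role lists explicit operations; a bare '*' would make it equivalent to Owner
$wild = @($role.Actions | Where-Object { $_ -eq '*' })
if ($wild.Count -gt 0) { throw "Role grants '*'; remove wildcard actions before creating it" }

# Create the role definition, reusing it if a role with that name already exists
$definition = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
if (-not $definition) { $definition = New-AzRoleDefinition -InputFile $RoleFile }

# Resolve the service principal behind the existing application and assign the role
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) { throw "No service principal found for application $AppId" }

$assignment = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $definition.Name -Scope $scope
if (-not $assignment) {
    $assignment = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $definition.Name -Scope $scope
}

# Show what was granted, to whom, and where, for the change record
$assignment | Format-List RoleDefinitionName, Scope, ObjectId, ObjectType
```

The checks run before anything is created, so a definition with a broader scope or a wildcard action is rejected rather than silently assigned.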
Permissions for Azure Compute Account (New Application)
If you plan to add an Azure Compute account using a new Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- Run one of the following scripts in Azure PowerShell:
Script for Az PowerShell
Note: Consider the following:
Script for Legacy AzureRM PowerShell
Note: Consider the following:
- Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- At the Access Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
- At the Subscription step, configure the account as described in Creating New Azure AD Application. On the Microsoft Azure device authentication page, specify an Azure AD user account with the assigned role.
Permissions for Azure Stack Hub Compute Account (Existing Application)
If you plan to add an Azure Stack Hub account using an existing AD application (select the Use the existing account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
- Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.
JSON — Permissions for Existing Application
- Assign the created role to the required Azure AD application. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- At the Account Type step of the Microsoft Azure Compute Account wizard, select Use existing account.
- At the Subscription step of the wizard, specify the Azure AD application with the assigned role.
Permissions for Azure Stack Hub Compute Account (New Application)
If you plan to add an Azure Stack Hub account using a new Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- In the Azure Stack Hub management portal, go to subscription properties and open Access control (IAM).
- Create a custom role from a JSON file as described in Microsoft Docs. Use the following JSON. In the assignableScopes field, specify your subscription ID.
JSON — Permissions for New Application
- Assign the created role to the required Azure AD user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- At the Account Type step of the Microsoft Azure Compute Account wizard, select Create a new account.
- At the Subscription step, configure the account as described in Creating New Azure AD Application. On the Microsoft Azure device authentication page, specify an Azure AD user account with the assigned role.