Creating Custom Role for Azure Account
The granular permissions required differ depending on whether you create an Azure Stack Hub account, an Azure Compute account using a new AD application, or an Azure Compute account using an existing account.
Permissions for Azure Compute Account (Existing Account) and Azure Stack Hub Account
If you plan to add an Azure Stack Hub account or an Azure Compute account using an existing Azure AD user account (select the Use the existing account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- Run one of the following scripts in Azure PowerShell:
Script for Az PowerShell
Script for Legacy AzureRM PowerShell
- Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- In the Subscription step of the Microsoft Azure Compute Account wizard, select Use existing account and select the Azure user with the assigned role. For details, see Select Access Type.
Permissions for Azure Compute Account (New Account)
If you plan to add an Azure Compute account using an Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard), and you do not want to use built-in Azure roles, you can create a custom role with granular permissions:
- Run one of the following scripts in Azure PowerShell:
Script for Az PowerShell
Script for Legacy AzureRM PowerShell
- Assign the created role to the required Azure user. For details, see the Manage access to Azure resources using RBAC and the Azure portal section in the RBAC for Azure resources documentation.
- In the Subscription step of the Microsoft Azure Compute Account wizard, select Create a new account and click the Configure account link. In the window, select the Azure user with the assigned role. For details, see Select Access Type.
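A check to run after either procedure above, as an added example (not part of the original documentation or the product's scripts): it confirms that the role is custom, contains no wildcard actions, is assignable only within the intended subscription, and lists who currently holds it. The role name and subscription ID are placeholders, and the script assumes the Az module with an active Connect-AzAccount session.

```powershell
# Added example: audit a custom role after it has been created and assigned.
# $RoleName and $SubscriptionId are placeholders; substitute your own values.
param(
    [string]$RoleName       = '<custom-role-name>',
    [string]$SubscriptionId = '<subscription-id>'
)

function Test-CustomRole {
    param($Role, [string]$ExpectedScope)
    $findings = @()

    # A built-in role here means the custom role was not the one resolved.
    if (-not $Role.IsCustom) { $findings += 'Role is built-in, not custom.' }

    # Wildcards widen the role beyond an explicit, granular permission list.
    foreach ($action in @($Role.Actions) + @($Role.DataActions)) {
        if ($action -and $action.Contains('*')) {
            $findings += "Wildcard action: $action"
        }
    }

    # The role should only be assignable inside the intended subscription.
    foreach ($scope in @($Role.AssignableScopes)) {
        if ($scope -and -not $scope.StartsWith($ExpectedScope, 'OrdinalIgnoreCase')) {
            $findings += "Assignable outside expected subscription: $scope"
        }
    }
    return $findings
}

Set-AzContext -Subscription $SubscriptionId | Out-Null

$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) { throw "Role '$RoleName' not found in subscription $SubscriptionId." }

$findings = Test-CustomRole -Role $role -ExpectedScope "/subscriptions/$SubscriptionId"
if ($findings.Count -eq 0) {
    Write-Output "No findings for role '$RoleName'."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Who holds the role: expect only the account selected in the wizard.
Get-AzRoleAssignment -RoleDefinitionName $RoleName |
    Select-Object DisplayName, SignInName, ObjectType, Scope
```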