Skip to main content
Skip table of contents

Creating Custom Role in Microsoft Azure

This article explains how to create a custom role for Cloudaware in Microsoft Azure. You need be Owner or User Access Administrator in Microsoft Azure to create custom roles.

Create role for Storage Account keys access

The built-in role "Reader" may not have required permissions, such as default access to the Storage Account keys necessary for collecting data about VHDs.

1. In the Azure portal, select a subscription or a resource group where a custom role should to be assigned.

2. Open 'Access control (IAM)'. Click Add → Add custom role. Name the role Cloudaware Custom Policy.

3. Select one of the following options to proceed:

a) 'Start from scratch'.

Open the tab Permissions → Add permissions. Copy and paste Microsoft.Storage/storageAccounts/listKeys/action in the Search for a permission box to select Microsoft Storage. Check the box near the permission. Click Add.

Click Add.

The permission Microsoft.Storage/storageAccounts/listKeys/action grants 'read' access to Storage Account Keys. 

If you are planning to install Breeze Agent, the permission Microsoft.Compute/virtualMachines/extensions/write is required for this custom role as well.

b) 'Start from JSON'.

Use the JSON template below to create a file. Fill your subscription id in the {subscription_id} field.

CODE 
{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}

c) 'Clone a role'. Select one* of the existing roles.

*Commonly used Azure built-in roles:

Built-in Role

ID

Reader

acdd72a7-3385-48ef-bd42-f606fba81ae7

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Virtual Machine Contributor

d73bb868-a0df-4d4d-bd69-98a00b01fccb

Virtual Network Contributor

b34d265f-36f7-4a0d-a4d4-e158ca92e90f

Storage Account Contributor

86e8f5dc-a6e9-4c67-9d15-de283e8eac25

Web Plan Contributor

2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b

SQL server Contributor

6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437

SQL DB Contributor

9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

Read more

Open the tab 'JSON' to check and modify the permissions (see 3 a) if necessary. The JSON body of the existing role should look like in the template below:

CODE 
{
  "name": "{your-existing-Role-definition-id}",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}",
     "/subscriptions/{subscription-id}",
    "/subscriptions/{subscription-id}"
  ],
  "RoleName": "{your-Role-name}",
  "RoleType": "CustomRole",
  "type": "Microsoft.Authorization/RoleDefinitions"
}

Replace {your-existing-Role-definition-id} with your role definition id. In the section "AssignableScopes" add the string "/subscriptions/{subscription-id}" with your {subscription-id}.

4. If you add a native application, assign the created custom role to a user. If you add a Web app/API, assign the role to the application.

Creating a custom role in the Azure Portal is an asynchronous process, which means there may be a delay between the role's creation and its availability.

5. Open the tab 'Review + Create'. Check the role details and click Create.

Create role for tagging

Create a custom role to provide Cloudaware with permissions for tagging Azure resources:

CODE 
"properties": {
        "roleName": "{your-Role-name}",
        "description": "{your-Role-description}",
        "assignableScopes": [
            "/subscriptions/{subscription-id}",
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/tagNames/read",
                    "Microsoft.Resources/subscriptions/tagNames/write",
                    "Microsoft.Resources/subscriptions/tagNames/delete",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/read",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/write",
                    "Microsoft.Resources/subscriptions/tagNames/tagValues/delete",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/delete",
                    "Microsoft.Resources/tags/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }

Replace {your-Role-name}, {your-Role-description} and {subscription-id} with corresponding values from your Azure environment.

Update existing Cloudaware custom policy

Cloudaware may introduce new capabilities that require additional actions and permissions. If a custom role is already in place, it can be updated once across all subscriptions. Cloudaware Technical Account manager will provide the instructions.

Creating a custom role in the Azure Portal is an asynchronous process, which means there may be a delay between the role's creation and its availability.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close