Custom Roles
Start course

Role-Based Access Control, or RBAC, is how you can manage access to resources in Azure. RBAC works by creating role assignments that can apply to different levels of your tenant. A role assignment is broken down into three elements: the security principal, the role definition, and the scope you apply it to.

Custom roles in Azure's role-based access control provide the flexibility for any organization to create roles that are not covered by the built-in roles.

We will also look at common scenarios when troubleshooting role-based access control in Azure.

Learning Objectives

  • Identify the different elements that create the role assignment
  • Configure access to resources in Azure
  • Implement a custom role
  • Troubleshoot common RBAC problems

Intended Audience

  • People who want to become Azure administrators


  • General knowledge of the Azure portal

Related Training Content

To discover more courses covering Microsoft Azure topics, visit our dedicated Azure Training Library.


Create a custom role for RBAC. Azure has many built-in roles that cover most of the needs for any team, but sometimes those built-in roles don't cut it. You can create your own custom role to meet those needs. Custom roles can be created using Azure PowerShell, Azure CLI or the REST API. For this demonstration we will use the Azure Cloud Shell to create a custom role using Azure CLI. Here we are back in the Azure portal, where we will create a custom role. To start we need to go to the Azure Cloud Shell. We can open the Cloud Shell by selecting the Cloud Shell icon at the top of the page, or we can open a new tab and go to We will be creating a custom role called Virtual Machine Operator. Let's open Visual Studio Code and look at our custom role. Our template is broken down into several sections. We have the name of the custom role, then we have the IsCustom, which indicates that this is a custom role. We have the description, which provides a short description of the role so others can understand what this custom role does. Action, which specifies what you're allowed to do. NotActions, which is to deny actions. And AssignableScope, this is where we will list our scope for our custom role. 

Let's apply the custom role to the subscription. Type in AZ role definition create dash dash role definition and the name of the file, which is vmoperator.json, and hit Enter. After we have applied the command we can go back to the Azure portal, where we will select our resource group and go to Access control, Roles and scroll to the bottom to find our Virtual Machine Operator custom role. You will notice that the icon is different to easily indicate that this is a custom role. If during your testing of the new custom role, you notice that the role cannot do a certain action, you can return to your role definition and add the missing action. In this instance we will allow the role the ability to schedule shutdowns. We will add the Microsoft.DevTestLab/schedules. We will then save the file and then we'll type AZ role definition update dash dash role-definition and the name of the file. If the custom role is no longer needed you can delete it by typing AZ role definition delete name and provide the name of the custom role. In summary, we looked at a custom role definition and reviewed all the sections. We then created a new custom role, updated the role and then deleted the roll as we no longer needed it.

About the Author

With over 15 years of experience in the IT industry, Eric Leonard is a Microsoft Azure MVP and a Cloud Solution Architect. Eric’s experience working with Microsoft technologies, with a strong emphasis on cloud and automation solutions, enables his clients to succeed in today’s technological environment. Eric has worked for clients in a variety of different industries including large and small enterprises, the public sector, professional services, education, and communications.

When he is not working, Eric believes in sharing his knowledge and giving back to the IT community. He is the co-organizer of the Ottawa IT community meetup, which has over 1,000 members, and he enjoys presenting and mentoring in the community.