Find Azure RBAC Roles with specific permissions
In order to apply the Least Privilege Principle in Azure you sometimes need to find the best-fitting Azure RBAC role for the job. The default roles Owner, Contributor and Reader grant far too much in most cases.
Example:
You want to give an Automation Account the permission to Start, Stop and Restart Virtual Machines in your environment.
The permissions needed to perform the actions are:
- Microsoft.Compute/virtualMachines/start/action
- Microsoft.Compute/virtualMachines/stop/action
- Microsoft.Compute/virtualMachines/restart/action
See: Azure Built-in Roles for Virtual Machines
But how do you find the Roles with those permissions?
- In the Portal navigate to the Resource (or one of the levels above)
- Go to “Access Control (IAM)”, choose “Add” and then “Add role assignment”
- Type in the specific action in the search field.
In our case we're searching for 'Microsoft.Compute/virtualMachines/start/action'. The Azure Portal will then show you all Role Definitions that include this permission.
- Be aware that Microsoft has started to split the Role Definitions by “Job function roles” and “Privileged administrator roles” (the tabs above the search field).
You should aim for using a “Job function role” to actually follow the Least Privilege Principle.
- Have a look at the Details view to check for the Role with the least permissions needed to perform the job.
In our case we have two viable options:
- Virtual Machine Contributor – but with quite broad permissions.
- One Custom Role we called “Virtual Machine Operator” with necessary permissions for starting/stopping VMs and Scale Sets.
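The same search can be scripted instead of clicked through the Portal. This is an added example, not code from the original post: it applies Azure's RBAC matching rules (a `*` in Actions spans any characters including `/`, matching is case-insensitive, and NotActions are subtracted) to a constructed sample shaped like `az role definition list -o json` output. The role definitions here, including the "Virtual Machine Operator" custom role, are illustrative stand-ins for the ones exported from your own tenant.

```python
import json
import re
# Constructed sample shaped like `az role definition list -o json` output;
# the role names and action patterns are illustrative, not copied from Azure.
SAMPLE_ROLE_DEFINITIONS = json.loads("""[
 {"roleName": "Reader", "roleType": "BuiltInRole",
  "permissions": [{"actions": ["*/read"], "notActions": []}]},
 {"roleName": "Contributor", "roleType": "BuiltInRole",
  "permissions": [{"actions": ["*"], "notActions": [
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"]}]},
 {"roleName": "Virtual Machine Contributor", "roleType": "BuiltInRole",
  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*",
    "Microsoft.Network/networkInterfaces/*"], "notActions": []}]},
 {"roleName": "Virtual Machine Operator", "roleType": "CustomRole",
  "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/stop/action",
    "Microsoft.Compute/virtualMachines/restart/action"], "notActions": []}]}
]""")

VM_POWER_ACTIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/stop/action",
    "Microsoft.Compute/virtualMachines/restart/action",
]

def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, '/' included, and
    the comparison is case-insensitive. A plain substring search misses this."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def permission_allows(permission: dict, operation: str) -> bool:
    """Granted if an Actions pattern matches and no NotActions pattern does
    (NotActions are subtracted from Actions; they are not a deny rule)."""
    granted = any(matches(p, operation) for p in permission.get("actions", []))
    excluded = any(matches(p, operation) for p in permission.get("notActions", []))
    return granted and not excluded

def roles_granting(role_defs: list, operations: list) -> list:
    """Names of roles whose permission blocks cover every requested operation."""
    return [r["roleName"] for r in role_defs
            if all(any(permission_allows(p, op) for p in r["permissions"])
                   for op in operations)]

def wildcard_actions(role_defs: list, role_name: str) -> list:
    """Action patterns with '*' in the named role: each grants more than the
    operations you searched for, so prefer a candidate where this is empty."""
    role = next(r for r in role_defs if r["roleName"] == role_name)
    return [a for p in role["permissions"] for a in p["actions"] if "*" in a]
```

Run `roles_granting(SAMPLE_ROLE_DEFINITIONS, VM_POWER_ACTIONS)` against your exported definitions to get every candidate, then use `wildcard_actions` to see which of them only cover the start/stop/restart actions because of a broad wildcard.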
Hope that helps.