
Find Azure RBAC Roles with specific permissions

To apply the principle of least privilege in Azure you sometimes need to find the best-fitting Azure RBAC role for the job. The default roles Owner, Contributor and Reader grant far more than is needed in most cases.

Example:
You want to give an Automation Account the permission to Start, Stop and Restart Virtual Machines in your environment.

The permissions needed to perform the actions are:

  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/stop/action
  • Microsoft.Compute/virtualMachines/restart/action

See: Azure Built-in Roles for Virtual Machines

But how do you find the Roles with those permissions?

  1. In the Portal navigate to the Resource (or one of the levels above)
  2. Go to “Access Control (IAM)”, choose “Add” and then “Add role assignment”

    (Screenshot: Azure Access Control - Add Role Assignment)

  3. Type in the specific action in the search field.
    In our case we’re searching for ‘Microsoft.Compute/virtualMachines/start/action’
  4. The Azure Portal will show you all Role Definitions that have this permission included.

    (Screenshot: Azure Access Control - Search Role by specific permission)
  5. Be aware that Microsoft has started to split the Role Definitions by “Job function roles” and “Privileged administrator roles” (the tabs above the search field).

    You should aim for a “Job function role” to actually follow the Least Privilege Principle.

  6. Have a look at the Details view to check for the Role with the least permissions needed to perform the job.

    (Screenshot: Azure Access Control - Show Role Details)

In our case we have two viable options:

  1. Virtual Machine Contributor – but with quite broad permissions.
  2. A custom role we called “Virtual Machine Operator” that carries the permissions needed to start and stop VMs and Scale Sets.
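A scripted version of the lookup above, as an added example that is not part of the original post. It works on role definitions in the JSON shape that `az role definition list` returns, honours Azure's `*` wildcards and `notActions` when deciding whether a role grants an action (so roles that grant the action through a wildcard such as `Microsoft.Compute/virtualMachines/*` or `*` are found too), ranks the fitting roles narrowest first, and, for the case where no built-in role fits, builds a custom role definition like the “Virtual Machine Operator” mentioned above. The embedded role definitions are constructed and abbreviated, the custom role's action list and the `/subscriptions/<subscription-id>` scope are placeholders, and the breadth ranking is a heuristic of this example, not an Azure API.

```python
"""Find the narrowest Azure RBAC role for a set of required actions.

Runs offline on role definitions in the JSON shape returned by
`az role definition list`. The definitions below are constructed and
abbreviated samples; export the real ones with
`az role definition list > roles.json` and load that file instead.
"""
import fnmatch
import json

# The actions from the post.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/stop/action",
    "Microsoft.Compute/virtualMachines/restart/action",
]

# Constructed, abbreviated sample roles (the real built-in definitions
# contain many more actions and notActions).
SAMPLE_ROLES = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write"]}]},
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Virtual Machine Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*",
                                  "Microsoft.Compute/disks/*",
                                  "Microsoft.Network/networkInterfaces/*"],
                      "notActions": []}]},
    # Hypothetical custom role modelled on the post's "Virtual Machine Operator".
    {"roleName": "Virtual Machine Operator", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                  "Microsoft.Compute/virtualMachines/start/action",
                                  "Microsoft.Compute/virtualMachines/stop/action",
                                  "Microsoft.Compute/virtualMachines/restart/action",
                                  "Microsoft.Compute/virtualMachineScaleSets/read",
                                  "Microsoft.Compute/virtualMachineScaleSets/start/action"],
                      "notActions": []}]},
]


def _matches(pattern, action):
    # Azure RBAC: '*' matches any run of characters, '/' included; names are
    # case-insensitive, so compare lower-cased with fnmatchcase.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_by(role, action):
    """Return the most specific `actions` pattern that grants `action`,
    or None when no pattern matches or a `notActions` entry excludes it."""
    perms = role["permissions"]
    actions = [p for perm in perms for p in perm.get("actions", [])]
    not_actions = [p for perm in perms for p in perm.get("notActions", [])]
    if any(_matches(p, action) for p in not_actions):
        return None
    matches = [p for p in actions if _matches(p, action)]
    if not matches:
        return None
    # Longer literal prefix before the first '*' means a narrower pattern.
    return max(matches, key=lambda p: len(p.split("*")[0]))


def rank_roles(roles, required):
    """Roles that grant every required action, narrowest first.
    Heuristic: sum of literal prefix lengths of the matched patterns
    (exact matches score highest), then the number of notActions."""
    ranked = []
    for role in roles:
        matched = [granted_by(role, a) for a in required]
        if any(m is None for m in matched):
            continue
        specificity = sum(len(m.split("*")[0]) for m in matched)
        excluded = sum(len(p.get("notActions", [])) for p in role["permissions"])
        ranked.append((role["roleName"], matched, specificity, excluded))
    ranked.sort(key=lambda r: (-r[2], -r[3]))
    return [(name, matched) for name, matched, _, _ in ranked]


def custom_role_definition(name, actions, assignable_scope, description=""):
    """Build a custom role granting exactly `actions`, in the JSON shape
    accepted by `az role definition create --role-definition @role.json`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


if __name__ == "__main__":
    for name, matched in rank_roles(SAMPLE_ROLES, REQUIRED_ACTIONS):
        print(f"{name}: granted via {matched}")
    role = custom_role_definition(
        "Virtual Machine Operator",
        REQUIRED_ACTIONS + ["Microsoft.Compute/virtualMachines/read"],
        "/subscriptions/<subscription-id>",  # placeholder scope
        "Start, stop and restart virtual machines")
    print(json.dumps(role, indent=2))
```

The wildcard handling matters in practice: a role such as Contributor never lists `Microsoft.Compute/virtualMachines/start/action` literally, yet grants it through `*`, so a plain text search over the exported JSON would miss it while the effective grant still exists. Exact-action roles sort first because they are the least-privilege fit the post is after.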

Hope that helps.
