Custom_VM_Reader_RBAC_Role.ps1
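# Walk-through: build a custom Azure RBAC role named "VM Reader" by cloning the
# built-in "Virtual Machine Contributor" definition, reducing it to read-only
# actions, and assigning it to one user at subscription scope.
Set-Location C:\Temp
Clear-Host

# Values used more than once are defined here so the scope and the target user
# cannot drift apart between the check, assign and re-check steps.
$subscriptionScope = "/subscriptions/cff58289-560f-42b2-9bb6-b532d52b928c"
$roleName = "VM Reader"
# PLACEHOLDER: replace with the sign-in name (UPN) of the user who receives the role.
$signInName = "<user@example.com>"

#We need the necessary cmdlets
# This pulls the newest Az release from the configured repository on every run
# and overwrites what is installed. In a controlled environment, pin a reviewed
# version with -RequiredVersion instead.
Install-Module -Name Az -Force -AllowClobber -Verbose

#Log into Azure
Connect-AzAccount

#Select the correct subscription
Get-AzContext
Get-AzSubscription
Get-AzSubscription -SubscriptionName "MSDN Platforms" | Select-AzSubscription

#First look
Get-AzProviderOperation "Microsoft.Support/*" | Format-Table Operation, Description -AutoSize

#Checking the roles for the intended user
Get-AzRoleAssignment -Scope $subscriptionScope -SignInName $signInName

#Powershell create custom role
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
if ($null -eq $role) {
    throw "Template role 'Virtual Machine Contributor' was not found in the current context."
}

# A null Id makes New-AzRoleDefinition create a new definition instead of
# addressing the built-in one.
$role.Id = $null
$role.Name = $roleName
$role.Description = "Can see VMs"

# Start from an empty permission set. Clearing only Actions would leave any
# NotActions / DataActions / NotDataActions of the template role in the clone,
# so the new role could grant more than the three read patterns listed below.
$role.Actions.Clear()
foreach ($listName in 'NotActions', 'DataActions', 'NotDataActions') {
    if ($null -ne $role.$listName) {
        $role.$listName.Clear()
    }
}

# NOTE(review): these wildcards allow every control-plane read operation of the
# three providers, which is broader than the "Can see VMs" description suggests.
# Narrow them if only VM visibility is required.
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")

# The role can only be assigned inside this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subscriptionScope)

#Create the new role
New-AzRoleDefinition -Role $role

#Assign the new role
# NOTE(review): the assignment covers the whole subscription. Prefer a resource
# group or resource scope when the user only needs part of it.
New-AzRoleAssignment -SignInName $signInName -RoleDefinitionName $roleName -Scope $subscriptionScope

#Checking the roles for the intended user
Get-AzRoleAssignment -Scope $subscriptionScope -SignInName $signInName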