Azure – Access Control (IAM): Invisible custom roles

Somogyi János 6 Reputation points
2021-04-14T14:43:33.273+00:00

In Azure, I was playing with custom roles, I created some then I deleted them. I saw them in the listing at

Subscriptions>#######>Access Control (IAM)>Roles

where I used the type filter to make it show only the custom roles. They were there, just as I created them. I deleted them eventually, as I didn't need them anymore.

Now I wanted to make some again, and suddenly when I create one, everything seems fine, Azure tells me it was created, but then I don't see it. If I want to create it once again, it tells me a custom role with that name already exists.

Where are they, why can't I see them?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Somogyi János 6 Reputation points
    2021-04-15T05:35:56.757+00:00

    So it turned out that there's a specific kind of custom role I don't see after having created it: actually, I wanted to define a custom role with an assignable scope limited to only one virtual machine instance in a specific resource group. I still have no idea why I can't see these (and only these), but there is a workaround, which may be the preferred way by Azure, no idea.
    It's:

    1. Go to the virtual machine you want to grant access to
    2. There is an Access Control (IAM) panel, too
    3. Add an Owner role to somebody you want to have access to that particular virtual machine only

    The person will be able to start/stop this specific virtual machine. Done.

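The workaround above grants Owner on the VM, and Owner includes Microsoft.Authorization/* on that resource, so the person can also hand out access to the VM to others. What the question set out to do, a custom role whose AssignableScopes is the single VM and whose Actions are only the power-state operations, is narrower. The following is an added example, not code from the question or from either answer. It assumes the Az.Resources module, an already authenticated session (Connect-AzAccount), and placeholder subscription, resource group, VM and principal identifiers; the role name "VM Power Operator" is also made up here.

```powershell
# Added example, not from the original thread. Assumes Az.Resources and an
# authenticated session. Every identifier below is a placeholder.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-demo"                                 # placeholder
$vmName         = "vm-demo"                                 # placeholder
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: object ID of a user, group or service principal

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# Role definition: read plus the four power-state actions, nothing else.
# AssignableScopes is the VM resource ID, so the role can only be assigned
# at that VM and will not appear in the subscription-level role listing.
$roleName = "VM Power Operator ($vmName)"                   # placeholder name
$roleDefinition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Start, stop, restart and deallocate one VM; read its properties."
    Actions          = @(
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($vmId)
}

# Look for an existing definition at the VM scope first. A subscription-scope
# listing would not show it, but a second New-AzRoleDefinition with the same
# name would still fail, so decide between create and update here.
$existing = Get-AzRoleDefinition -Custom -Scope $vmId |
            Where-Object { $_.Name -eq $roleName }
if ($existing) {
    $roleDefinition.Id = $existing.Id       # Set-AzRoleDefinition matches on Id
}

$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) "vm-power-operator.json"
$roleDefinition | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding utf8

$role = if ($existing) {
    Set-AzRoleDefinition -InputFile $roleFile
} else {
    New-AzRoleDefinition -InputFile $roleFile
}

# Assign by definition Id at the VM scope. The assignment scope must be inside
# AssignableScopes, so anything above the VM would be rejected.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $vmId | Out-Null

# Confirm what the principal holds on this VM.
Get-AzRoleAssignment -Scope $vmId -ObjectId $principalId |
    Format-Table RoleDefinitionName, Scope -AutoSize
```

If the built-in Virtual Machine Contributor role from the second answer is used instead, note that it carries Microsoft.Compute/virtualMachines/*, which includes runCommand/action, so it is still considerably broader than a start/stop-only role.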

  2. Siva-kumar-selvaraj 15,596 Reputation points
    2021-04-19T13:25:13.83+00:00

    Hello @Somogyi János ,

    Thanks for reaching out and apologize for delayed response.

    There could be chances that if the selected subscription isn't in the AssignableScopes of the role, the custom role won't be listed. If the selected subscription is in the AssignableScopes, then it must list the custom role definition, which can be viewed from the Portal as well as by using the Az PowerShell module cmdlet Get-AzRoleDefinition -Custom.

    In addition to that, when you delete and recreate a role definition with the same name, there should not be any issues as long as the custom role definition was deleted successfully.

    You could use the VM Contributor role, by which users can start/stop a specific virtual machine.

    Hope this helps.

    More information, refer:
    https://video2.skills-academy.com/en-us/azure/role-based-access-control/custom-roles-powershell#list-custom-roles
    https://video2.skills-academy.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

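The answer above points at AssignableScopes as the reason a role disappears from the subscription listing. Get-AzRoleDefinition takes a -Scope parameter, so the same roles can be enumerated at the subscription and at the VM and compared, which both explains the "invisible" role and locates the definition that causes the "a custom role with that name already exists" error. This is an added example, not code from the thread; it assumes an authenticated Az session, and the subscription ID, resource group and VM name are placeholders.

```powershell
# Added example, not from the original thread. Assumes Az.Resources and an
# authenticated session. Identifiers below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$subscriptionScope = "/subscriptions/$subscriptionId"
$vmId = "$subscriptionScope/resourceGroups/rg-demo" +
        "/providers/Microsoft.Compute/virtualMachines/vm-demo"     # placeholder

function Get-CustomRoleVisibility {
    <#
      Enumerates custom roles at each scope given and reports, per role,
      which of those scopes surfaces it and what its AssignableScopes are.
      A role whose AssignableScopes is only a VM shows up at the VM scope
      but not at the subscription scope, which is what the Portal's
      subscription IAM blade lists.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $Scope
    )
    $byName = @{}
    foreach ($s in $Scope) {
        foreach ($role in (Get-AzRoleDefinition -Custom -Scope $s)) {
            if (-not $byName.ContainsKey($role.Name)) {
                $byName[$role.Name] = [pscustomobject]@{
                    Name             = $role.Name
                    Id               = $role.Id
                    AssignableScopes = @($role.AssignableScopes)
                    VisibleAt        = [System.Collections.Generic.List[string]]::new()
                }
            }
            $byName[$role.Name].VisibleAt.Add($s)
        }
    }
    return $byName.Values
}

$report = Get-CustomRoleVisibility -Scope @($subscriptionScope, $vmId)

$report | Format-Table Name,
    @{ n = 'VisibleAt';        e = { $_.VisibleAt -join '; ' } },
    @{ n = 'AssignableScopes'; e = { $_.AssignableScopes -join '; ' } } -Wrap

# The roles the subscription IAM blade cannot show: none of their
# AssignableScopes is the subscription or an ancestor of it.
$hidden = $report | Where-Object { $_.VisibleAt -notcontains $subscriptionScope }
$hidden | Format-Table Name, Id -AutoSize

# To clear a stale resource-scoped definition that blocks re-creation under
# the same name, delete it at the scope where it was found (uncomment to run):
# foreach ($r in $hidden) { Remove-AzRoleDefinition -Id $r.Id -Scope $vmId -Force }
```

The second answer's point that deleting and recreating under the same name is fine only holds when the delete actually targeted the definition; a Remove-AzRoleDefinition run without -Scope against a VM-scoped role cannot find it, which is why the listing per scope is done before the delete.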