Custom RBAC roles for management groups

Hi Folks,

Customers often ask me about custom RBAC roles and whether they should use that feature.

My answer is:

You can use custom RBAC roles if the predefined roles aren’t granular enough. In the past it wasn’t possible to bind custom RBAC roles to management groups.

Now it’s possible to bind custom RBAC roles to management groups. The creation process is the same; the only difference is that you add a management group scope to the custom RBAC role. I’ve copied a sample from the Microsoft documentation:


{
  "Name": "MG Test Custom Role",
  "Id": "id",
  "IsCustom": true,
  "Description": "This role provides members understand custom roles.",
  "Actions": [
    "Microsoft.Management/managementgroups/delete",
    "Microsoft.Management/managementgroups/read",
    "Microsoft.Management/managementgroups/write",
    "Microsoft.Management/managementgroups/subscriptions/delete",
    "Microsoft.Management/managementgroups/subscriptions/write",
    "Microsoft.resources/subscriptions/read",
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policySetDefinitions/*",
    "Microsoft.PolicyInsights/*",
    "Microsoft.Authorization/roleAssignments/*",
    "Microsoft.Authorization/roledefinitions/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/microsoft.management/managementGroups/ContosoCorporate"
  ]
}
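A role assignable at a management group is inherited by every subscription beneath it, so the definition is worth reviewing before it is created. The script below is an added example, not part of the Microsoft sample or any Microsoft tool: `review_role`, `covers` and the finding texts are hypothetical names, and the two limit checks (one management group per role, DataActions not assignable at management group scope) are assumed from Microsoft's custom-role documentation.

```python
import fnmatch
import json

MG_PREFIX = "/providers/microsoft.management/managementgroups/"
# Operations that let a holder grant access or rewrite role definitions.
ESCALATION_OPS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
]

def covers(pattern, operation):
    """True if an action string (may contain '*') matches; compared case-insensitively."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def review_role(role):
    """Return review findings for a custom role definition (dict)."""
    findings = []
    scopes = role.get("AssignableScopes", [])
    mg_scopes = [s for s in scopes if s.lower().startswith(MG_PREFIX)]
    if not mg_scopes:
        return findings  # not assignable at management group level
    if len(mg_scopes) > 1:
        findings.append("more than one management group in AssignableScopes")
    if role.get("DataActions"):
        findings.append("DataActions on a management-group-scoped role")
    for op in ESCALATION_OPS:
        granted = any(covers(a, op) for a in role.get("Actions", []))
        excluded = any(covers(n, op) for n in role.get("NotActions", []))
        if granted and not excluded:
            findings.append(f"grants {op} at {mg_scopes[0]}")
    return findings

# Constructed sample, modelled on the role definition above (trimmed).
SAMPLE = json.loads("""{
  "Name": "MG Test Custom Role", "IsCustom": true,
  "Actions": [
    "Microsoft.Management/managementgroups/read",
    "Microsoft.Authorization/roleAssignments/*",
    "Microsoft.Authorization/roledefinitions/*"
  ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [
    "/providers/microsoft.management/managementGroups/ContosoCorporate"
  ]
}""")

if __name__ == "__main__":
    for finding in review_role(SAMPLE):
        print("FINDING:", finding)
```

Both wildcard entries are reported because whoever holds the role can assign any role, including Owner, across the whole management group; narrowing them or adding matching NotActions clears the findings.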

Not the biggest, but a really necessary feature.