Azure Custom Roles supports AGDLP Principle


Last week Microsoft introduced the Azure Custom Roles functionality in their Role Based Access model. We now have the possibility to create custom Roles for granting access to resources on Microsoft Azure. Looking to RBAC this is a very nice addition and really powerful. A lot of companies have invested in AGDLP in their on premise Active Directory. Today I’ve tested if this investment can be re-used when granting permissions based on these groups to custom roles in Azure.

So I’ve created 2 Active Directory Groups in my on-premise Active Directory. One Global Group which has a ‘admin’ user account as a member and one Local Domain group which has the global group as a member. It would be nice if we can grant access on Azure Based on a Custom Role. Let’s start with creating a custom role and then assign this role to the group:

  1. Export a built-in role to a .json file by executing this command:
    #Export Role Defenition to JSON
    Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-JSon | Out-File C:\tmp\AzureRoles\VMCont.json
  2. Change the JSON file based on your needs for the custom role. I’ve created a role which can start/stop/restart Virtual Machines and can read all other information from the VMs:
        "Name":  "INTRA Custom VM Operator Role",
        "Description":  "Lets you start/stop virtual machines",
        "Actions":  [
        "NotActions":  [
        "AssignableScopes":  [

    In the above JSON file you have to change <<subscriptionID>> with your own subscriptionID

  3. Next is to create a custom role based on this JSON file
    #Create Azure RM Role Definition
    New-AzureRmRoleDefinition -InputFile C:\tmp\AzureRoles\Intra_VM_Operator.json
  4. Now we have the custom role we can assign this role to the Local Domain group which is synced to Azure Active Directory. The following commands will do this:
    #Get Group and Role Definition
    $group    = Get-AzureRmADGroup | Where-Object {$_.DisplayName -eq "L-Azure-VMOperator"}
    $role_def = Get-AzureRmRoleDefinition -Name "INTRA Custom VM Operator Role"
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role_def.Name -Scope '/subscriptions/<<subscriptionID>>/ResourceGroups/AVRDS01'

    In this example the Scope is a ResourceGroup inside my Azure Subscription, this could be change based on your own requirements. You also need to change <<subscriptionID>> with your own subscriptionID

  5. This is all, now it’s time to for the test J

First go to and login with the user account which is added to your on-premise Global Active Directory Group:

When the logon process is finished I can see all the resources of that Resource Group:

And based on the rights from the custom role I’m able to start the Virtual Machines:

Conclusion: It’s possible to re-use your existing AGDLP investment for granting permissions on Microsoft Azure using the Built-in or custom Roles.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.