Create custom roles with Azure Arc-enabled SCVMM

If the built-in roles of Azure Arc-enabled SCVMM don't meet the specific needs of your organization, create custom roles to provide permissions at a granular level to your end users.

Like built-in roles, assign custom roles to users at subscription and resource group scopes to control access. Store custom roles in a Microsoft Entra directory and share them across subscriptions. Each directory can have up to 5,000 custom roles. Create custom roles by using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles by using the Azure portal for Azure Arc-enabled SCVMM.

To learn more about Azure custom roles, see the following articles:

Prerequisites

Ensure you have permissions to create custom roles, such as Owner or User Access Administrator.

Create custom role

To create a custom role with Azure Arc-enabled SCVMM, follow these steps:

  1. Sign in to the Azure portal, open the subscription where you want to create the custom role, and then open Access control (IAM).
  2. Select + Add and then select Add custom role.
  3. On the Basics tab, enter the custom role name, description, and choose the baseline permissions. Select Next.
  4. On the Permissions tab, select + Add permissions to add actions to your baseline permissions or Exclude permissions to remove actions from your baseline permissions. If you're creating a new role from scratch, select Add permissions.
  5. On the Add permissions or Exclude permissions window, search for scvmm and select Microsoft.SCVMM.
  6. On the Microsoft.SCVMM permissions page, select the desired permissions to add or exclude and then select Add.
  7. Add permissions from other resource providers to this custom role, if needed, and select Next.

Note

Ensure that the Microsoft.KubernetesConfiguration/extensions/read permission is added to the custom role. This permission is required both when you create a custom role from scratch and when you create one from a built-in role.

  8. On the Assignable scopes tab, you can optionally choose additional subscriptions and resource groups where this custom role can be available for assignment. Then select Next.
  9. On the JSON tab, you can optionally download the JSON format of the custom role to create more custom roles from a baseline permission set. Once done, select Next.
  10. On the Review + create tab, select Create to create your custom role for Azure Arc-enabled SCVMM.
  11. After creating the custom role, you can view, update, and delete custom roles by following these steps:

To manage custom roles by using Azure PowerShell, Azure CLI, REST APIs, ARM, or Bicep templates, see the detailed documentation on Azure role-based access control.
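A check for a role definition downloaded from the JSON tab, added here as an example and not part of the original article or any Microsoft tooling: it confirms that Microsoft.KubernetesConfiguration/extensions/read is still granted after any excluded permissions are applied, and lists wildcard actions for least-privilege review. The `properties.permissions` layout, the Microsoft.SCVMM action names, and the subscription ID in the sample are assumptions constructed for illustration.

```python
import json
import re

REQUIRED = "Microsoft.KubernetesConfiguration/extensions/read"  # from the Note above

# Constructed sample. The layout, the Microsoft.SCVMM action names and the
# subscription ID are assumptions for illustration, not values from the article.
SAMPLE_ROLE = """
{"properties": {
  "roleName": "SCVMM VM operator (sample)",
  "description": "Constructed sample role",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [{
    "actions": ["Microsoft.SCVMM/virtualMachines/read",
                "Microsoft.SCVMM/virtualMachines/*/action",
                "Microsoft.KubernetesConfiguration/*"],
    "notActions": ["Microsoft.KubernetesConfiguration/extensions/*"],
    "dataActions": [], "notDataActions": []}]}}
"""

def matches(pattern, action):
    """Case-insensitive match where '*' in the pattern covers any run of characters."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def is_granted(role, action):
    """True if a permission block allows the action and its notActions do not remove it."""
    for perm in role["properties"]["permissions"]:
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        excluded = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def review(role):
    """Return findings: the required read permission first, then wildcard actions."""
    findings = []
    if not is_granted(role, REQUIRED):
        findings.append("missing required permission: " + REQUIRED)
    for perm in role["properties"]["permissions"]:
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append("wildcard action to review: " + action)
    return findings

if __name__ == "__main__":
    for finding in review(json.loads(SAMPLE_ROLE)):
        print(finding)
```

In the sample, the wildcard under Microsoft.KubernetesConfiguration appears to cover the required read, but the excluded `extensions/*` pattern removes it, so the role is reported as missing the permission.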

Next Steps