Introduction
In modern cloud computing, managing access and permissions to resources is crucial to maintaining security and governance in Azure. To manage RBAC roles and permissions programmatically, developers can use Azure's REST API. Before using the API to create custom roles and assign them to users or principals in an Azure subscription, complete the two steps below to grant the App Registration the permissions it needs.
- Confirm that the App Registration has been assigned a role on that same subscription with the necessary authorization permissions, because the REST API calls authenticate with the Secret Value (one of the four required IDs) generated from the App Registration itself. (Steps detailed below.)
- Check whether the Authorization service resource provider is registered. If it is not registered, register it on the Subscription page, as shown below.
Assign the Custom RBAC Role to the Principal ID of App Registration
Follow the below steps to assign the custom RBAC role to App Registration in the portal.
1. Go to the Subscription resource -> click on IAM in the left panel -> click on Add custom role as below.
2. After clicking Add custom role, you are redirected to a new page for creating a custom role. Give a sample role name in the Basics tab -> go to the Permissions tab -> click on Add permissions -> search for Authorization permissions -> select all of the permissions below, as shown in the image.
```
Microsoft.Authorization/roleDefinitions/read
Microsoft.Authorization/roleDefinitions/write
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
```
3. Click on Review + Create. The custom role is created under the CustomRole category.
4. Now assign the newly created custom RBAC role to the principal ID of the App Registration. Click on Add role assignment.
5. Search for the custom role created in step 3 -> click Next.
6. Go to the Members tab -> click on Select members -> search for the name of the App Registration to which you want to assign the custom role -> click Select -> click Review + assign.
Steps to Check the Service Based Resource Providers Registered
Go to Subscriptions -> click on Resource providers in the left panel -> check whether Microsoft.Authorization is registered.
Generate Bearer Token Using Tenant ID, Client ID & Secret Value
1. Use the token endpoint https://login.microsoftonline.com/<tenant id>/oauth2/token
2. Paste the above URL, with your Tenant ID substituted, into the Postman application.
3. Go to Body -> select x-www-form-urlencoded and provide the body below as key/value pairs (for example, provide grant_type as the key and client_credentials as the value):
```
grant_type: client_credentials
client_id: <Client ID>
client_secret: <Secret Value>
resource: https://management.azure.com/
```
4. The above request responds in JSON format; pass the value of the access_token key as a bearer token in all subsequent REST API operations.
Create the Custom Role Using Azure REST API
- Use the REST API below to create the custom role; replace the subscription ID value and use the PUT method.
- Use the link below to generate a new UUID, and use the same value in the API URL and in the request body.
- Go to Headers and provide the data below as key/value pairs:
```
Content-Type: application/json
Authorization: Bearer <paste the generated bearer token from the previous step>
```
- Provide the sample API request body below in the Body tab -> select raw.
```json
{
  "name": "<UUID Value which you generated>",
  "properties": {
    "roleName": "readonly_role_user",
    "description": "This role is created using REST API",
    "type": "CustomRole",
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "notActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/<subscriptionId>"
    ]
  }
}
```
Now click on Send in the same request; a successful response returns the same roleName, as in the sample response below.
```json
{
  "properties": {
    "roleName": "readonly_role_user123",
    "type": "CustomRole",
    "description": "This role is created using REST API",
    "assignableScopes": [
      "/subscriptions/<your subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2023-07-18T06:00:15.2547378Z",
    "updatedOn": "2023-07-18T06:00:15.2547378Z",
    "createdBy": null,
    "updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50"
  },
  "id": "/subscriptions/<your subscription id>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "40182542-2530-11ee-be56-0242ac120002"
}
```
Assign the Custom Role to Principal ID Using Azure REST API
- Use the REST API below to assign the custom role to the user; replace the subscription ID value and use the PUT method.
- Use the link below to generate another new UUID and use it in the above API URL; in the request body, pass the UUID of the custom role created earlier.
- Go to Headers and provide the data below as key/value pairs:
```
Content-Type: application/json
Authorization: Bearer <paste the generated bearer token from the previous step>
```
- Provide the sample API request body below in the Body tab -> select raw.
```json
{
  "properties": {
    "roleDefinitionId": "/subscriptions/{subscriptionID}/providers/Microsoft.Authorization/roleDefinitions/{use UUID of created role}",
    "principalId": "{ObjectID of User}"
  }
}
```
- Use the object ID of any user at the organization or tenant level and substitute it for the UserID placeholder for the user to whom you will assign the custom role created in the previous step.
- Now click Send in the same request; a successful response returns the same roleDefinitionId, as shown below.
```json
{
  "properties": {
    "roleDefinitionId": "/subscriptions/<your subscriptionID>/providers/Microsoft.Authorization/roleDefinitions/40182542-2530-11ee-be56-0242ac120002",
    "principalId": "<principalID of an User>",
    "principalType": "User",
    "scope": "/subscriptions/<subscriptionID>",
    "condition": null,
    "conditionVersion": null,
    "createdOn": "2023-07-18T06:05:15.0772903Z",
    "updatedOn": "2023-07-18T06:05:15.8182412Z",
    "createdBy": null,
    "updatedBy": "4adee83f-2a94-4507-bb62-7c1d7f802a50",
    "delegatedManagedIdentityResourceId": null,
    "description": null
  },
  "id": "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/roleAssignments/40182a42-2530-11ee-be56-0242ac120002",
  "type": "Microsoft.Authorization/roleAssignments",
  "name": "40182a42-2530-11ee-be56-0242ac120002"
}
```
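The three calls the post walks through (the token request, the PUT of the role definition and the PUT of the role assignment) as one added Python script; this is not code from the original post. It assumes the standard ARM endpoints for roleDefinitions and roleAssignments at subscription scope with api-version 2022-04-01, which the post does not spell out, and the tenant, client, subscription and principal values are placeholders you supply.

```python
import json
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"  # assumed api-version for roleDefinitions and roleAssignments

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials grant against the v1 token endpoint the post uses."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "resource": ARM + "/"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def put_json(url, token, body):
    """PUT a JSON body with the Content-Type and bearer headers from the post."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def role_definition_body(role_id, role_name, subscription_id, actions):
    """Body for PUT roleDefinitions/{role_id}; the id must be a GUID."""
    uuid.UUID(role_id)  # fail early: ARM rejects non-GUID role definition names
    return {"name": role_id, "properties": {
        "roleName": role_name, "type": "CustomRole",
        "description": "This role is created using REST API",
        "permissions": [{"actions": list(actions), "notActions": []}],
        "assignableScopes": [f"/subscriptions/{subscription_id}"]}}

def role_assignment_body(subscription_id, role_id, principal_id):
    """Body for PUT roleAssignments/{assignment_id}; links the principal to the role."""
    role_def = f"/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_id}"
    return {"properties": {"roleDefinitionId": role_def, "principalId": principal_id}}

def create_and_assign(token, subscription_id, principal_id, role_name="readonly_role_user"):
    """Create a */read custom role, then assign it at subscription scope."""
    base = f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Authorization"
    role_id = str(uuid.uuid4())        # fresh UUID for the definition, as in the post
    put_json(f"{base}/roleDefinitions/{role_id}?api-version={API_VERSION}", token,
             role_definition_body(role_id, role_name, subscription_id, ["*/read"]))
    assignment_id = str(uuid.uuid4())  # second, distinct UUID for the assignment
    return put_json(f"{base}/roleAssignments/{assignment_id}?api-version={API_VERSION}",
                    token, role_assignment_body(subscription_id, role_id, principal_id))
```

Call `create_and_assign(get_token(tenant, client, secret), subscription, principal_object_id)` to run the whole flow; the App Registration behind `client` needs the four Microsoft.Authorization permissions listed earlier, or the PUT calls return 403.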
Conclusion
Drop a query if you have any questions regarding the Azure REST API, and we will get back to you quickly.
FAQs
1. Can we assign the same role to multiple users with the same steps above?
ANS: Yes. Use the role assignment REST API again for each additional user: get that user's principal ID and replace it in the request body.
2. Can we create roles based on the permissions we want to grant on specific resources?
ANS: Yes. Specify those permissions in the actions key of the create-role sample request body.

WRITTEN BY Sridhar Andavarapu
Sridhar Andavarapu is a Senior Research Associate at CloudThat, specializing in AWS, Python, SQL, data analytics, and Generative AI. With extensive experience in building scalable data pipelines, interactive dashboards, and AI-driven analytics solutions, he helps businesses transform complex datasets into actionable insights. Passionate about emerging technologies, Sridhar actively researches and shares insights on AI, cloud analytics, and business intelligence. Through his work, he aims to bridge the gap between data and strategy, helping enterprises unlock the full potential of their analytics infrastructure.