I'm trying to create a Custom Role in Azure (RBAC). But when I execute the PowerShell command New-AzureRmRoleDefinition,
here is the message I get saying that I'm not authorized to create it.
> New-AzureRmRoleDefinition .\developer_access_rbac.json
New-AzureRmRoleDefinition : AuthorizationFailed: The client '[email protected]' with object id
'{guid}' does not have authorization to perform action
'Microsoft.Authorization/roleDefinitions/write' over scope
'/providers/Microsoft.Authorization/roleDefinitions/{guid}'.
At line:1 char:1
+ New-AzureRmRoleDefinition .\developer_access_rbac.json
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleDefinition], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleDefinitionCommand
I asked one of our administrators in our organization, and he says the account [email protected]
is already a Global Administrator. And in the Active Directory, [email protected]
is displayed as a Service Administrator.
I'm a little confused by these permission levels in Azure. Can anyone explain to me how to acquire the needed permission for the account [email protected]
to solve the issue?
Taken from https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/#custom-roles-access-control:
Who can create a custom role? Owners (and User Access Administrators) of subscriptions, resource groups, and resources can create custom roles for use in those scopes. The user creating the role needs to be able to perform Microsoft.Authorization/roleDefinition/write operation on all the AssignableScopes of the role.
Who can modify a custom role? Owners (and User Access Administrators) of subscriptions, resource groups, and resources can modify custom roles in those scopes. Users need to be able to perform the Microsoft.Authorization/roleDefinition/write operation on all the AssignableScopes of a custom role.
Who can view custom roles? All built-in roles in Azure RBAC allow viewing of roles that are available for assignment. Users who can perform the Microsoft.Authorization/roleDefinition/read operation at a scope can view the RBAC roles that are available for assignment at that scope.
I actually came across this same issue and found the error to be misleading.
I had to clear the assignable scopes and then add one back.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/12345678912345789123456789")
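As an added example (not code from the question or either answer), the following PowerShell first checks that the signed-in account actually holds Microsoft.Authorization/roleDefinitions/write at the subscription that will be the role's only AssignableScope, which is the condition the first answer quotes from the docs, and then builds the definition from a built-in role as a template, resetting AssignableScopes the way the second answer does. The subscription id, role name and the actions granted are placeholders.

```powershell
# Added example using the AzureRm cmdlets the question uses.
# Placeholders (not from the original post): subscription id, role name, actions.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "Developer Access"                        # placeholder
$neededAction   = "Microsoft.Authorization/roleDefinitions/write"

# Who am I in this Azure context? (Azure AD directory roles such as Global
# Administrator are not what is checked here; only RBAC assignments are.)
$signInName = (Get-AzureRmContext).Account.Id

# Collect the RBAC roles assigned to this account (including via groups)
# at or above the target scope, and test whether any of them permits the action.
$assignments = Get-AzureRmRoleAssignment -SignInName $signInName -Scope $scope -ExpandPrincipalGroups
$canWrite = $false
foreach ($a in $assignments) {
    $def     = Get-AzureRmRoleDefinition -Name $a.RoleDefinitionName
    # Azure action strings use '*' as a wildcard, which -like understands.
    $allowed = @($def.Actions    | Where-Object { $neededAction -like $_ }).Count -gt 0
    $denied  = @($def.NotActions | Where-Object { $neededAction -like $_ }).Count -gt 0
    if ($allowed -and -not $denied) { $canWrite = $true; break }
}

if (-not $canWrite) {
    # Without Owner / User Access Administrator (or equivalent) at $scope,
    # New-AzureRmRoleDefinition will fail with AuthorizationFailed as in the question.
    throw "$signInName lacks $neededAction at $scope; ask an Owner or User Access Administrator of the subscription."
}

# Build the custom role from a built-in template, then overwrite the fields we need.
$role             = Get-AzureRmRoleDefinition -Name "Reader"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = "Custom role created from PowerShell (placeholder description)."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")      # placeholder action
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")

# AssignableScopes must contain only scopes where $canWrite holds; a stale or
# empty list is what the second answer had to fix by clearing and re-adding.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

New-AzureRmRoleDefinition -Role $role
```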