Azure RBAC/IAM custom role permission problem, help wanted: the user's permissions do not match the configured expectation

How to Restrict a User to Only Read Resource Groups (No Create/Delete Permissions) in Azure

Got it, let's walk through exactly how to set up a custom Azure role that restricts a user to only reading resource groups—no creating or deleting allowed. Here's the complete step-by-step process:

1. Create the Custom Role JSON Definition

First, we'll define the role permissions in a JSON file. This role definition explicitly allows read access to resource groups and excludes the write/delete actions.

Save the following content as resource-group-reader-role.json (replace your-subscription-id-here with your actual Azure subscription ID):

{
    "Name": "Resource Group Reader Only",
    "Id": null,
    "IsCustom": true,
    "Description": "Grants read access to resource groups; blocks creation and deletion",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete"
    ],
    "AssignableScopes": [
        "/subscriptions/your-subscription-id-here"
    ]
}
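The following Python script is an added example, not part of the original answer and not an Azure tool. It evaluates the role definition above offline using the documented Azure RBAC rule that a role's effective permissions are its Actions minus its NotActions (NotActions narrows a role; it is not a deny rule), with `*` as a wildcard and case-insensitive matching. The reader-like and contributor-like roles are constructed simplifications, not the real built-in definitions, and the subscription id is the page's placeholder. It shows what the check in step 4 should observe, that the two NotActions entries here exclude nothing the role would otherwise grant, and that a second, broader assignment on the same user at the same scope would still permit deletion.

```python
import json
import re

# Role definition from step 1, embedded so the check runs offline.
# The subscription id is the same placeholder the page uses.
RESOURCE_GROUP_READER_ROLE = json.loads("""
{
    "Name": "Resource Group Reader Only",
    "Id": null,
    "IsCustom": true,
    "Description": "Grants read access to resource groups; blocks creation and deletion",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete"
    ],
    "AssignableScopes": [
        "/subscriptions/your-subscription-id-here"
    ]
}
""")

# Constructed, simplified stand-ins for built-in roles (NOT the real definitions).
READER_LIKE = {"Name": "reader-like (constructed)", "Actions": ["*/read"], "NotActions": []}
CONTRIBUTOR_LIKE = {
    "Name": "contributor-like (constructed)",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
}

RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"
VM_READ = "Microsoft.Compute/virtualMachines/read"


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' stands for any run of characters
    (including '/'), and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    """Effective permissions of one role = Actions minus NotActions.
    NotActions only narrows this role's own Actions; it never denies what
    another role assignment grants."""
    granted = any(operation_matches(a, operation) for a in role.get("Actions", []))
    excluded = any(operation_matches(n, operation) for n in role.get("NotActions", []))
    return granted and not excluded


def assignments_permit(roles: list, operation: str) -> bool:
    """Several assignments for the same principal at one scope add up:
    access is the union of what each role permits (Azure deny assignments
    are out of scope for this evaluator)."""
    return any(role_permits(r, operation) for r in roles)


def redundant_not_actions(role: dict) -> list:
    """Concrete NotActions entries that exclude nothing, because no Actions
    pattern would have granted them in the first place."""
    actions = role.get("Actions", [])
    return [n for n in role.get("NotActions", [])
            if not any(operation_matches(a, n) for a in actions)]


if __name__ == "__main__":
    for op in (RG_READ, RG_WRITE, RG_DELETE, VM_READ):
        print(f"{op}: {role_permits(RESOURCE_GROUP_READER_ROLE, op)}")
    print("NotActions that exclude nothing:", redundant_not_actions(RESOURCE_GROUP_READER_ROLE))
    print("delete with an extra contributor-like assignment:",
          assignments_permit([RESOURCE_GROUP_READER_ROLE, CONTRIBUTOR_LIKE], RG_DELETE))
```

Two things worth noting from the output: the role as written lets the user list resource groups but not the resources inside them (a `*/read` role would), and the NotActions entries are harmless but redundant, since write and delete were never in Actions. Whether the user can still create or delete resource groups therefore depends on every other assignment they hold at the subscription or management-group scope, not on this role alone.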

2. Import the Custom Role via PowerShell

Next, we'll use PowerShell to add this role to your Azure subscription. Note: If you're using the newer Az module instead of AzureRM, I've included commands for both.

Using AzureRM Module:

# Log in to your Azure account
Connect-AzureRmAccount

# Import the role definition from the JSON file
New-AzureRmRoleDefinition -InputFile "path-to-your-json-file.json"

Using Az Module:

# Log in to your Azure account
Connect-AzAccount

# Import the role definition from the JSON file
New-AzRoleDefinition -InputFile "path-to-your-json-file.json"

3. Assign the Custom Role to a User

Once the role is created, you need to assign it to the target user. Again, commands for both AzureRM and Az modules are included:

Using AzureRM Module:

# Replace these placeholders with your actual values
$subscriptionId = "your-subscription-id-here"
$userEmail = "target-user@yourdomain.com"
$roleName = "Resource Group Reader Only"

# Retrieve the role definition and user object
$role = Get-AzureRmRoleDefinition -Name $roleName
$user = Get-AzureRmADUser -UserPrincipalName $userEmail

# Assign the role to the user at the subscription scope
New-AzureRmRoleAssignment -ObjectId $user.Id -RoleDefinitionId $role.Id -Scope "/subscriptions/$subscriptionId"

Using Az Module:

# Replace these placeholders with your actual values
$subscriptionId = "your-subscription-id-here"
$userEmail = "target-user@yourdomain.com"
$roleName = "Resource Group Reader Only"

# Retrieve the role definition and user object
$role = Get-AzRoleDefinition -Name $roleName
$user = Get-AzADUser -UserPrincipalName $userEmail

# Assign the role to the user at the subscription scope
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionId $role.Id -Scope "/subscriptions/$subscriptionId"

Alternative: Assign via Azure Portal

If you prefer a GUI approach:

  • Open the Azure Portal, navigate to Subscriptions and select your subscription.
  • Go to the Access control (IAM) tab.
  • Click Add > Add role assignment.
  • Search for and select your Resource Group Reader Only role.
  • Switch to the Members tab, search for the target user, select them, then click Review + assign.

4. Verify the Permissions

Have the test user log in to the Azure Portal. They should be able to view all resource groups, but any attempt to create a new resource group or delete an existing one will result in a "Permission denied" error.

The question comes from Stack Exchange; question author: Madhur Asati