Unit 3: Configure Custom Azure Roles

Why Custom Roles Exist

Built-in roles are designed for common use cases, but real organizations often need very specific permissions. Assigning a broad built-in role just because a narrow one doesn’t exist violates the principle of least privilege.

Custom roles allow you to define exactly which actions are allowed, and nothing more.

Characteristics of Custom Roles

• Stored in Microsoft Entra ID.
• Can be assigned at management group, subscription, or resource group scope.
• Can be reused across subscriptions.
• Each tenant can have up to 5,000 custom roles.

Custom roles are ideal for scenarios such as allowing billing visibility without allowing billing changes.

Creating Custom Roles

Custom roles can be created:

• Through the Azure portal UI.
• Using JSON templates.
• Via PowerShell, CLI, or REST API.

A custom role definition includes:

• A role name and description.
• Assignable scopes.
• Allowed actions.
• Explicitly denied actions.

Wildcards can be used, but they must be applied carefully to avoid over-permissioning.