Skip to content

AzureRoleDefinition

Parameters

Parameter Attribute DataType Description Allowed Values
CustomRoleName Key String Specifies a display name for the custom role definition.
Id Write String Specifies the unique identifier (GUID) of the role definition.
Description Write String Specifies a description for the custom role definition.
Actions Write StringArray[] Specifies the permitted control plane actions for the role definition.
NotActions Write StringArray[] Specifies the excluded control plane actions for the role definition.
DataActions Write StringArray[] Specifies the permitted data plane actions for the role definition.
NotDataActions Write StringArray[] Specifies the excluded data plane actions for the role definition.
AssignableScopes Write StringArray[] Specifies the assignable scopes for the role definition.
Ensure Write String Present ensures the instance exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the workload's Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory application to authenticate with.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

Description

This resource configures Azure RBAC custom role definitions. This resource only manages custom role definitions, not built-in roles. The account used must have sufficient permissions to manage role definitions, such as "Owner" or "User Access Administrator" at the appropriate scope.

Permissions

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AzureRoleDefinition "AzureRoleDefinition-CustomRoleName"
        {
            Actions               = @("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/start/action","Microsoft.Compute/virtualMachines/restart/action");
            ApplicationId         = $ApplicationId;
            AssignableScopes      = @("/subscriptions/00000000-0000-0000-0000-000000000000");
            CertificateThumbprint = $CertificateThumbprint;
            CustomRoleName        = "My Custom Role";
            Description           = "A custom role for managing virtual machines.";
            Ensure                = "Present";
            TenantId              = $TenantId;
        }
    }
}

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AzureRoleDefinition "AzureRoleDefinition-CustomRoleName"
        {
            Actions               = @("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/start/action","Microsoft.Compute/virtualMachines/restart/action","Microsoft.Compute/virtualMachines/deallocate/action");
            ApplicationId         = $ApplicationId;
            AssignableScopes      = @("/subscriptions/00000000-0000-0000-0000-000000000000");
            CertificateThumbprint = $CertificateThumbprint;
            CustomRoleName        = "My Custom Role";
            Description           = "An updated custom role for managing virtual machines."; #Drift
            Ensure                = "Present";
            TenantId              = $TenantId;
        }
    }
}

Example 3

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AzureRoleDefinition "AzureRoleDefinition-CustomRoleName"
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            CustomRoleName        = "My Custom Role";
            Ensure                = "Absent";
            TenantId              = $TenantId;
        }
    }
}