...
Tip |
---|
The permission If you are planning to install Breeze Agent, the permission |
b) 'Start from JSON'. Use the JSON template below. Fill your subscription id in the {subscription_id} field.
```json
{
  "IsCustom": true,
  "Name": "CloudAware Collector Extended",
  "Description": "For collecting data about Blob Containers and VHDs we need to get access to the Storage Account keys as the default role Reader does not provide API access to these keys.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "notActions": [],
  "assignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}
```
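A pre-deployment check for the role template above, as an added example that is not CloudAware's own code: it fills the `{subscription_id}` placeholder, rejects values that are not GUIDs, and lists every action that goes beyond read access so a reviewer can confirm it is intended. The function names, the finding labels and the all-zero subscription id are assumptions made for illustration; the template is abridged (the Description field is omitted).

```python
import json
import re

# Role template from this page, abridged; {subscription_id} is still unfilled.
TEMPLATE = """{
  "IsCustom": true, "Name": "CloudAware Collector Extended",
  "Actions": ["Microsoft.Compute/virtualMachines/extensions/write",
              "Microsoft.Storage/storageAccounts/listKeys/action"],
  "notActions": [],
  "assignableScopes": ["/subscriptions/{subscription_id}"]
}"""

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SCOPE = re.compile(r"^/subscriptions/([^/]+)(/.*)?$")


def get_ci(obj, key):
    """Case-insensitive list lookup (the template mixes 'Actions' and 'notActions')."""
    return next((v for k, v in obj.items() if k.lower() == key.lower()), [])


def render(template, subscription_id):
    """Fill the placeholder, refusing anything that is not a GUID."""
    if not GUID.match(subscription_id):
        raise ValueError("subscription id must be a GUID")
    return json.loads(template.replace("{subscription_id}", subscription_id))


def review(role):
    """Return (label, value) findings to confirm before the role is created."""
    findings = []
    for action in get_ci(role, "Actions"):
        if "*" in action:
            findings.append(("wildcard", action))
        elif not action.lower().endswith("/read"):
            # Write and */action operations exceed what Reader grants.
            findings.append(("beyond-read", action))
    for scope in get_ci(role, "AssignableScopes"):
        m = SCOPE.match(scope)
        if not m or not GUID.match(m.group(1)):
            # Catches a placeholder that was never filled in.
            findings.append(("bad-scope", scope))
    return findings


if __name__ == "__main__":
    # The all-zero GUID is a constructed sample, not a real subscription.
    for kind, value in review(render(TEMPLATE, "00000000-0000-0000-0000-000000000000")):
        print(f"{kind}: {value}")
```

Both actions in the template are reported as `beyond-read`, which matches the page's own description: the role exists because Reader does not expose the storage account keys.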
Commonly used Azure built-in roles:

Built-in Role | ID |
---|---|
Reader | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c |
Virtual Machine Contributor | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
Virtual Network Contributor | b34d265f-36f7-4a0d-a4d4-e158ca92e90f |
Storage Account Contributor | |
Web Plan Contributor | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
SQL server Contributor | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
SQL DB Contributor | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |

c) 'Clone a role'. Select one* of the existing roles and open the 'JSON' tab to modify the permissions. In case a custom role already exists in your environment, the JSON body should look like the template below:
...
Replace {your-existing-Role-definition-id} with your role definition id. In the "AssignableScopes" section, add the string "/subscriptions/{subscription-id}" with your {subscription-id}.
*The commonly used Azure built-in roles with the necessary permissions are listed above with their IDs.
4. Assign the custom role to a user if you are adding a Native application, or to the application if you are adding a Web app/API. By performing this action, you confirm that access to your virtual machines is granted to the appropriate user for potential data modification.
Custom role creation in Azure Portal is an asynchronous operation, so there may be a delay before it completes.
...