---
title: Azure RBAC Custom Roles
description: How to set up Azure custom roles for OpenOps Benchmark using RBAC
icon: microsoft
---
import JoinCommunity from '/snippets/join-community.mdx'
OpenOps provides Azure custom role definitions to create RBAC roles in your Azure subscriptions with the necessary permissions to run benchmark assessments and collect cost optimization data.
The template creates the OpenOps Azure Benchmark Reader custom role with read-only permissions for running Azure cost optimization benchmarks. The role includes read access to:
- Compute resources: Virtual machines, managed disks, snapshots, and images
- Networking: Network interfaces and public IP addresses
- App Services: Web apps, App Service Plans, and App Service Environments
- Databases: Azure SQL servers, databases, and elastic pools
- Cost and billing: Cost Management queries, consumption usage details, and billing properties
- Monitoring: Azure Monitor metrics
- Optimization: Azure Advisor recommendations and metadata
Download Bicep template | Download JSON template
**Parameters**

**AssignableScopes (required)**

Before creating the custom role, you must configure the `AssignableScopes` parameter to specify where this role can be assigned.

Choose the appropriate scope for your deployment:
**Single subscription**

**JSON:**

```json
"AssignableScopes": [
  "/subscriptions/11111111-1111-1111-1111-111111111111"
]
```

**Bicep parameter:**

```bash
--parameters assignableScopes='["/subscriptions/11111111-1111-1111-1111-111111111111"]'
```
**Multiple subscriptions**

**JSON:**

```json
"AssignableScopes": [
  "/subscriptions/11111111-1111-1111-1111-111111111111",
  "/subscriptions/22222222-2222-2222-2222-222222222222",
  "/subscriptions/33333333-3333-3333-3333-333333333333"
]
```

**Bicep parameter:**

```bash
--parameters assignableScopes='["/subscriptions/11111111-1111-1111-1111-111111111111","/subscriptions/22222222-2222-2222-2222-222222222222","/subscriptions/33333333-3333-3333-3333-333333333333"]'
```
**Management group**

**JSON:**

```json
"AssignableScopes": [
  "/providers/Microsoft.Management/managementGroups/my-management-group"
]
```

**Bicep parameter:**

```bash
--parameters assignableScopes='["/providers/Microsoft.Management/managementGroups/my-management-group"]'
```
**Bicep:**

- Update the `assignableScopes` parameter in the command below with your subscription ID(s):

  ```bash
  az deployment sub create \
    --name openops-azure-benchmark-reader-role \
    --location westus2 \
    --template-file "./OpenOps Azure Benchmark Reader.role-definition.bicep" \
    --parameters assignableScopes='["/subscriptions/<subscription-id>"]'
  ```

- For multiple subscriptions:

  ```bash
  az deployment sub create \
    --name openops-azure-benchmark-reader-role \
    --location westus2 \
    --template-file "./OpenOps Azure Benchmark Reader.role-definition.bicep" \
    --parameters assignableScopes='["/subscriptions/sub-1","/subscriptions/sub-2"]'
  ```

Notes:

- This is a subscription-scoped deployment. For management group scope, see the management group configuration above.
**JSON:**

- Edit the `AssignableScopes` field in `OpenOps Azure Benchmark Reader.role-definition.json` with your subscription ID(s).
- Create the role:

  ```bash
  az role definition create \
    --role-definition "./OpenOps Azure Benchmark Reader.role-definition.json"
  ```

- To update an existing role:

  ```bash
  az role definition update \
    --role-definition "./OpenOps Azure Benchmark Reader.role-definition.json"
  ```

After creating the custom role, assign it to the service principal that OpenOps uses to connect to Azure.
**Single subscription**

```bash
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/11111111-1111-1111-1111-111111111111"
```

**Multiple subscriptions**

Run the assignment once per subscription:

```bash
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/11111111-1111-1111-1111-111111111111"
```

```bash
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/22222222-2222-2222-2222-222222222222"
```

**Management group**

```bash
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/my-management-group"
```

**Verification**

Verify the role definition was created:

```bash
az role definition list \
  --name "OpenOps Azure Benchmark Reader" \
  -o json
```

Check role assignments for your service principal:

```bash
az role assignment list \
  --assignee "<service-principal-object-id>" \
  --all \
  -o table
```

**Cost Management permissions**

For subscription-scope cost queries, the role includes `Microsoft.CostManagement/query/action` for the POST query API.
Azure Cost Management access commonly requires related read permissions in billing and cost surfaces. This role includes:

- `Microsoft.CostManagement/query/action`
- `Microsoft.CostManagement/*/read`
- `Microsoft.Consumption/*/read`
- `Microsoft.Billing/billingPeriods/read`
- `Microsoft.Billing/billingProperty/read`
- `Microsoft.Resources/subscriptions/read`
- `Microsoft.Resources/subscriptions/resourceGroups/read`

For subscriptions under EA or certain billing setups, cost visibility may also depend on billing-side settings such as view charges access.
Notes:

- `AssignableScopes` is required for all Azure custom roles.
- A management group is above subscriptions in the Azure hierarchy.
- If you use multiple subscriptions in `AssignableScopes`, the role is limited to those subscriptions only.
- Role creation requires permission to manage custom roles for every scope listed in `AssignableScopes`.
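As an added example (not OpenOps' own code and not the downloadable template), the following Python script does two checks a reviewer would want before and after deploying the role: it audits a role definition JSON for least privilege (every action is a `/read`, apart from the `Microsoft.CostManagement/query/action` the Cost Management section above requires; no data-plane actions; a non-empty, well-formed `AssignableScopes` list as the notes above require), and it compares the JSON output of `az role assignment list --assignee ... --all -o json` with the scopes where the role should be assigned, flagging missing assignments and any other role granted to the same service principal. The role definition and assignment list below are constructed for illustration from the permissions listed on this page; the field names `roleDefinitionName` and `scope` are the ones the Azure CLI emits in its JSON output.

```python
"""Audit an Azure custom role definition and its assignments.

Added example; the sample definition and assignment list are constructed
for illustration and are not the OpenOps template or real CLI output.
"""
import re

ROLE_NAME = "OpenOps Azure Benchmark Reader"

# The only non-"/read" action the page says the reader role needs
# (the Cost Management POST query API).
ALLOWED_NON_READ_ACTIONS = {"Microsoft.CostManagement/query/action"}

SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
MANAGEMENT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")

# Constructed role definition in the Azure CLI JSON layout, using only
# permissions quoted on this page.
SAMPLE_DEFINITION = {
    "Name": ROLE_NAME,
    "IsCustom": True,
    "Description": "Constructed illustration, not the downloadable template",
    "Actions": [
        "Microsoft.CostManagement/query/action",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Billing/billingProperty/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"],
}

# Constructed stand-in for `az role assignment list --assignee <sp> --all -o json`.
# The second entry simulates an over-privileged leftover assignment.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": ROLE_NAME, "principalType": "ServicePrincipal",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
    {"roleDefinitionName": "Contributor", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
]
EXPECTED_SCOPES = {
    "/subscriptions/11111111-1111-1111-1111-111111111111",
    "/subscriptions/22222222-2222-2222-2222-222222222222",
}


def audit_role_definition(definition: dict) -> list[str]:
    """Return findings for a role definition; an empty list means it passes."""
    findings = []
    for action in definition.get("Actions", []):
        # A bare "*" or any write/delete/action verb fails this test;
        # wildcard reads such as "Microsoft.Consumption/*/read" pass.
        if action.endswith("/read") or action in ALLOWED_NON_READ_ACTIONS:
            continue
        findings.append(f"non-read action: {action}")
    for key in ("DataActions", "NotDataActions"):
        if definition.get(key):
            findings.append(f"{key} must be empty for a control-plane reader role")
    scopes = definition.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is required and must not be empty")
    for scope in scopes:
        if not (SUBSCRIPTION_SCOPE.match(scope) or MANAGEMENT_GROUP_SCOPE.match(scope)):
            findings.append(f"unrecognised scope: {scope}")
    return findings


def check_assignments(assignments: list[dict], expected_scopes: set[str]) -> list[str]:
    """Compare the principal's assignments with the scopes the role should cover."""
    findings = []
    seen = set()
    for a in assignments:
        if a["roleDefinitionName"] == ROLE_NAME:
            seen.add(a["scope"])
        else:
            findings.append(f"unexpected role {a['roleDefinitionName']!r} at {a['scope']}")
    for scope in sorted(expected_scopes - seen):
        findings.append(f"missing assignment at {scope}")
    for scope in sorted(seen - expected_scopes):
        findings.append(f"assignment at unexpected scope {scope}")
    return findings


if __name__ == "__main__":
    print("definition:", audit_role_definition(SAMPLE_DEFINITION) or "OK")
    for line in check_assignments(SAMPLE_ASSIGNMENTS, EXPECTED_SCOPES):
        print("assignments:", line)
```

To run it against real data, load the edited `OpenOps Azure Benchmark Reader.role-definition.json` with `json.load` and pass the parsed output of `az role assignment list --assignee "<service-principal-object-id>" --all -o json` in place of the constructed samples; placeholder scopes such as `/subscriptions/sub-1` are deliberately reported as unrecognised so they cannot slip into a deployment.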
You're welcome to download and modify the role definition according to your needs. Note that some OpenOps benchmark workflows may not function properly if required permissions are removed.