Add a Custom Role Assignment

Custom roles are used to tighten the DNS Proxy application's access instead of relying solely on Azure's built-in permissions. Follow the steps below to add a custom role assignment.

  1. Go to your Microsoft Azure Portal.

  2. In the top search bar, type subscriptions and select Subscriptions from the results.

  3. Click your subscription name. The Subscription page opens.

    • Select Access control (IAM) from the left-hand menu.

    • Click the Roles tab.

    • Click Add and select Add custom role from the drop-down menu.

  4. On the Create a custom role page, click the JSON tab, and then click Edit.

  5. Copy the following JSON and paste it into the text box, overwriting the existing JSON text.

        {
            "properties": {
                "roleName": "AzureADAgent Resource Reader",
                "description": "Read ResourceGroups, Virtual Machine & Network Interface Data",
                "assignableScopes": ["/subscriptions/<subscription-id>"],
                "permissions": [
                    {
                        "actions": ["<read action>"],
                        "notActions": [],
                        "dataActions": [],
                        "notDataActions": []
                    }
                ]
            }
        }

  6. Click Next.

  7. Click Create. You have now created a custom role named AzureADAgent Resource Reader.


    It can take several minutes for a custom role to propagate throughout the tenant.

  8. Return to the Subscriptions page and select Access control (IAM) in the left-hand menu.

  9. Click the Roles tab and, in the search bar, enter AzureADAgent Resource Reader.

  10. On the Subscriptions page, select Access control (IAM) in the left-hand menu and click Add Role Assignment. The Add role assignment window displays:

    • From the Role menu, select AzureADAgent Resource Reader.

    • From the Assign access to menu, select User, group, or service principal.

    • From the Select menu, select DNSProxy.

  11. Click Save.
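
Before the role is assigned to DNSProxy, the role definition JSON can be checked for least privilege. The following Python check is an added example, not part of the original page or the vendor's tooling: it confirms that a role definition grants only read actions and is assignable no higher than subscription level. The three actions and the all-zero subscription ID in the sample are assumptions constructed from the role description, not the product's actual list, and audit_role is a hypothetical helper name.

```python
import json

# Constructed sample: the actions are assumptions inferred from the role
# description on this page; the subscription ID is a placeholder.
SAMPLE_ROLE = json.loads("""
{"properties": {
  "roleName": "AzureADAgent Resource Reader",
  "description": "Read ResourceGroups, Virtual Machine & Network Interface Data",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "permissions": [{
    "actions": [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Network/networkInterfaces/read"
    ],
    "notActions": [], "dataActions": [], "notDataActions": []
  }]
}}
""")


def audit_role(role):
    """Return a list of findings; an empty list means read-only and subscription-scoped."""
    findings = []
    props = role.get("properties", {})
    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        # Root ("/") or a management group makes the role assignable beyond one subscription.
        if not scope.lower().startswith("/subscriptions/"):
            findings.append(f"broad assignable scope: {scope}")
    for perm in props.get("permissions", []):
        granted = perm.get("actions", []) + perm.get("dataActions", [])
        if not granted:
            findings.append("permissions block grants nothing")
        for action in granted:
            if "*" in action:
                findings.append(f"wildcard: {action}")
            elif not action.lower().endswith("/read"):
                findings.append(f"not a read action: {action}")
    return findings


if __name__ == "__main__":
    for line in audit_role(SAMPLE_ROLE) or ["OK: read-only, subscription-scoped"]:
        print(line)
```
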