Add a Custom Role Assignment
Use a custom role to tighten DNS Proxy application access rather than relying solely on Azure's built-in permissions. Follow the steps below to add a custom role assignment.
Go to your Microsoft Azure Portal.
In the top search bar, type subscriptions and select Subscriptions from the results.
Click your subscription name. The Subscription page opens.
Select Access control (IAM) from the left-hand menu.
Click the Roles tab.
Click Add and select Add custom role from the drop-down menu.
On the Create a custom role page, click the JSON tab, and then click Edit.
Copy the following JSON and paste it into the text box, overwriting the existing JSON text:
{
  "properties": {
    "roleName": "AzureADAgent Resource Reader",
    "description": "Read ResourceGroups, Virtual Machine & Network Interface Data",
    "assignableScopes": [
      "/subscriptions/3f51630f-4c88-4fba-b57a-5c39b5662a2f"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/diagnosticIdentity/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/instanceView/read",
          "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Click Next.
Click Create. You have now created a custom role named AzureADAgent Resource Reader.
Note
It can take a number of minutes for a custom role to propagate throughout the tenant.
Return to the Subscriptions page and select Access control (IAM) in the left-hand menu.
Click the Roles tab and, in the search bar, enter AzureADAgent Resource Reader.
On the Subscriptions page, select Access control (IAM) in the left-hand menu and click Add Role Assignment. The Add role assignment window displays.
From the Role menu, select AzureADAgent Resource Reader.
From the Assign access to menu, select User, group, or service principal.
From the Select menu, select DNSProxy.
Click Save.
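The role JSON from the custom role step can be checked for least privilege before it is pasted into the portal. The Python sketch below is an added example, not part of the original procedure or any vendor tooling; the function name audit_role and the all-zero subscription ID are assumptions for illustration. It flags assignable scopes outside your own subscription, wildcard or non-read actions, and any data-plane actions.

```python
import json
import re

# Role definition as shown on this page, including its subscription ID.
PAGE_ROLE = json.loads("""
{"properties": {
  "roleName": "AzureADAgent Resource Reader",
  "assignableScopes": ["/subscriptions/3f51630f-4c88-4fba-b57a-5c39b5662a2f"],
  "permissions": [{
    "actions": [
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Network/networkInterfaces/diagnosticIdentity/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
      "Microsoft.Compute/virtualMachines/read",
      "Microsoft.Compute/virtualMachines/instanceView/read",
      "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read"],
    "notActions": [], "dataActions": [], "notDataActions": []}]}}
""")

SCOPE_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})(/resourceGroups/[^/]+)?$", re.I)

def audit_role(role, subscription_id):
    """Return least-privilege findings for a custom role definition (dict)."""
    props = role["properties"]
    findings = []
    for scope in props.get("assignableScopes", []):
        m = SCOPE_RE.match(scope)
        if not m:
            findings.append(f"scope is not a subscription or resource group: {scope}")
        elif m.group(1).lower() != subscription_id.lower():
            findings.append(f"scope is outside subscription {subscription_id}: {scope}")
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif not action.lower().endswith("/read"):
                findings.append(f"non-read action: {action}")
        for action in perm.get("dataActions", []):
            findings.append(f"data-plane action: {action}")
    return findings

if __name__ == "__main__":
    # Constructed subscription ID standing in for the reader's own.
    mine = "00000000-0000-0000-0000-000000000000"
    for finding in audit_role(PAGE_ROLE, mine):
        print(finding)
```

Run against the JSON exactly as shown on the page, the only finding is the assignable scope, which names the subscription ID printed here rather than the constructed one passed in.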