create custom role assignment

• IT Administration Forum
• PowerShell Forum
• Community Forum
• PowerShell Group
• Earning as 4sysops member
• Member Ranks
• Member Leaderboard – This Month
• Member Leaderboard – This Year
• Member Leaderboard – All-time
• Author Leaderboard – 30 Days
• Author Leaderboard – 365 Days
• Cloud Computing
• Write for 4sysops

Create a custom role with Azure role-based access control (Azure RBAC) using PowerShell

4sysops - The online community for SysAdmins and DevOps

Create custom role definition

Assign a custom role to a user.

• Recent Posts

• Create a custom role with Azure role-based access control (Azure RBAC) using PowerShell - Wed, Jan 20 2021
• Step by step Deploying Docker Container to Azure using Azure CLI - Wed, Sep 2 2020
• Install Docker offline on Windows Server 2016 - Thu, Dec 6 2018

Even though Azure offers many built-in roles, it's sometimes necessary to create custom roles with a specific permission to meet a requirement. For example, you may need to remove the "Restart" and "Shutdown" Virtual Machine permissions for a user or an intern so that they don't accidently shut down a production VM. This is exactly the use case where you need custom roles. We will cover this example below and learn to create a custom role and assign it to a user using Azure PowerShell.

First things first. Log in to your Azure account using the command below from a PowerShell Console, assuming that you already have the Azure PowerShell module installed on your system. It will prompt you to provide the email address and password associated with your Azure account. Once submitted, it will sign in your account from PowerShell console.

If you have multiple Azure subscriptions, select the subscription where you want to work using the following commands:

Before you can proceed with creating a custom role, let's first quickly understand how to retrieve actions that can be allowed or restricted on a role. You can use the following cmdlet to list all the operations that are applicable on an Azure resource, such as "Virtual Machine," and select the actions that you want to control in a role, such as "Power off / restart Virtual Machine." These are highlighted in the following image.

List allowed operations on an Azure resource.jpg

Once you have the names of the operations, such as "Microsoft.Compute/virtualMachines/powerOff/action" and "Microsoft.Compute/virtualMachines/restart/action," then you can use the following JSON template to create a JSON file and mention the operation names under the "Actions" and "NotActions" properties. The "NotActions" property restricts the operation on a role, which is our use case. Be sure to change the value of the "AssignableScopes" property with the Subscription ID of your Azure subscription.

After updating your file, save it as "role.json" and use the following cmdlet to create the Custom Role with the definition defined in the JSON file:

Create new Azure custom role definition.jpg

Once the custom role definition is created, it can be verified using the following command:

Check Azure custom role definition.jpg

Now that you have created the Azure custom role definition, you can assign it to a user using the command below. Here you have to mention the sign-in name of the user, name of the role definition, and the resource group where you want to apply this custom role.

Assigning an Azure custom role definition to a user.jpg

After running the command, if you log in to Azure using the above-mentioned Azure account, go to the resource group, and attempt to restart or shut down the virtual machine, you will see an error message in the top right corner, as shown in the following image. This shows that the user is unauthorized to perform these actions on the Azure Virtual Machine, because you didn't allow these actions in your custom role definition.

Subscribe to 4sysops newsletter!

Azure custom roles provide more fine-grained control to customize roles and actions users can perform, compared to the Azure built-in roles. On top of that, Azure PowerShell makes it very simple to automate creating custom roles and keeping your role definitions as JSON files, which can also be treated as Infrastructure-as-Code to track changes in permissions and Azure roles. Once a custom role is created, with just a few Azure PowerShell commands, you can assign the role to users and enforce the custom permissions with ease and simplicity.

IT Administration News

• Windows 11 23H2 update KB5041585 fails to install, causes performance, Taskbar, search & other issues for many users – WinCentral
• Secret scanning for non-code GitHub surfaces is now generally available – GitHub Changelog
• Microsoft: Enable MFA or lose access to admin portals in October
• August 2024 Patch Tuesday – 90 vulnerabilities, 9 zero day
• Single-command Windows 11 system requirements bypass trick for unsupported PCs blocked – Neowin

Read All IT Administration News

Join our IT community and read articles without ads!

Do you want to write for 4sysops? We are looking for new authors.

Microsoft Entra PowerShell module, successor to the Azure AD PowerShell module

Install AWS CloudShell in a VPC

Search and delete Copilot data in Microsoft 365

Enable FIDO passkey authentication for IAM users in AWS

Setting up EC2 instance access to an S3 bucket using IAM and OpenTofu

Use PowerShell to deploy and access GPT-4o in Azure OpenAI Service

Microsoft Purview Audit Search Graph API: Retrieve audit logs from Microsoft 365 with PowerShell

Configuring external authentication methods in Microsoft 365 with Microsoft Entra ID

Integrate Microsoft Graph activity logs for Microsoft 365 with Azure Monitor

The new Microsoft 365 multitenant organization feature

Create an S3 bucket in AWS with OpenTofu

Disable Basic Authentication for SMTP AUTH in Exchange Online

Deregister an AMI and delete attached EBS snapshots in AWS with a script

Alternatives to RBAC application impersonation in Exchange Online

How to enable Azure App Service Automatic Scaling

Combining password policies for Active Directory and Entra ID (Azure AD)

OpenTofu example (Terraform fork): Create an EC2 instance in AWS

An Azure Storage Actions example

Assign an IPv6 address to an EC2 instance and configure components with a bash script

Assign (associate) an Elastic IP address to an EC2 instance with a bash script

Leave a reply click here to cancel the reply.

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Receive new post notifications

Subscribe to Newsletter

Follow 4sysops.

Please ask IT administration questions in the forums . Any other messages are welcome.

Log in with your credentials

or      Create an account

Forgot your details?

Create account.

Manage Azure Role Assignments Like a Pro with PowerShell

Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple commandlets to get or set role assignmnets in your Azure Subscriptions.

PowerShell examples for managing Azure Role assignments

List all role assignments in a subscription, get all role assignments for a specific resource group, get all role assignments for a specific user, add a role assignment to a user, remove a role assignment for a user, remove all role assignments for a specific user, list all built-in roles, list all custom roles, create a custom role, update a custom role, delete a custom role, list all users or groups assigned to a specific role, list all permissions granted by a specific role, list all resource groups that a user has access to, create a role assignment for a service principal, powershell script to manage azure role assignments.

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic

Recent Update

• Writing your first Azure Terraform Configuration
• Transition from ARM Templates to Terraform with AI
• Getting started with Terraform for Azure
• Terraform Configuration Essentials: File Types, State Management, and Provider Selection
• Dynamically Managing Azure NSG Rules with PowerShell

Trending Tags

Retrieve azure resource group cost with powershell api.

The Future Of Azure Governance: Trends and Predictions

Further Reading

In my previous blog posts, I wrote about how simple PowerShell scripts can help speed up daily tasks for Azure administrators, and how you can convert them to your own API. One of these tasks is...

Azure Cost Optimization: 30 Ways to Save Money and Increase Efficiency

As organizations continue to migrate their applications and workloads to the cloud, managing and controlling cloud costs has become an increasingly critical issue. While Azure provides a robust s...

Custom PowerShell API for Azure Naming Policy

To continue our PowerShell API series, we have another example of a highly useful API that you can integrate into your environment. Choosing names for Azure resources can be a challenging task. ...

Create Custom Roles for Azure DevOps in Azure

By default, the Azure DevOps service principal that is used to run a CI/CD pipeline with Azure resources gets the Contributor role assigned. This role can create new services but sometimes the Azure pipeline has to execute a task that is outside of the scope of the Contributor role, for example, adding RBAC assignments or deleting locks.

In this post, I will show you how to create a custom role in Azure and how to assign it to the Azure DevOps service principal.

This post is part of “Microservice Series - From Zero to Hero” .

Create a new Azure Custom Role

In my next post , I want my Azure DevOps pipeline to be able to update my DNS records. Since the DNS zone is a very sensitive resource, I have added a lock so it can not be deleted. This lock also prevents the Azure DevOps pipeline from deleting DNS records. Additionally, the Contributor role of the pipeline service principal is not allowed to create new locks either. Since there is no built-in role for creating and deleting locks, I have to create my own.

To create a new role go to your subscription in the Azure portal, select the Access control (IAM) pane and then click Add under Create a custom role.

Add a custom role

In the Create a custom role window, provide a name and a description for your new role and then click on Permissions.

Provide a name and description for the new custom role

In the Permissions tab, click the Add permissions button and search for locks on the flyout. Select the Write and Delete permission from the Microsoft.Authorization/locks permission.

Configure the permissions

Go to the Review + create tab and click Create to create the new custom role.

Assign the Custom Role to the Azure DevOps Service Principal

After the new role is created, click on + Add and select Add role assignments on the Access control (IAM) pane of your subscription.

Add a new role assignment

This opens a flyout where you can search for the previously created custom role and also for the service principal of your Azure DevOps pipeline. If you do not know the service principal, go to your Azure Active Directory and select Enterprise applications. You should see Azure DevOps there.

Add the custom role to the service principal

After the role was assigned, go to the Role assignments tab of the Access control (IAM) pane and you should see the previously created role assignment there.

The role was assigned

Azure comes with a grave variety of pre-defined roles for your services and users. Though sometimes, you need special permissions that are not built-in. This is where custom roles come into play. You can create a role with all the permissions you need and assign this role to a user, group, or service principal. This post showed how to assign the new role to a service principal that is used by Azure DevOps and in my next post , I will show you how to use this service principal to update DNS records in a CI/CD pipeline.

Further Reading

Microservice series - from zero to hero.

I am working as a consultant and software architect on different projects that focus on microservices, DevOps, and Kubernetes. Many of my consulting jobs consist of explaining microservices, why th...

Deploy a Docker Container to Azure Functions using an Azure DevOps YAML Pipeline

In my last post, I created a YAML pipeline to build and deploy an Azure Function to Azure. Today, I will build the same Azure Function inside a Docker container and deploy the container to Azure. ...

Use Infrastructure as Code to deploy your Infrastructure with Azure DevOps

Back in the day developers had to go through a lengthy process to get new hardware deployed. Often it took several weeks and then there was still something missing or the wrong version of the neede...

Deploy KEDA and an Autoscaler using Azure DevOps Pipelines

Update DNS Records in an Azure DevOps Pipeline

Comments powered by Disqus .

• Skip to main content
• Skip to secondary menu
• Skip to primary sidebar
• Skip to footer

Elan Shudnow's Blog

Azure Management Groups and Custom RBAC Roles

November 10, 2019 by Elan Shudnow 2 Comments

Update (10/14/2021) – Custom RBAC Roles in Azure Management Groups is in Public Preview. Link here . It is advised to follow official guidance and use the below as expirimental only.

Azure Management Groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Azure Management Groups provide a level of scope above subscriptions. You organize subscriptions into containers called “Management Groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the Management Group. 

Role Based Access Control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC is an authorization system that provides fine-grained access management of Azure resources. A list of built-in RBAC roles are available here .

When built-in RBAC roles do not meet your needs, custom RBAC roles can be created which allows you to define what permissions a user has. These permissions can be an allow or an explicit deny.

When creating Management Groups, I have seen organizations struggle with applying Custom RBAC permissions to a Management Group and how it applies to the subscriptions within that Management Group.

Let’s take a look at creating a Management Group, creating a Custom RBAC role, assigning the Custom RBAC role to a Management Group, and how it applies to Azure Subscription(s) within that Management Group.

This article assumes you already have knowledge around the design of Management Groups and Custom RBAC roles. If you need more information on Management Group design, click here . If you need more information on Custom RBAC roles, click here . Sam Cogan also has a very good article on Custom RBAC Roles which you can view here .

Management Group Creation

In order to create our Management Group, go to All Services > search for management groups > click Management Groups.

The Tenant Root Group is the default Management Group that exists with all subscriptions assigned to the Tenant Root Group. Our goal is to create a new Management Group and move the Subscription we are targeting under the new Management Group. In our case, the subscription we are targeting is the Microsoft Partner Network subscription.

Create a new Management Group. We will call our new Management Group “ITDev” which means that any subscriptions that we have decided in design that we have a governance requirement that we require certain Azure Policy and certain RBAC controls to flow down from the ITDev Management Group to all subscriptions that will be within the ITDev Management Group without having to assign these policies and RBAC controls to every subscription manually.

To create the new Management Group, click “Add management group.”

Give the new Management Group an ID and a Display Name. We will use ITDev for both. Click Save.

We now see the ITDev Management Group.

Let’s move our Subscription to fall under the ITDev Management Group. In the Subscription, click the … and choose Move.

Choose the ITDev Management Group and click Save.

We no longer see our subscription under the Tenant Root Group.

However, if we go into the ITDev Management Group, we see our subscription there.

Custom RBAC Role Creation

Let’s use the Custom role example that I linked to earlier in the article. Again, that link is available here . The only thing I’m changing is the name by adding the word Custom to it.

The Custom role example is as follows:

As you can see in Assignable Scopes, you can define the subscriptions you want this Custom RBAC role to be available in. In order for this to work with Management Groups, you must change the AssignableScopes to a Management Group. Because we created the ITDev Management Group with an ID of ITDev, our assignable scope would be:

Therefore, our Custom RBAC role would become:

Go ahead and save this Custom RBAC role as a .json file. We saved our file as customrbacrole.json.

Login to Azure PowerShell using instructions provided here using Connect-AzAccount. Ensure you are connected to the correct subscription using instructions provided here using Set-AzContext.

Create the new Custom RBAC Role using New-AzRoleDefinition pointing to the JSON file we saved.

Testing Custom RBAC Role

We have a user “John Doe” that has no Directory Roles assigned.

The “John Doe” user is also not assigned to any Azure roles.

When this user signs into the Azure Portal, we can see John Doe does not have access to our Subscription nor any resources within the Subscription.

Let’s go back to the Azure Portal with our Administrator account and grant this user access at the Management Group to our custom RBAC role, “Custom Virtual Machine Operator.”

In Management Groups, go to ITDev and click details.

Click Access Control (IAM), click Add, and select Add role assignment.

Select the Custom Role we created, search for John Doe and add him and ensure John Doe becomes a selected member. Click Save.

If we go back to our Azure Subscription and go to Access Control (IAM), let’s again do a Check access.

We can now see the John Doe user is in the Custom Virtual Machine Operator RBAC Custom Role that is being inherited at the Management group scope since we added this Custom RBAC Role permission to John Doe at the Management Group hierarchy level.

Now let’s try signing in again to the Azure Portal as John Doe. This may take a few minutes for the permission to propagate. Once the permission propogates, you will see John Doe now has access to the Azure Subscription as well as resources he has been granted access to.

Let me know if you have any questions in the comments below.

Share this:

Reader interactions.

December 17, 2019 at 5:09 pm

How do you update your custom role when its assignable scope is only a management group? I cannot seem to figure out how to modify this via PowerShell as get-azroledefinition is associated to the context (aka subscription) your PowerShell is running as, not the management group that has the role definition.

December 17, 2019 at 8:54 pm

To modify: 1. $role = Get-AzRoleDefinition -Name “Custom Virtual Machine Operator” 2. $role.Actions.Add(“Microsoft.Insights/diagnosticSettings/*/read”) 3. Set-AzRoleDefinition -Role $role (Get-AzRoleDefinition -Name “Custom Virtual Machine Operator”).Actions

To delete: Need to add subscriptionID as an assignable scope. Then delete. 1. $role = Get-AzRoleDefinition -Name “Custom Virtual Machine Operator” 2. $role.AssignableScopes.Add(“/subscriptions/{SubscriptionID}”) 3. Get-AzRoleDefinition -Name “Custom Virtual Machine Operator” | Remove-AzRoleDefinition

Hope that helps.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Microsoft Cloud Solution Architect focused on Azure IaaS, PaaS, DevOps, Ansible, Terraform, ARM and PowerShell.

Previously a 6x Microsoft MVP in Exchange Server and Lync Server.

My hobbies include watching sports (Baseball, Football and Hockey) as well as Aviation.

• GRS Storage and BCDR Considerations
• Pre-creating Azure AD App for Azure Migrate
• Azure Runbooks Connecting to Exchange Online and Microsoft Graph
• Using Python 3.8.0 Azure Runbooks with Python Packages
• Preserving UNC Path after Azure Files Migration using DFS-N

Create Custom Roles RBAC in Intune

Hello everyone, I’m back with another exciting topic for today. Let’s learn how to Create Custom Roles (Role Base Access Control) in Intune. In this post, we’ll explore the RBAC roles available in Intune and the steps to create custom roles in Microsoft Intune.

A couple of weeks back, I met a friend whose organization (which is relatively small) is evaluating Intune for their device management. We were conversing on it, and he asked me how granular controls Intune can provide for any organization. Then I realized we should have a post on custom roles that can be referenced to create in your organizations.

Intune has some built-in roles and allows organizations to create custom roles per the requirements. The built-in roles cannot be edited, but we can assign them to the admins to perform their admin tasks. With custom roles, Intune provides granular controls , and we can create a role per our requirements.

You may ask why we need role-based access control in Intune, and the answer is simple: we cannot provide an Intune Service Admin role to everyone. A helpdesk person doesn’t need edit access to compliance policies or configuration profiles. They require just read access to view the policies or devices enrolled in Intune. If we provide full access to a helpdesk, there is a high chance of editing policies without their knowledge.

• Intune Application Deployment using MSI EXE IntuneWin Formats
• Protect Corporate Data using Data Loss Protection Policies with the Microsoft Purview Portal

Built-in Roles in Intune

Before jumping into creating, let’s discuss the Built-in roles that Intune provides by default. Intune provides 10 built-in roles. We can assign the roles to a group of users, but we cannot edit the names, permissions, or descriptions of these roles. Let’s see below the built-in roles available in Intune in the table.

You can check the custom roles available in Intune by logging in to Microsoft Intune admin centre > Tenant administration >> Roles . This will list all the built-in roles available in Intune. You can refer to the screenshot below.

The above mentioned Built-In roles are available for all tenants. Microsoft keeps updating and adding new roles. We can utilize these roles and restrict access to Intune as per the roles in your organization.

If you want a role where an admin can perform application management as well as policies and profiles, we can create a custom role and assign it to the custom role-based access control of the group.

Create Custom Roles in Intune

I hope you understand built-in roles and where they are being used. Now, let’s discuss custom roles in Intune. As mentioned above, the name suggests we can have a custom role per organizational requirements.

Before creating any role, please have a discussion with your security team or your operational team and define an RBAC model. Let’s see how we can make a custom role.

• Sign in to the  Microsoft Intune admin centre .
• Select  Tenant Administration  >  Roles .
• Click on Create >> Intune Role .

Provide the name and description for the custom role on the Basics page. In this example, I’m creating a custom role with L2-level access. After providing the Name and Description , click Next to proceed to the Permissions page.

The Permissions page is where we define the permissions for the role. All permissions are segregated into various categories. Under the categories, we have options to create, delete, read, update and Assign based on the permission category.

For our testing, I will edit permission for a few categories, like Device Configurations and Device Compliance. Under the Device configuration category, I’m providing permission to Create, Assign and Read the policies. So any admin with this role cannot delete or update the device configuration policies.

Under the Device Compliance policy permission category, I’m enabling Read, Update and Delete compliance policies. Also, I’m enabling a few other Read Only permissions under the Managed Apps and Mobile Apps categories.

At an L2 level, admins will have read-only access to most of the categories in Intune. So, for our testing, I have chosen a few categories. You can configure the categories as per your organizational requirements. Now click on Next and navigate to the Scope tags page.

Assign the Scope tags if you have any. Click Next to review your configured permissions and create the Custom Role. Once the custom role is created, you can view the custom role created under the roles section, and you can click on it and assign the roles to user groups.

If you observe the Roles page for the built-in roles under the type column, they are mentioned as built-in roles, but for the custom role, you can view the Custom Intune Role. Intune provides this to differentiate between custom and built-in roles.

Assign Custom Role to User Groups

We have successfully created the custom roles. Now, we need to assign the roles to user groups. Let’s see how we can assign the custom role to the user group. To assign the custom role, follow the steps below.

• Select  Tenant Administration  >  Roles . Select Custom Role for assignments.

Assigning custom roles to the admins is a bit different than regular assignments of apps or policies. Now click on Assignments. We need to create various types of assignments with scoping. Provide name and description for the assignment

Click Next to Admin Groups page. Now click on Add Groups. Search for groups, we have created an L2 Admin_testing group, adding the group under the admin groups. Users under this group will have access to Intune. Now click on Next to the Scope Groups page.

Under Scope groups, we need to add scope groups or all devices or all users. If you add a few groups, the admin group users will have access to this specific group of users or devices. If you want to control the access to specific departments, we can define the departments under the scope groups, else you can assign it to all users or devices.

I’m choosing all users for testing. Now click Next to the Scope tags page. Scope tags determine which objects admins can see. When you add scope tags, the admins who are in scope for this custom role can view/edit policies and profiles(based on the custom role) which has the same scope tags.

Let’s say, in our example, we can view compliance and configuration policies. If I add a scope tag to the custom role, I can view all the configuration or compliance policies that have the same scope tag tagged. Otherwise, I cannot view them even if I have read or edited access to compliance policies or configuration policies.

I do not have any scope tags, so proceed to the next screen to the Review + Create page, review all the settings, and if you need to make any changes, you can edit them before creating. Once you finalised the settings, Now click on Create.

This will create the L2 custom role. You can observe the assignment we created. Similarly, we can have multiple assignments for a single Intune custom role. This way, Intune provides organizations with very granular control over access.

So far, we have seen the step-by-step process to create a custom role and how to create a Assignment and assign it to specific user groups. Now let’s see how our assignment takes place when an admin with an L2 custom role is in the User Experience section.

User Experience

Now let’s see how it looks when an admin who is part of the custom role logs into the Intune console. I have a test account to which I have provided the above created custom role, signing to Intune using the test account credentials

Once I logged in, I clicked on compliance policies and selected create a new compliance policy, I was able to proceed till the end of the creation page, but when I clicked on create compliance policy, I got the above attached error stating I couldn’t create a compliance policy “ You don’t have enough permissions to update this configuration to one or more of your selected groups, contact your administrator” .

The error message is due to the fact that I didn’t give permission to create a compliance policy for the HTMD Custom role_L2 . Similarly, I can create a configuration policy as I have provided access to create it. This way, we can provide required admin access to Intune instead of full Intune access. Similarly, I can view the apps but not add any apps to Intune.

Intune is definitely great in providing organizations with the advantage of flexibility with custom roles. By creating custom roles that are tailored to their specific needs, admins can ensure that their organization’s data and devices are secure while also empowering their team members with the necessary permissions to perform their tasks efficiently.

This step-by-step guide and the best practices outlined above can help administrators design custom roles that balance granting sufficient permissions and maintaining tight security controls. Regularly reviewing and refining custom roles will contribute to more secure and efficiently managed endpoint solutions.

We are on WhatsApp . To get the latest step-by-step guides and news updates, Join our Channel.  Click here  – HTMD WhatsApp .

About Author  –  Narendra Kumar Malepati  (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on  Android, iOS, and MacOS .

Leave a Comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Introduction

The Human Capital Management Integration Specialist job role is often granted to users who are responsible for bulk-loading data into the Oracle HCM Cloud. However, this role grants access to additional tools, including HCM Extracts and all REST APIs, so it's recommended that you instead create custom roles and grant just the HCM Data Loader (HDL) functionality required.

• Integration specialist users who are responsible for defining data files, initiating bulk-loads, and monitoring existing integrations. This user type needs access to the HCM Data Loader tasks within the application.

Used by inbound integrations to upload files and initiate HCM Data Loader. These users shouldn't have access to the application or to monitor uploads other than the ones they've initiated. This tutorial explains how to grant access to the HCM Data Loader REST API for this purpose.

Business Object Access

When enabled, you can configure the individual business objects and product areas a role can bulk-load data with.

• Run HCM Data Loader to upload HCM Extracts generated files.
• Run Data Loader Process to upload files generated by transformation formulae.

To configure the HCM Extracts flow refer to the tutorial Initiate HCM Data Loader for HCM Extract Generated Files .

File Encryption

For HDL to decrypt your files you must encrypt them with the public fusion-key PGP key for the environment you're loading your file to.

The final task in this tutorial takes you through the steps to generate the fusion-key PGP certificate and extract the public key, which you'll use to encrypt your files.

In this tutorial, you will:

• Understand how to enable the HCM Data Loader security related features.
• Configure custom roles to grant access to HCM Data Loader .
• Configure business object access for your custom roles.
• Generate the fusion-key certificate and extract the public key.

Prerequisites

To complete the steps in this tutorial, you'll need:

• Access to the Security Console to create custom roles and extract the file encryption key.

Task 1: Enable Security Related Functionality

To enable these security features you'll need to log into the application with a user that has Configure HCM Data Loader task access (see Prerequisites for how to grant this.)

Enable Configuration of Role-Based Business Object Access

• Navigate to My Enterprise > Setup and Maintenance .
• Select the HCM Data Loader functional area.
• Click the Configure HCM Data Loader task.

• Search for the Enable Configuration of Role-Based Business Object Access parameter.

• Set the Override to Yes .
• Click Save .

Additionally, you'll need to provide access to the HCM Data Loader Business Object Access task to configure the business objects your roles can use HCM Data Loader with (see Prerequisites for how to grant this).

Restrict Access to Security Related Business Objects

• Access the Configure HCM Data Loader task as described above.
• Search for the Restrict Access to Security Related Business Objects parameter.

Task 2: Grant HCM Data Loader Access

In this step you'll create custom roles for accessing HCM Data Loader functionality.

Integration Specialist Access

• The View Business Objects task to review business object details and generate METADATA files.
• The Import and Load Data task to submit files for import and load and monitor status of all data sets.
• The Recent File Loads task to review recent data set status on any device.
• The Delete Stage Table Data task to maintain stage tables.
• The ability to import and export files for HCM Data Loader on the Oracle WebCenter Content server.
• Log into the application with Security Console access.
• Navigate to Tools > Security Console .
• Click Create Role .
• Specify a Role Name and provide a unique role code.
• Specify a Role Category of HCM - Job Role .
• Click Next to navigate to the Role Hierarchy page. Add these hierarchies:

• Save your changes.

You can now configure the business objects this role can load data with.

REST Access

Task 3: Configure Business Object Access

• Log into the application with a user who has access to the HCM Data Loader Business Object Access task (see Prerequisites for how to grant this).
• Click HCM Data Loader Business Object Access .
• In the Job and Abstract Roles table, search for and select your custom role.
• Click the Assign dropdown.

• Select one of the following options:
• Assign Individual Business Objects
• Assign All Business Objects in a Product Area
• Assign All Unrestricted Business Objects
• Assign All Business Objects, Including Security-Related Objects
• Search and select the business objects in the Search and Select Business Objects dialog box.
• Click Add to add the selected business objects to the role. An entry appears in the Assigned Business Objects section for each of the selected business objects.
• Select the product area in the Select Product Area dialog box.
• Click Add . A single entry appears for the product area in the Assigned Business Objects section.
• A warning message appears to indicate that users with this role can bulk-load data with any business object that doesn't load security-related data.
• Click Add to close the warning and continue. A single entry appears for all unrestricted business objects in the Assigned Business Objects section.
• A warning message appears to indicate that users with this role will be able to use the security-related objects only if they have the Load HCM Security Data function security privilege.
• Click Add to close the warning and continue. A single entry appears for all business objects in the Assigned Business Objects section.

Task 4: Create Common HCM Data Loader Custom Roles

• An Integration Specialist administrator role capable of loading data for any object and monitoring all data sets.
• An Integration Specialist role with restricted business object access.
• An external integration role restricted to loading payroll backfeed data with visibility of only the data sets they've submitted.

Integration Specialist - Unrestricted

• Use the Security Console to create a custom HCM Data Loader - Unrestricted role.
• Grant these role hierarchies:
• Save the custom role.
• Navigate to the HCM Data Loader Business Object Access task in Setup and Maintenance .
• Search for and select the HCM Data Loader - Unrestricted role.
• Click the Assign dropdown and select Assign All Business Objects, Including Security-Related Objects .
• Click Add to close the warning message.
• Save your changes. You can now assign this role to users who should be able to bulk-load data with any HCM Data Loader business object.

Integration Specialist - Restricted

• Use the Security Console to create a custom HCM Data Loader - {objects} role, replacing {objects} with a description of the business objects the role will have access to use, such as HCM Data Loader - Work Structures, or HCM Data Loader - Recruiting
• Search for and select your custom role.
• Use the Assign dropdown on the Assigned Business Objects table toolbar to assign access to the HCM Data Loader business objects and product areas users with this role should be able to use.
• Save your changes. You can now assign this role to users who should be able to bulk-load data with the HCM Data Loader business objects configured.

External User - Integration Specific

• Use the Security Console to create a custom External Payroll Backfeed role.
• Click Assign dropdown on the Assigned Business Objects table toolbar.
• Document Record
• Payroll Interface Inbound Record
• Third Party Payroll Interface Error
• Save your changes. You can now assign this role to the user account provided to your third-party payroll provider to upload payroll backfeed data.

Task 5: Generate a PGP Key Pair for Encrypting HDL Files

You're recommended to encrypt all files before loading them to the Oracle WebCenter Content server. Any user with access to the HCM Data Loader import account can download and read any file on that account, regardless of who created it.

HCM Data Loader decrypts files using the private fusion-key PGP key, so you need to generate this on your Oracle Cloud environment before loading encrypted files. You encrypt your files with the fusion-key public key.

• Sign into Oracle HCM Cloud with the IT Security Manager job role or privileges.
• Click the Certificates tab.
• Review the certificates that already exist. If the fusion-key certificate already exists, you can skip to the Extract the Public Key section. Otherwise, follow the steps to generate the fusion-key certificate.

Generate the fusion-key Certificate

• Click Generate to open the Generate dialog.

• Select a Certificate Type of PGP and specify these values:

• Click Save and Close . A confirmation message will appear, close it.

Extract the Public Key

• Click the Action choice menu button for the fusion-key record.
• Click Export > Public Key .

The fusion-key_pub.asc file will be downloaded. Save it to your desktop.

Related Links

• How You Enable Access to HCM Data Loader
• How You Configure HCM Data Loader Business Object Access
• Set up Encryption for File Transfer
• Tutorial: Using the HCM Data Loader REST API

Acknowledgements

• Authors - Ema Johnson (Senior Principal Product Manager)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel . Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center .

Configure Access to HCM Data Loader

August 2024

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Create and assign a custom role in Microsoft Entra ID

• 3 contributors

This article describes how to create new custom roles in Microsoft Entra ID. For the basics of custom roles, see the custom roles overview . The role can be assigned either at the directory-level scope or an app registration resource scope only.

Custom roles can be created in the Roles and administrators page of the Microsoft Entra admin center.

Prerequisites

• Microsoft Entra ID P1 or P2 license
• Privileged Role Administrator
• Microsoft.Graph module when using PowerShell
• Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer .

Create a role in the Microsoft Entra admin center

Create a new custom role to grant access to manage app registrations.

Steps in this article might vary slightly based on the portal you start from.

Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator .

Browse to Identity > Roles & admins > Roles & admins .

Select New custom role .

On the Basics tab, provide a name and description for the role.

You can clone the baseline permissions from a custom role but you can't clone a built-in role.

On the Permissions tab, select the permissions necessary to manage basic properties and credential properties of app registrations. For a detailed description of each permission, see Application registration subtypes and permissions in Microsoft Entra ID .

First, enter "credentials" in the search bar and select the microsoft.directory/applications/credentials/update permission.

Next, enter "basic" in the search bar, select the microsoft.directory/applications/basic/update permission, and then click Next .

On the Review + create tab, review the permissions and select Create .

Your custom role will show up in the list of available roles to assign.

Create a role using PowerShell

Use the Connect-MgGraph command to sign in to your tenant.

Create the custom role

Create a new role using the following PowerShell script:

Assign the custom role using PowerShell

Assign the role using the below PowerShell script:

Create a role with the Microsoft Graph API

Follow these steps:

Use the Create unifiedRoleDefinition API to create a custom role.

The "templateId": "GUID" is an optional parameter that's sent in the body depending on the requirement. If you have a requirement to create multiple different custom roles with common parameters, it's best to create a template and define a templateId value. You can generate a templateId value beforehand by using the PowerShell cmdlet (New-Guid).Guid .

Use the Create unifiedRoleAssignment API to assign the custom role.

Assign a custom role scoped to a resource

Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access permissions over all app registrations in your organization. Additionally, custom roles and some relevant built-in roles (depending on the type of Microsoft Entra resource) can also be assigned at the scope of a single Microsoft Entra resource. This allows you to give the user the permission to update credentials and basic properties of a single app without having to create a second custom role.

Sign in to the Microsoft Entra admin center as at least a Application Developer .

Browse to Identity > Applications > App registrations .

Select the app registration to which you are granting access to manage. You might have to select All applications to see the complete list of app registrations in your Microsoft Entra organization.

In the app registration, select Roles and administrators . If you haven't already created one, instructions are in the preceding procedure .

Select the role to open the Assignments page.

Select Add assignment to add a user. The user will be granted any permissions over only the selected app registration.

Related content

• Microsoft Entra administrative roles forum
• Microsoft Entra built-in roles
• Comparison of default guest and member user permissions

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

How to create an Azure custom role that allows registering applications and service principals

I would like to create a least permission custom role in Azure to assign to a service principal that only allows the service principal to register Azure AD applications and service principals.

The "Contributor" standard role has all the needed rights but also a great many that are not needed, and I can't find anything in the list of available operations that seems to correspond to application registrations which could be used to produce a custom role.

It turns out the question is misguided - I had thought the assignment of Microsoft.Azure.ActiveDirectory permissions to the service principal was insufficient to create and edit app registrations. But it turns out I was just running up against a 5-10 minute lag between permissions being set in the Azure portal and the permissions taking effect. Granting the contributor role to the service principal just happened to take enough time for the original permissions to take effect.

• azure-active-directory

• Be careful not to confuse Azure RBAC roles , Azure AD application permissions , and Azure AD directory roles . These are different things, which give permissions in different systems. –  Philippe Signoret Commented Nov 6, 2018 at 10:04

2 Answers 2

AFAIK, you would not need to create a custom role in Azure to allow registering Azure AD Applications and Service Principals.

Who can register an application through Azure AD is controlled by user's membership in Azure Active Directory itself and their "Directory Role" in that Azure AD for some operations but not the usual RBAC built-in or custom roles which you are looking at (as you mention the list of ARM Resource Provider operations in your question)

Please refer to this Microsoft Documentation: Who has permission to add applications to my Azure AD instance?

UPDATE: Answering query from comments after Simon's edit to original question.

How to provide application registration privileges to a service principal?

Again, you will not use RBAC roles or create custom roles as you mention in your question but instead provide specific " application permissions " to the relevant Service Principal in Azure AD. I'll give steps below.

• Go to your Azure AD, "Registered applications"
• Find your service principal (may need to look at all applications instead of just my)
• Add required permissions as shown below:

Once you've selected the right permissions and done. Please click on "Grant Permissions" because these permissions need Admin consent.

• Sorry, I omitted that the role is for assignment to a service principal. Will look into your suggestions –  Simon Hardman Commented Nov 6, 2018 at 2:41
• @SimonHardman, no worries, the concepts stay similar, I had answered something very similar to your query in this SO post a little earlier.. stackoverflow.com/questions/53009509/… . I'll edit my answer to include that information. You can try it out. –  Rohit Saigal Commented Nov 6, 2018 at 2:44
• @SimonHardman I've updated my answer and done a brief test at my end as well.. I created an app using the service principal (logged in as the service principal) and app registration worked fine. Do notice the application permissions I'm using, they are just a little different than the other similar post I mentioned above –  Rohit Saigal Commented Nov 6, 2018 at 3:53

Use a custom AAD role as described here .

This is preferable to granting the built-in " Application Developer " role because it's too permissive and has the 250 App limit..

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged azure azure-active-directory or ask your own question .

• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites
• Feedback requested: How do you use tag hover descriptions for curating and do...

Hot Network Questions

• Generating Carmichaeal numbers in polynomial time
• Are epochs the same as data duplication?
• Is a Taproot output with unparseable x-only pubkey unspendable?
• How common is it for external contractors to manage internal teams, and how can we navigate this situation?
• Trying to identify manufacturer logo .. circle with circle inside
• Is the Garmin Edge 530 still a good choice for a beginner in 2024?
• Can You Build a Propeller or Airfoil for a Higgs Field?
• How Subjective is Entropy Really?
• Move line matching string to top of the file
• putting each character of multiple lines into a register corresponding to its relative position in the line
• For applying to a STEM research position at a U.S. research university, should a resume include a photo?
• Optimal Algorithm to Append and Access Tree Data
• One of my grammar books written by a Japanese teacher/Japanese teachers
• What if something goes wrong during the seven minutes of terror?
• Why do decimal reciprocals pair to 9?
• One number grid, two ways to divide it
• Could a gas giant still be low on the horizon from the equator of a tidally locked moon?
• Does a cube under high pressure transform into a ball?
• Has technology regressed in the Alien universe?
• Problem with enumeration in Texlive 2023
• On the definition on almost sure convergence
• If I purchase a house through an installment sale, can I use it as collateral for a loan?
• Can science inform philosophy?
• How to install a second ground bar on a Square D Homeline subpanel