I am trying to create a custom role and add it to user subscriptions. The problem I am having is the values to put in the AssignableScopes value. It works fine if I use the Default Provider Subscription,

    "AssignableScopes":[
       "/subscriptions/648532af-d660-4e85-9de3-5cc5f018a70c"
    ]

However, I was unable to determine how to also include user subscriptions. However, if I try to use the SubscriptionId of a user subscription, it says it cannot find the subscription. Using Get-AzsUserSubscription I can try to use the Id property,

    "AssignableScopes":[
       "/subscriptions/648532af-d660-4e85-9de3-5cc5f018a70c/providers/Microsoft.Subscriptions.Admin/subscriptions/2a77aee8-5716-4ab0-a2f3-34e72c3f7871"
    ]

but this errors out with

    New-AzureRmRoleDefinition : Scope '/subscriptions/648532af-d660-4e85-9de3-5cc5f018a70c/providers/Microsoft.Subscriptions.Admin/subscriptions/2a77aee8-5716-4ab0-a2f3-34e72c3f7871' should
    begin with '/subscriptions/<subid>/resourceGroups'.
    At line:1 char:1

The role I am trying to add is a custom role for NetBackup. NetBackup requires access to backup VMs in user subscriptions. I do not see this as a NetBackup question.

Veritas NetBackup for Microsoft Azure Stack Administrator's Guide - Add Custom Role

Is it possible as an Azure Stack Administrator to add custom role definitions to user subscriptions? What is the correct syntax for the items in the AssignableScopes array?

Phil Bolduc

1 Answer

I think I discovered the answer, and it makes sense from a security point of view. I have to log in as a user with Owner rights of the target subscription, and then I can add the role to the subscription.

Phil Bolduc
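
The approach described in the answer, as an added example that is not part of the original post: sign in as an Owner of the user subscription, create the role with `AssignableScopes` limited to that one subscription, then confirm the stored scope. Assumptions: the ARM endpoint is a placeholder, the environment name `AzureStackUser`, the role name and the two `Actions` are constructed stand-ins (not the list from the NetBackup guide), and the plain `/subscriptions/<id>` scope form is the one used.

```powershell
# Added example (AzureRM cmdlets), run against the Azure Stack *user* ARM endpoint.
$armEndpoint    = 'https://management.<region>.<fqdn>'      # placeholder, not from the post
$subscriptionId = '2a77aee8-5716-4ab0-a2f3-34e72c3f7871'     # user subscription from the question
$scope          = "/subscriptions/$subscriptionId"

# Sign in as an account that holds Owner on the target user subscription.
Add-AzureRmEnvironment -Name 'AzureStackUser' -ARMEndpoint $armEndpoint | Out-Null
Add-AzureRmAccount -EnvironmentName 'AzureStackUser' | Out-Null
Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null

# Review who holds Owner at this scope before changing RBAC on it.
Get-AzureRmRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
    Select-Object DisplayName, SignInName, Scope

# Role definition assignable in this one subscription only (least privilege).
$definition = @"
{
  "Name": "Example Backup Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Constructed example; replace Actions with the vendor guide's list.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
"@
$file = Join-Path $env:TEMP 'example-backup-role.json'
Set-Content -Path $file -Value $definition

New-AzureRmRoleDefinition -InputFile $file | Out-Null

# Confirm the stored definition is scoped to exactly the intended subscription.
$created = Get-AzureRmRoleDefinition -Name 'Example Backup Operator'
if ($created.AssignableScopes.Count -ne 1 -or $created.AssignableScopes -notcontains $scope) {
    Write-Warning "Unexpected AssignableScopes: $($created.AssignableScopes -join ', ')"
}
$created | Format-List Name, IsCustom, Actions, AssignableScopes
```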