
WebTitan

Add a Custom Role Assignment

Note

This procedure is only needed if your DNS Proxy deployment requires an Azure subscription ID in order to synchronize. The assignableScopes entry in the JSON below must contain the ID of the subscription to which you deployed DNS Proxy; replace the value shown with your own subscription ID (it is displayed on the Subscriptions page in step 3) before you save the role.

Follow the steps below to add a custom role assignment.

  1. Sign in to the Microsoft Azure portal at https://portal.azure.com.

  2. Enter subscriptions in the search box and select Subscriptions to open the Subscriptions page.

  3. Select the subscription to which you deployed DNS Proxy. The Subscription page opens; note its Subscription ID, which you will need in the JSON below.

  4. From the side bar menu, select Access control (IAM). The Access control (IAM) page opens.

  5. Select Add > Add custom role and the Create a custom role page displays.

  6. Select the JSON tab and select Edit.

  7. Copy the following JSON and paste it into the text box, overwriting the existing JSON:

    {
        "properties": {
            "roleName": "AzureADAgent Resource Reader",
            "description": "Read ResourceGroups, Virtual Machine & Network Interface Data",
            "assignableScopes": [
                "/subscriptions/<your-subscription-id>"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Network/networkInterfaces/diagnosticIdentity/read",
                        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
                        "Microsoft.Compute/virtualMachines/read",
                        "Microsoft.Compute/virtualMachines/instanceView/read",
                        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
                        "Microsoft.Resources/subscriptions/resourceGroups/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
  8. Select Save to save the contents of the JSON text box, then select Next.

  9. Select Create. You have now created a custom role named AzureADAgent Resource Reader.

    Note

    It can take a number of minutes for a custom role to propagate throughout the tenant.

  10. Return to the Subscriptions page and from the side bar menu select Access control (IAM). The Access control (IAM) page opens.

  11. Select the Roles tab and enter AzureADAgent Resource Reader in the search bar to confirm that the new role is listed. If it is not, wait for propagation to complete and search again.

  12. Select Add > Add role assignment. The Add role assignment window displays:

    • From the Role menu, select AzureADAgent Resource Reader.

    • From the Assign access to menu, select User, group, or service principal.

    • From the Select menu, select DNSProxy.

  13. Click Save.
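The same role creation and assignment can be scripted with the Azure CLI, which also removes the need to hard-code a subscription ID. The script below is an added example and is not part of the WebTitan documentation or the DNS Proxy product. It assumes two hypothetical environment variables, AZ_SUBSCRIPTION_ID (the target subscription ID) and DNS_PROXY_PRINCIPAL_ID (the object ID of the DNSProxy service principal or managed identity), and that `az` is installed and logged in with rights to create role definitions and assignments. Note that `az role definition create` takes the flat Name/Actions/AssignableScopes form rather than the portal's "properties" wrapper; the actions are the same read-only set as the portal JSON above.

```shell
#!/usr/bin/env bash
# Added example (not from the WebTitan page): create the "AzureADAgent Resource Reader"
# custom role and assign it to the DNS Proxy identity with the Azure CLI, passing the
# subscription ID in as a variable instead of hard-coding it.
# Assumed (hypothetical) inputs: AZ_SUBSCRIPTION_ID, DNS_PROXY_PRINCIPAL_ID.
set -eu

ROLE_NAME="AzureADAgent Resource Reader"

# True if $1 has the GUID shape of an Azure subscription ID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Emit the role definition in the flat format `az role definition create` expects,
# scoped to the subscription given as $1. Refuses anything that is not a GUID so a
# stray "/subscriptions/..." prefix or empty value cannot produce a malformed scope.
role_definition_json() {
  sub="$1"
  if ! is_guid "$sub"; then
    echo "role_definition_json: '$sub' is not a subscription ID (expected a GUID)" >&2
    return 1
  fi
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read ResourceGroups, Virtual Machine & Network Interface Data",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/diagnosticIdentity/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}

# Least-privilege check: print the number of actions in the definition for $1 that do
# not end in "/read". For a reader role this must be 0.
non_read_actions() {
  role_definition_json "$1" | grep -Eo '"Microsoft\.[A-Za-z./]+"' | grep -Evc '/read"$' || true
}

# Create the role, assign it to the DNS Proxy identity at subscription scope, and list
# the resulting assignment so the operator can confirm it took effect.
create_and_assign() {
  sub="$1"
  principal="$2"
  if [ "$(non_read_actions "$sub")" != "0" ]; then
    echo "refusing to create a reader role that contains non-read actions" >&2
    return 1
  fi
  az role definition create --role-definition "$(role_definition_json "$sub")"
  az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" \
    --scope "/subscriptions/$sub"
  az role assignment list --assignee "$principal" --scope "/subscriptions/$sub" \
    --query "[?roleDefinitionName=='$ROLE_NAME'].{role:roleDefinitionName,scope:scope}" \
    -o table
}

# Only talk to Azure when both inputs are supplied; otherwise the functions above can be
# sourced and exercised offline.
if [ -n "${AZ_SUBSCRIPTION_ID:-}" ] && [ -n "${DNS_PROXY_PRINCIPAL_ID:-}" ]; then
  create_and_assign "$AZ_SUBSCRIPTION_ID" "$DNS_PROXY_PRINCIPAL_ID"
fi
```

Run it as `AZ_SUBSCRIPTION_ID=<your-subscription-id> DNS_PROXY_PRINCIPAL_ID=<object-id> ./assign-role.sh`. If the role already exists in the subscription, `az role definition create` fails; use `az role definition update` with the same JSON in that case. Because the role is assignable only within the one subscription and contains nothing but read actions, the DNS Proxy identity cannot use it to modify resources even if that identity is compromised.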