Yes, you can use a custom role instead of the built-in Virtual Machine Contributor role in Azure. Custom roles allow you to tailor permissions more precisely to your organization's needs, which can be beneficial if the built-in roles do not provide the exact level of access you require.
To create a custom role, you can start with an existing built-in role like Virtual Machine Contributor and modify it to include or exclude specific permissions. For example, if you want users to be able to start and stop virtual machines but not manage disks or install software, you can create a custom role that includes actions like `Microsoft.Compute/virtualMachines/start/action` and `Microsoft.Compute/virtualMachines/restart/action`, while excluding other actions that are part of the Virtual Machine Contributor role[1][5].
Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API[5]. Once created, these roles can be assigned to users, groups, or service principals at various scopes such as subscriptions, resource groups, or management groups[5].
Here is an example of how you might create a custom role using Azure PowerShell:
```powershell
# Create a new, empty PSRoleDefinition object
$role = New-Object Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition
# Set role properties
$role.Name = "Custom VM Operator"
$role.Description = "Can start and stop virtual machines."
$role.IsCustom = $true
# Set actions. Assign the list directly: calling .Add() or .Clear() fails
# if the list property on a newly created object is still null.
$role.Actions = @(
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",   # stop (power off)
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/read"
)
# Set assignable scopes (replace the placeholder with your subscription ID)
$role.AssignableScopes = @("/subscriptions/your-subscription-id")
# Create the custom role
New-AzRoleDefinition -Role $role
```
This custom role allows users to start, stop, and read virtual machines but does not include all the permissions of the Virtual Machine Contributor role[1][5].
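Before creating a role, it helps to confirm that its action list grants only what is intended. The following is an added example, not code from the cited documentation: it evaluates `Actions` and `NotActions` offline with wildcard matching and compares an explicit action list with a broader wildcard entry. The function name `Test-RoleAllowsOperation` and both candidate role definitions are assumptions constructed for illustration.

```powershell
# Added example: offline evaluation of Actions/NotActions, no Azure connection needed.
function Test-RoleAllowsOperation {
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [string[]] $NotActions = @(),
        [Parameter(Mandatory)] [string] $Operation
    )
    # An operation is permitted when it matches an Actions pattern
    # and matches no NotActions pattern; * is the wildcard.
    $granted  = [bool]($Actions    | Where-Object { $Operation -like $_ })
    $excluded = [bool]($NotActions | Where-Object { $Operation -like $_ })
    return ($granted -and -not $excluded)
}

# Candidate role definitions (constructed for this example).
$explicitRole = @{
    Actions = @(
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Compute/virtualMachines/powerOff/action'
    )
}
$wildcardRole = @{
    Actions    = @('Microsoft.Compute/virtualMachines/*')
    NotActions = @('Microsoft.Compute/virtualMachines/delete')
}

# Operations to probe: the intended ones plus ones an operator role should not grant.
$probes = @(
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/disks/write'
)

$probes | ForEach-Object {
    [pscustomobject]@{
        Operation = $_
        Explicit  = Test-RoleAllowsOperation @explicitRole -Operation $_
        Wildcard  = Test-RoleAllowsOperation @wildcardRole -Operation $_
    }
} | Format-Table -AutoSize
```

The explicit list permits only start and power off among the probes, while the wildcard entry also permits `extensions/write` and `runCommand/action`, which are the operations that let a user install or run software on the VM.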
Citations:
[1] https://docs.azure.cn/en-us/role-based-access-control/custom-roles-powershell
[2] https://docs.azure.cn/en-us/role-based-access-control/role-assignments-steps
[3] https://newhelptech.wordpress.com/2022/04/01/step-by-step-how-to-configuring-virtual-machine-role-based-access-control-rbac-in-microsoft-azure/
[4] https://www.examtopics.com/discussions/microsoft/view/78393-exam-az-104-topic-2-question-54-discussion/
[5] https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
[6] https://docs.aviatrix.com/documentation/v7.0/accounts-and-users/custom-role-azure.html?expand=true
[7] https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
[8] https://stackoverflow.com/questions/23668154/allow-users-to-start-stop-particular-azure-vms