Resource Locking Administrator Role

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name (link) of the Azure subscription that you want to examine.

04 In the blade navigation panel, choose Access control (IAM), and select the Roles tab to access the role definitions available for the selected subscription.

05 Select the CustomRole option from the Type dropdown list to return only the custom roles available within the subscription.

06 Select the custom role that you want to examine and choose View in the Details column.

07 Select the JSON tab and check the "actions" property value to identify the permissions defined for the selected role. If the "actions" property value does not include the following actions: "Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", and "Microsoft.Authorization/locks/delete", the selected Azure IAM role is not configured to manage resource locking within the selected subscription. If the role permissions include the specified actions, continue the Audit process with the next step.

08 Select the Assignments tab and check the assignments list to determine if the role is assigned to one or more IAM identities. If the assignments list is empty, the selected Azure IAM role is not assigned to an identity, therefore the role is not used to manage resource locking in the selected subscription.

09 Repeat steps no. 6 – 8 for each custom role available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each Microsoft Azure subscription created within your cloud account.

01 Run role definition list command (Windows/macOS/Linux) using built-in and custom query filters to list the names of all custom role definitions (i.e. IAM roles) created for the current Azure subscription:

az role definition list
  --custom-role-only true
  --query '[].{roleName:roleName}'
  --output table

02 The command output should return the name of each custom role available in the subscription:

RoleName
-----------------------
Web API Manager
API Service Contributor
Cloud Data Reader

03 Run role definition list command (OSX/Linux/UNIX) using the name of the custom role that you want to examine as the identifier parameter, to describe the permissions defined for the selected role:

az role definition list
  --name "Web API Manager"
  --query '[*].permissions[].actions[]'

04 The command output should return an array with the requested information:

[
  "microsoft.web/apimanagementaccounts/apis/read",
  "microsoft.web/apimanagementaccounts/apis/delete",
  "microsoft.web/apimanagementaccounts/apis/write"
]

05 Run role assignment list command (OSX/Linux/UNIX) using the name of the role that you want to examine as the identifier parameter, to describe the name of the identity associated with the selected role (assignee):

az role assignment list
--role "Web API Manager"
--query '[*].principalName'

06 The command output should return the requested information:

[]

07 Repeat steps no. 3 – 6 for each custom role available within the current Azure subscription.

08 Repeat steps no. 1 – 7 for each Microsoft Azure subscription created in your cloud account.

01 Sign in to the Azure Management Console.

02 Navigate to Azure Subscriptions blade at https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade.

03 Click on the name of the Azure subscription that you want to access.

04 In the blade navigation panel, choose Access control (IAM), and select the Roles tab to access the role definitions available for the selected subscription.

05 Choose Add and Add custom role to create a new Azure IAM custom role.

06 On the Create a custom role setup page, provide the following information:

1. For Basics, enter a unique name for the new role in the Custom role name box (e.g. "Resource Lock Administrator"), provide a short description in the Description box (optional), and choose Start from scratch for Baseline permissions. Choose Next to continue.
2. For Permissions, choose Add permissions, search for Microsoft.Authorization/locks, click on the permissions set returned, choose Actions and select the Read : Get management locks, Write : Add management locks, and Delete : Delete management locks permissions, then choose Add to attach the selected permissions to the new role definition. The permissions selected at this step will enable the role assignee to manage resource locks within the current subscription. Choose Next to continue the setup process.
3. For Assignable scopes, make sure that your Azure cloud subscription is listed in the Assignable scope section. The subscription listed on this page represents the scope where your custom role will be available for assignment. Choose Next to continue.
4. From JSON, you can view and download your custom role definition in JSON format. Choose Next to continue.
5. For Review + create, review the role configuration information, then choose Create to create your new custom role. Choose Ok to return to the Roles page.

07 Select the custom role created at the previous step and choose View in the Details column.

08 Select the Assignments tab and choose Add assignment to assign the role to an IAM identity by performing the following actions:

1. For Role, find and select the newly created custom role. Choose Next to continue.
2. For Members, select User, group, or service principal from Assign access to, choose + Select members, select the user to assign the role to, and choose Select. (Optional) You can add a short description for the role assignment in the Description box. Choose Next to continue.
3. For Review + assign, review the role assignment details, then choose Review + assign to assign the custom role to the specified user. The associated IAM user will be responsible for managing resource locks in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Microsoft Azure subscription created within your cloud account.

01 Create the role definition required for the new role and save the content to a JSON file named iam-custom-role-definition.json. Make sure that the following permissions are used: "Microsoft.Authorization/locks/read", "Microsoft.Authorization/locks/write", and "Microsoft.Authorization/locks/delete", to enable the role assignee to manage resource locks within the selected subscription. Replace the highlighted information, i.e. <azure-subscription-id>, with your own Azure subscription ID:

{
  "Name": "Resource Lock Administrator",
  "Description": "Manage Azure cloud resource locks",
  "Actions": [
    "Microsoft.Authorization/locks/read",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<azure-subscription-id>"]
}

02 Run role definition create command (Windows/macOS/Linux) to create your new IAM custom role using the role definition created at the previous step (i.e. iam-custom-role-definition.json file). Replace <azure-subscription-id> with your own Azure subscription ID:

az role definition create
  --subscription <azure-subscription-id>
  --role-definition @iam-custom-role-definition.json

03 The command output should return the metadata available for the new custom role:

{
  "assignableScopes": [
    "/subscriptions/<azure-subscription-id>"
  ],
  "description": "Manage Azure cloud resource locks",
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "name": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Resource Lock Administrator",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

04 Run role assignment create command (Windows/macOS/Linux) to assign the newly created role to an IAM user (i.e. assignee). Replace <iam-user-name> with the name of the IAM user that will be responsible for managing resource locks in the selected Azure subscription:

az role assignment create
  --role "Resource Lock Administrator"
  --assignee "<iam-user-name>"

05 The command output should return the role assignment information:

{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleAssignments/1234abcd-1234-abcd-1234-abcd1234abcd",
  "name": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "principalType": "User",
  "roleDefinitionId": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/roleDefinitions/abcd1234-abcd-1234-abcd-1234abcd1234",
  "scope": "/subscriptions/<azure-subscription-id>",
  "type": "Microsoft.Authorization/roleAssignments"
}

06 Repeat steps no. 1 – 5 for each Microsoft Azure subscription created in your cloud account.