Issue: I was able to create and assign custom Azure RBAC definitions when I am not supposed to.
Symptoms: I was able to create and update custom Azure role definitions and assignments using Azure CLI commands even though I have Microsoft Entra ID Free license and such functionality requires Microsoft Entra ID P1 or Microsoft Entra ID P2.
Background:
While learning about Azure through a book, I came across a lesson where you create a role definition and assignments using Azure CLI commands such as az role definition create and az role assignment create.
When I went to see the results in Azure Portal, I was provided with the message:
To create custom roles, your organization needs Microsoft Entra ID Premium P1 or P2. Start a free trial.
I was confused by this because the commands did not return errors but rather the expected successful JSON reply.
I confirmed the definitions and assignments using az role definition list and az role assignment list. Check attached screenshots.
Ask: I am sure this can't be right (unless I am missing something). If that's the case, I wasn't sure where on GitHub I need to report such a problem, or if a Microsoft representative would take that forward from here.
Note that custom RBAC roles are different from custom directory roles.
Custom RBAC roles are for managing Azure resources under a subscription, whereas custom directory roles are for managing Azure AD (Microsoft Entra) resources like users, groups, applications, etc. at the tenant level.
Having either the Owner or User Access Administrator role is enough to create custom RBAC definitions; that does not require any Premium P1 or P2 licenses.
I created a custom RBAC definition named "Custom Resource Group Reader" and was able to fetch its role definition like this:
az role definition list --name "Custom Resource Group Reader"
Response:
You need Microsoft Entra ID Premium P1 or P2 licenses for creating custom directory roles, not custom RBAC definitions.
When I tried to create a custom directory role with a Microsoft Entra ID Free license, I got the same message as you in the Portal, like this:
After acquiring a Microsoft Entra ID Premium P2 license, I'm able to create a custom directory role successfully, as below:
References:
Create custom roles in Microsoft Entra role-based access control
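The following script is an added example, not code from the question, the answer, or Microsoft's documentation. It shows the custom RBAC (subscription-scope) workflow the thread discusses: it emits the role-definition JSON for a "Custom Resource Group Reader" role (the name used in the answer), runs an offline pre-flight check that the role grants only read actions and is assignable only inside one subscription, and then prints the az role definition / az role assignment commands from the question. The subscription id, principal id and resource group name are placeholders you must replace; the az commands are only executed when AZ_APPLY=1 is set and the Azure CLI is installed, so the script runs without any Azure access.

```shell
#!/bin/sh
# Added example: build, check and (optionally) apply a custom Azure RBAC role.
# Placeholder values (assumptions, replace before use):
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
PRINCIPAL_ID="${PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"   # user/SP/group object id
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
ROLE_NAME="Custom Resource Group Reader"   # role name used in the answer above

# Emit the role-definition JSON for a subscription-scoped, read-only role.
role_definition_json() {
  sub="$1"
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Can read resource groups but not create, change or delete them",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "AssignableScopes": [
    "/subscriptions/$sub"
  ]
}
EOF
}

# Return 0 when every permission string is a .../read action, no wildcard
# appears, and the role is assignable only below a subscription (never at the
# tenant root "/"). Run this before `az role definition create`: the CLI will
# happily accept a role that is far broader than its name suggests.
check_role_definition() {
  file="$1"
  # every Microsoft.*/... permission string must end in /read
  if grep -E '^[[:space:]]*"[A-Za-z.]+/' "$file" | grep -vqE '/read",?$'; then
    return 1
  fi
  # wildcard actions are not acceptable in a reader role
  if grep -qE '"\*"|/\*"' "$file"; then
    return 1
  fi
  # root scope "/" would make the role assignable across every subscription
  if grep -qE '^[[:space:]]*"/",?$' "$file"; then
    return 1
  fi
  grep -qE '"/subscriptions/' "$file" || return 1
  return 0
}

# Print the Azure CLI commands that create, assign and verify the role.
az_commands() {
  file="$1"
  cat <<EOF
az role definition create --role-definition @$file
az role assignment create --assignee $PRINCIPAL_ID --role "$ROLE_NAME" \\
  --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP
az role definition list --name "$ROLE_NAME" --custom-role-only true
az role assignment list --role "$ROLE_NAME" --all
EOF
}

ROLE_FILE="$(mktemp)"
role_definition_json "$SUBSCRIPTION_ID" > "$ROLE_FILE"

if check_role_definition "$ROLE_FILE"; then
  echo "role definition passed the read-only / subscription-scope check"
  az_commands "$ROLE_FILE"
  # Only talk to Azure when explicitly asked and the CLI is available.
  if [ "${AZ_APPLY:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
    az_commands "$ROLE_FILE" | sh
  fi
else
  echo "refusing to create role: it is not read-only or not subscription-scoped" >&2
fi
```

The check is deliberately conservative: a role whose name says "Reader" but whose Actions list contains a write, delete or wildcard entry fails before anything is sent to Azure, which is the kind of mistake the successful JSON reply in the question would not have flagged.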