Build custom role definitions with actions, data actions, and scopes.
Last verified: April 2026
The Azure RBAC Role Definition Builder helps you create custom role definitions for Azure Role-Based Access Control. While Azure provides hundreds of built-in roles, many organizations need custom roles that grant precisely the permissions required for specific job functions. This tool guides you through selecting actions, data actions, and assignable scopes, and generates the JSON role definition you can deploy via the Azure CLI, PowerShell, or ARM templates.
Create a custom role when no built-in role provides exactly the permissions you need. If a built-in role grants too many permissions (violating least privilege) or too few (requiring multiple role assignments), a custom role is the better approach. Custom roles are also useful for compliance scenarios requiring precise permission documentation.
Actions control management plane operations like creating, modifying, or deleting Azure resources. DataActions control data plane operations like reading blobs in a storage account, sending messages to a queue, or reading secrets from Key Vault. A custom role can include both types.
Each Microsoft Entra tenant supports up to 5,000 custom roles. Custom roles can be scoped to management groups, subscriptions, or resource groups using the assignableScopes property.
Your security team needs a custom role for the SOC analysts who should be able to read all Azure resources and Key Vault audit logs, but must not be able to read Key Vault secret values. You start with the built-in Reader role but discover it does not include Key Vault data plane access. Using the builder, you add Microsoft.KeyVault/vaults/*/read to Actions and add Microsoft.KeyVault/vaults/secrets/getSecret/action to NotDataActions, creating a role that gives visibility without exposing secrets.
The builder walks you through selecting management plane Actions (e.g., Microsoft.Compute/virtualMachines/read) and data plane DataActions (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read) from categorized lists. It assembles these into the JSON role definition schema with Name, Description, Actions, NotActions, DataActions, NotDataActions, and AssignableScopes arrays, producing output compatible with az role definition create.
Start by cloning the closest built-in role and removing permissions rather than building from scratch. Azure has over 500 built-in roles, and one of them is usually 80% of what you need. Use az role definition list --query "[?contains(roleName, 'Reader')]" to find candidates.
Wildcard actions like Microsoft.Compute/* grant ALL current AND future actions on that resource provider. When Microsoft adds new API operations, your custom role automatically gets them. Use explicit action lists for security-sensitive roles instead of wildcards to maintain least privilege.
Custom role assignableScopes determine WHERE the role can be assigned, not what it can do. A role scoped to a resource group can only be assigned within that resource group, even if its Actions list includes subscription-level operations. Use management group scope for roles that need to be reusable across subscriptions.