I apologize about the delay but Custom RBAC Support is now available in Production. You are able to create role definitions at the MG scope and assign them to inherited MGs and Subs.
There is a bug that is in the portal where the new custom role is not showing when you are trying to do a role assignment on an inherited child MG/Sub. This should be resolved soon and PowerShell, CLI, and API are all working. I will not do any announcements yet on the availability of the feature until the portal bug is fixed. Once that is fixed we will do blog announcements and I will mark the feature complete here.
When attempting to add the assignable scope for the Root Mgt group to a custom role, I receive an error that the Role's ID is not found.
Set-AzRoleDefinition : Cannot find role definition with id 'XXXXXXXX-b864-4ee0-acf3-02f576432070'.
I've tried setting it at each Mgt Group nested under the root but the same error is returned. Any suggestions?
Just wanted to leave a quick update, we’re continuing to work on this feature and will share details in the near future.
/Stuart and Balaji
Any update here? I am automating our subscription creation process and need to have this capability.
I agree with this, my idea is slightly different and should be easier for the PG to implement.
Instead of a service tag for each PaaS Service by Region, I propose a Tag named "Fabric" or "AzureFabric", creating one for each region that contains the PaaS IP prefixes.