OpenOps provides Azure custom role definitions to create RBAC roles in your Azure subscriptions with the necessary permissions to run benchmark assessments and collect cost optimization data.

Available Custom Roles

OpenOps Azure Benchmark Reader

Creates the OpenOps Azure Benchmark Reader custom role with read-only permissions for running Azure cost optimization benchmarks. This role includes:
  • Compute resources: Virtual machines, managed disks, snapshots, and images
  • Networking: Network interfaces and public IP addresses
  • App Services: Web apps, App Service Plans, and App Service Environments
  • Databases: Azure SQL servers, databases, and elastic pools
  • Cost and billing: Cost Management queries, consumption usage details, and billing properties
  • Monitoring: Azure Monitor metrics
  • Optimization: Azure Advisor recommendations and metadata
Download Bicep template | Download JSON template

Parameters: AssignableScopes (required)

Installation Steps

Before creating the custom role, you must configure the AssignableScopes parameter to specify where this role can be assigned.

Configure AssignableScopes

Choose the appropriate scope for your deployment:

Single subscription
JSON:
"AssignableScopes": [
  "/subscriptions/11111111-1111-1111-1111-111111111111"
]
Bicep parameter:
--parameters assignableScopes='["/subscriptions/11111111-1111-1111-1111-111111111111"]'

Multiple subscriptions
Use this when you want the role available in specific subscriptions but not across the entire management group.
JSON:
"AssignableScopes": [
  "/subscriptions/11111111-1111-1111-1111-111111111111",
  "/subscriptions/22222222-2222-2222-2222-222222222222",
  "/subscriptions/33333333-3333-3333-3333-333333333333"
]
Bicep parameter:
--parameters assignableScopes='["/subscriptions/11111111-1111-1111-1111-111111111111","/subscriptions/22222222-2222-2222-2222-222222222222","/subscriptions/33333333-3333-3333-3333-333333333333"]'

Management group
Use this only if you want the custom role available across the entire management group scope.
JSON:
"AssignableScopes": [
  "/providers/Microsoft.Management/managementGroups/my-management-group"
]
Bicep parameter:
--parameters assignableScopes='["/providers/Microsoft.Management/managementGroups/my-management-group"]'

Option 1: Deploy with Azure CLI and Bicep

  1. Update the assignableScopes parameter in the command below with your subscription ID(s):
az deployment sub create \
  --name openops-azure-benchmark-reader-role \
  --location westus2 \
  --template-file "./OpenOps Azure Benchmark Reader.role-definition.bicep" \
  --parameters assignableScopes='["/subscriptions/<subscription-id>"]'
  2. For multiple subscriptions:
az deployment sub create \
  --name openops-azure-benchmark-reader-role \
  --location westus2 \
  --template-file "./OpenOps Azure Benchmark Reader.role-definition.bicep" \
  --parameters assignableScopes='["/subscriptions/sub-1","/subscriptions/sub-2"]'
Notes:

Option 2: Deploy with Azure CLI and JSON

  1. Edit the AssignableScopes field in OpenOps Azure Benchmark Reader.role-definition.json with your subscription ID(s).
  2. Create the role:
az role definition create \
  --role-definition "./OpenOps Azure Benchmark Reader.role-definition.json"
  3. To update an existing role:
az role definition update \
  --role-definition "./OpenOps Azure Benchmark Reader.role-definition.json"

Assign the Role to a Service Principal

After creating the custom role, assign it to the service principal that OpenOps uses to connect to Azure.

Assign at subscription scope

az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/11111111-1111-1111-1111-111111111111"

Assign in multiple subscriptions

Run the assignment once per subscription:
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/11111111-1111-1111-1111-111111111111"
az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/subscriptions/22222222-2222-2222-2222-222222222222"

Assign at management group scope

az role assignment create \
  --assignee-object-id "<service-principal-object-id>" \
  --assignee-principal-type ServicePrincipal \
  --role "OpenOps Azure Benchmark Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/my-management-group"

Verification

Verify the role definition was created:
az role definition list \
  --name "OpenOps Azure Benchmark Reader" \
  -o json
Check role assignments for your service principal:
az role assignment list \
  --assignee "<service-principal-object-id>" \
  --all \
  -o table

Cost Management Access

For subscription-scope cost queries, the role includes Microsoft.CostManagement/query/action for the POST query API. Azure Cost Management access commonly requires related read permissions in billing and cost surfaces. This role includes:
  • Microsoft.CostManagement/query/action
  • Microsoft.CostManagement/*/read
  • Microsoft.Consumption/*/read
  • Microsoft.Billing/billingPeriods/read
  • Microsoft.Billing/billingProperty/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
If you update the role and still get RBACAccessDenied, wait a few minutes and retry. Azure RBAC propagation is not always immediate.

For subscriptions under EA or certain billing setups, cost visibility may also depend on billing-side settings such as view charges access.
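A pre-deployment check that a downloaded or edited role definition still has the least-privilege shape described above (only /read actions plus the cost query action, no wildcards, and a populated AssignableScopes in one of the two forms shown in the Configure AssignableScopes section). This is an added example, not part of the OpenOps templates or CLI; the two role definitions are constructed, and the subscription ID is a placeholder.

```python
import json
import re

# Constructed sample in the shape of an Azure custom role definition JSON.
# Actions are the cost-related permissions listed on the page; the subscription ID is a placeholder.
ROLE_OK = {
    "Name": "OpenOps Azure Benchmark Reader",
    "IsCustom": True,
    "Actions": [
        "Microsoft.CostManagement/query/action",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Billing/billingProperty/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"],
}
# The same role after a careless edit: scopes emptied, a delete action and a wildcard added.
ROLE_BAD = dict(ROLE_OK, AssignableScopes=[],
                Actions=ROLE_OK["Actions"] + ["Microsoft.Compute/virtualMachines/delete",
                                              "Microsoft.Network/*"])

SUB_RE = re.compile(r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
# The one non-/read action this role legitimately needs (the POST cost query API).
NON_READ_ALLOWLIST = {"Microsoft.CostManagement/query/action"}


def check_role_definition(role_json):
    """Return a list of findings for a role definition (JSON string or dict); empty means it passes."""
    role = json.loads(role_json) if isinstance(role_json, str) else role_json
    findings = []
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        findings.append("AssignableScopes is required and must not be empty")
    for scope in scopes:
        if not (SUB_RE.match(scope) or MG_RE.match(scope)):
            findings.append(f"unrecognised assignable scope: {scope}")
    actions = role.get("Actions", [])
    for action in actions:
        if action == "*" or action.endswith("/*"):
            findings.append(f"wildcard grants more than read access: {action}")
        elif not action.endswith("/read") and action not in NON_READ_ALLOWLIST:
            findings.append(f"non-read action present: {action}")
    if "Microsoft.CostManagement/query/action" not in actions:
        findings.append("missing Microsoft.CostManagement/query/action; cost queries will fail")
    return findings
```

Run it over the JSON file before `az role definition create`; any finding on a file that is meant to be read-only deserves a look before the role is assigned.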

Important Notes

  • AssignableScopes is required for all Azure custom roles
  • A management group is above subscriptions in the Azure hierarchy
  • If you use multiple subscriptions in AssignableScopes, the role is limited to those subscriptions only
  • Role creation requires permission to manage custom roles for every scope listed in AssignableScopes

Modification

You’re welcome to download and modify the role definition according to your needs. Note that some OpenOps benchmark workflows may not function properly if required permissions are removed.

Support

Feel free to join our Slack community if you have any questions or need help with your installation.