Azure Custom Roles: Least-Privilege Write Access
Overview
Spotto provides JSON templates for creating custom Azure roles with minimal permissions for each write permission. These templates automatically reflect the specific permissions you've selected in the Spotto Portal.
Why Use Custom Roles
Custom roles provide:
- Minimal permissions - Only grant the exact actions needed
- Enhanced security - Reduce the attack surface
- Better compliance - Meet strict security requirements
- Granular control - Customize permissions for your organization
Custom roles allow you to grant only the exact permissions needed, rather than using broad built-in roles.
How to Use the Custom Role Templates
- In the Cloud Accounts form, select the write permissions you want to enable
- Expand the "Custom Role for Least Privilege" section
- The section contains a JSON template tailored to your selected permissions
- Click the copy button to copy the JSON template
- Follow the instructions below to create the custom role in Azure
Creating a Custom Role in Azure
You can create a custom role using the JSON template in several ways:
Option 1: Azure Portal
- Go to Subscriptions in the Azure Portal
- Select your subscription
- Navigate to Access Control (IAM)
- Click Add > Add custom role
- Click Start from JSON
- Paste the JSON template from Spotto
- Review and create the role
- Assign the new custom role to your Spotto write access service principal
Option 2: Azure CLI
# Save the JSON template to a file (e.g., spotto-custom-role.json)
az role definition create --role-definition spotto-custom-role.json
Option 3: PowerShell
# Save the JSON template to a file (e.g., spotto-custom-role.json)
New-AzRoleDefinition -InputFile "spotto-custom-role.json"
Template Structure
Each JSON template includes:
- roleName - The name for the custom role (e.g., "Spotto Access")
- description - Description of what the role allows
- assignableScopes - Subscription-level scope where the role can be assigned
- permissions - The minimal required actions based on your selections
The template automatically combines permissions from all the write permissions you've enabled, ensuring you only grant the minimum access required.
Example Template
The template shown in the Spotto Portal combines all the permissions you've enabled.
The example below includes Advisor plus future Storage Inventory write provisioning actions:
{
"properties": {
"roleName": "Spotto Access",
"description": "Custom role for Spotto with combined permissions for all enabled features",
"assignableScopes": [
"/subscriptions/{subscriptionId}"
],
"permissions": [
{
"actions": [
"Microsoft.Advisor/recommendations/suppressions/delete",
"Microsoft.Advisor/recommendations/suppressions/write",
"Microsoft.Advisor/recommendations/write",
"Microsoft.Storage/storageAccounts/inventoryPolicies/read",
"Microsoft.Storage/storageAccounts/inventoryPolicies/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Replace {subscriptionId} with your actual Azure subscription ID before creating the role.
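As an added example (not Spotto's own code and not what the Portal runs), the Python script below shows how a combined template like the one above can be assembled from per-feature action lists and how the subscription scope is filled in before the file is saved. The feature names advisor and storage_inventory, the GUID check, and the function names are assumptions for illustration; the action strings are the ones shown in the template.

```python
"""Build a Spotto-style least-privilege custom role definition.

Added example, not Spotto's code: combines per-feature action lists into
one role definition and fills in the subscription scope, refusing to emit
a file that still carries a placeholder instead of a real subscription ID.
"""
import json
import re

# Assumed grouping of the actions shown in the page's example template.
FEATURE_ACTIONS = {
    "advisor": [
        "Microsoft.Advisor/recommendations/suppressions/delete",
        "Microsoft.Advisor/recommendations/suppressions/write",
        "Microsoft.Advisor/recommendations/write",
    ],
    "storage_inventory": [
        "Microsoft.Storage/storageAccounts/inventoryPolicies/read",
        "Microsoft.Storage/storageAccounts/inventoryPolicies/write",
    ],
}

# Azure subscription IDs are GUIDs; anything else (e.g. "{subscriptionId}") is rejected.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_role_definition(subscription_id, enabled_features, role_name="Spotto Access"):
    """Return the role definition dict for the enabled features.

    Raises ValueError on an unknown feature, an empty selection, or a
    subscription ID that is not a GUID, so mistakes surface before `az` runs.
    """
    if not _GUID_RE.match(subscription_id):
        raise ValueError(f"subscription_id must be a GUID, got {subscription_id!r}")
    unknown = set(enabled_features) - set(FEATURE_ACTIONS)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    # Union of the selected features' actions, de-duplicated and sorted so the
    # output is stable and easy to diff against a previous version of the role.
    actions = sorted({a for f in enabled_features for a in FEATURE_ACTIONS[f]})
    if not actions:
        raise ValueError("no features enabled; an empty role grants nothing")
    return {
        "properties": {
            "roleName": role_name,
            "description": "Custom role for Spotto with combined permissions for all enabled features",
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [{
                "actions": actions,
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
        }
    }


def render(role_definition):
    """Serialise to the JSON text you would save as spotto-custom-role.json."""
    return json.dumps(role_definition, indent=2)


if __name__ == "__main__":
    # Constructed placeholder GUID; use your real subscription ID here.
    sub = "00000000-0000-0000-0000-000000000000"
    print(render(build_role_definition(sub, ["advisor", "storage_inventory"])))
```

Running the script prints the same structure as the example template, with the subscription scope already filled in; pipe the output to a file and pass that file to `az role definition create` or `New-AzRoleDefinition` as described under Creating a Custom Role in Azure.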
Assigning the Custom Role
After creating the custom role:
- Navigate to your Azure subscription
- Go to Access Control (IAM)
- Click Add > Add role assignment
- Select your custom role (e.g., "Spotto Access")
- Under Assign access to, choose User, group, or service principal
- Click Select members, find your Spotto write access app (e.g., Spotto AI Write)
- Click Review + assign
Updating Custom Roles
If you enable additional write permissions later:
- Get the updated JSON template from the Spotto Portal
- Update the role definition in Azure:
- Azure Portal: Edit the custom role and update the actions
- Azure CLI:
az role definition update --role-definition spotto-custom-role.json
- PowerShell:
Set-AzRoleDefinition -InputFile "spotto-custom-role.json"
Troubleshooting
az role definition create fails
What you're seeing: Azure CLI returns an error when creating the custom role.
Likely causes:
- The JSON file is not valid or contains placeholder values (like {subscriptionId}).
- Your user account lacks permission to create custom roles.
How to fix:
- Replace placeholders (especially {subscriptionId}) with real values before running the command.
- Validate the JSON structure (a quick check is to open it in an editor with JSON validation).
- Confirm you have Owner or User Access Administrator on the subscription (or ask an admin to create the role).
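As an added example (not Spotto's or Azure's code), the Python preflight check below catches the two causes above that can be detected offline before running `az role definition create`: invalid JSON and leftover placeholders such as {subscriptionId}. It also flags wildcard actions, which would defeat the least-privilege intent of the template. The wildcard and scope checks, the function name, and the two sample role definitions are constructed for illustration; the missing-permission cause cannot be checked offline and is left to `az`.

```python
"""Preflight check for spotto-custom-role.json before `az role definition create`.

Added example, not Spotto's or Azure's code. Returns a list of problems so the
caller can print them and stop before calling Azure.
"""
import json
import re

PLACEHOLDER_RE = re.compile(r"\{[A-Za-z]+\}")          # e.g. {subscriptionId}
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")  # subscription-level scope
REQUIRED_KEYS = {"roleName", "description", "assignableScopes", "permissions"}


def preflight(text):
    """Return the problems found in the role-definition JSON text (empty list = OK)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    props = doc.get("properties") if isinstance(doc, dict) else None
    if not isinstance(props, dict):
        return ['missing top-level "properties" object']
    missing = REQUIRED_KEYS - set(props)
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    # Placeholders left over from the Portal template make the create call fail.
    for placeholder in sorted(set(PLACEHOLDER_RE.findall(text))):
        problems.append(f"placeholder {placeholder} still present; replace it with a real value")
    # Every assignable scope should be a subscription scope (unless it is a
    # placeholder, which was already reported above).
    for scope in props.get("assignableScopes", []):
        if not SCOPE_RE.match(scope) and not PLACEHOLDER_RE.search(scope):
            problems.append(f"assignableScopes entry is not a subscription scope: {scope}")
    # A wildcard grants far more than the listed write permissions need.
    for perm in props.get("permissions", []):
        for action in perm.get("actions", []):
            if "*" in action:
                problems.append(f"wildcard action {action!r} is broader than least privilege")
    return problems


# Constructed sample: the template as copied from the Portal, placeholder intact.
SAMPLE_WITH_PLACEHOLDER = json.dumps({
    "properties": {
        "roleName": "Spotto Access",
        "description": "Custom role for Spotto with combined permissions for all enabled features",
        "assignableScopes": ["/subscriptions/{subscriptionId}"],
        "permissions": [{
            "actions": [
                "Microsoft.Advisor/recommendations/suppressions/delete",
                "Microsoft.Advisor/recommendations/suppressions/write",
                "Microsoft.Advisor/recommendations/write",
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}, indent=2)

# Constructed sample: the same file with a (placeholder) GUID filled in.
SAMPLE_FILLED = SAMPLE_WITH_PLACEHOLDER.replace(
    "{subscriptionId}", "00000000-0000-0000-0000-000000000000")


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py spotto-custom-role.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WITH_PLACEHOLDER
    found = preflight(text)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK: safe to run az role definition create" if not found else "Fix the problems above first")
    sys.exit(1 if found else 0)
```

Run it against the saved template before `az role definition create` (or `az role definition update`); a non-zero exit means at least one of the fixable causes above still applies.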
Changes don’t take effect immediately
What you're seeing: Spotto validation still fails right after you assign the role.
Likely causes: Azure role assignment propagation delay.
How to fix:
- Wait 5–10 minutes after role assignment changes.
- Re-run validation in Spotto.
Learn More
Next Steps
- Advisor Recommendations - See detailed permissions required
- Storage Inventory - Reader-only current state and future write scope
- Security Best Practices - Learn about credential management
- Troubleshooting - Resolve common issues
For further assistance, please Contact Us.