In enterprise organisations Role-Based Access Control ("RBAC") is a must, since different departments maintain different systems. Microsoft Azure of course also offers RBAC. In real life I ran into an issue in which some IT support staff should be able to restart a set of virtual machines in Azure, but nothing more than that.

This specific role is not available in the default roles in Azure, but you can make a custom one.

Step 1 - Find your subscription ID
To find your Azure subscription ID do the following:
  • Go to https://portal.azure.com and log in
  • In the left navigation bar, select the "Subscriptions" menu (or use the search resources bar)
  • Select your subscription
  • Make note of the subscription ID shown in the right pane (see example below)


Step 2 - Create a .json file
  • Open Notepad
  • Copy the code below and replace the placeholder subscription ID (the red part in "AssignableScopes") with your own subscription ID (see step 1)
  • Save the file as "virtual_operator_role.json"
The virtual_operator_role.json file

{
  "Name": "Virtual Machine Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" 
  ]
}
Step 3 - Apply the .json file
  • In the Azure Portal (https://portal.azure.com) click on the Cloud Shell icon in the top bar
  • The console window appears (if it is the first time you start a console window, you may be asked to create or select a storage account)
  • Drag and drop the created file "virtual_operator_role.json" into the console, so it will be automatically uploaded to Azure
  • Run the following command
az role definition create --role-definition "virtual_operator_role.json"

If you receive no error, the new custom role "Virtual Machine Operator" has been created. You can select it via the "Access Control (IAM)" option for every resource you want to delegate.
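The three steps above, put together as a small bash script. This is an added example, not part of the original post: it checks that the subscription ID looks like a real GUID (so the "xxxxxxxx-..." placeholder cannot slip through), writes the same role definition as above, lists every action that grants more than read so the role can be reviewed before it is applied (for the role as written this shows start and restart on VMs plus the Insights alertRules, diagnosticSettings and Support wildcards), and wraps the az commands that create the role and assign it to a group at resource-group scope rather than the whole subscription. The sample subscription ID, the group object ID and the resource group name are assumed placeholders; the az calls need an authenticated Cloud Shell or az login session.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Renders, reviews, creates and
# assigns the "Virtual Machine Operator" custom role.
set -eu

# Return 0 if $1 is a well-formed subscription ID (8-4-4-4-12 hex groups).
validate_subscription_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Write the role definition to file $2 with subscription $1 in AssignableScopes.
# The Actions list is the one from the post; an invalid ID is refused so the
# placeholder is never uploaded by mistake.
render_role_definition() {
    local sub_id="$1" out="$2"
    validate_subscription_id "$sub_id" || { echo "invalid subscription id: $sub_id" >&2; return 1; }
    cat > "$out" <<EOF
{
  "Name": "Virtual Machine Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/${sub_id}"
  ]
}
EOF
}

# Print every action in a rendered definition ($1) that is not read-only.
# Review this list before creating the role: everything printed is a
# permission beyond "monitor".
list_write_actions() {
    grep -oE '"Microsoft\.[^"]+"' "$1" | tr -d '"' | grep -vE '/read$' || true
}

# Number of non-read actions in definition $1 (0 when the role is read-only).
count_write_actions() {
    list_write_actions "$1" | grep -c . || true
}

# Create the custom role from definition file $1 (same command as the post).
apply_role() {
    az role definition create --role-definition "$1"
}

# Assign the role to group $1 (Azure AD object ID) on resource group $3 in
# subscription $2, so operators only see the VMs they are meant to restart.
assign_role_to_group() {
    az role assignment create \
        --assignee-object-id "$1" --assignee-principal-type Group \
        --role "Virtual Machine Operator" \
        --scope "/subscriptions/$2/resourceGroups/$3"
}

# Command dispatch; with no arguments the script only defines the functions.
case "${1:-}" in
    render) render_role_definition "$2" "$3" ;;
    review) list_write_actions "$2" ;;
    apply)  apply_role "$2" ;;
    assign) assign_role_to_group "$2" "$3" "$4" ;;
    *) ;;
esac
```

Typical use in Cloud Shell: `bash vm_operator_role.sh render <subscription-id> virtual_operator_role.json`, then `bash vm_operator_role.sh review virtual_operator_role.json` to see the five non-read actions, then `apply` and finally `assign` with the support group's object ID and the resource group that holds the VMs.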



Many thanks to Salar Darwish!
