We went through some "minimal" AZURE training last week. The trainer guy said we could organize and "bill" other departments using "TAGS". BUT, some Googling/Binging didn't turn anything up... so here is what I did to create a custom RBAC AZURE role:
Save this file (after you edit the last part, of course) as TAG_reader.json:
    {
        "Name": "Tag Reader",
        "IsCustom": true,
        "Description": "Can read tags.",
        "Actions": [
            "Microsoft.Resources/subscriptions/tagNames/read",
            "Microsoft.Resources/subscriptions/tagNames/tagValues/read"
        ],
        "NotActions": [],
        "AssignableScopes": [
            "/subscriptions/PUTYOURSUBSCRIPTIONIDHERE"
        ]
    }
Then log into Azure PowerShell and run:

    New-AzureRmRoleDefinition -InputFile TAG_reader.json

Then assign the person/people to that role.
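
One way to script the whole procedure, including the final assignment step (an added example, not from the original post). It assumes the AzureRM module, a session that is already logged in, and a hypothetical assignee user@example.com; the two checks before the upload confirm the placeholder scope was replaced and that the role grants nothing beyond explicit read actions:

```powershell
# Added example: validate TAG_reader.json, create the role, then assign it.
# Assumptions: AzureRM module installed, session already logged in,
# and $SignInName is a hypothetical user in your directory.
param(
    [string]$Path = 'TAG_reader.json',
    [string]$SignInName = 'user@example.com'
)

$role = Get-Content -Raw -Path $Path | ConvertFrom-Json

# 1. The placeholder scope must have been replaced with a subscription GUID.
$guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$scopePattern = '^/subscriptions/' + $guid + '$'
foreach ($scope in $role.AssignableScopes) {
    if ($scope -notmatch $scopePattern) {
        throw "AssignableScopes entry is not a subscription ID: $scope"
    }
}

# 2. Least privilege: every action must be an explicit read, with no wildcards.
foreach ($action in $role.Actions) {
    if ($action -match '\*' -or $action -notmatch '/read$') {
        throw "Action is broader than read-only: $action"
    }
}

# 3. Create the role definition only if it does not already exist.
if (-not (Get-AzureRmRoleDefinition -Name $role.Name)) {
    New-AzureRmRoleDefinition -InputFile $Path
}

# 4. Assign the role to the user at the subscription scope from the file.
New-AzureRmRoleAssignment -SignInName $SignInName `
    -RoleDefinitionName $role.Name `
    -Scope $role.AssignableScopes[0]
```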