New-AzRoleDefinition -InputFile rbac.jsonIf you want to link Custom role to the top most root management group (that is always available), use an ID that corresponds with AAD Tenant ID GUID.
Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service level agreement
More details about progress:
| { | |
| "Name": "My MG Role", | |
| "Id": null, | |
| "IsCustom": true, | |
| "Description": "Contributor without reservation permission", | |
| "Actions": [ | |
| "*" | |
| ], | |
| "NotActions": [ | |
| "Microsoft.Authorization/*/Delete", | |
| "Microsoft.Authorization/*/Write" | |
| ], | |
| "DataActions": [ | |
| ], | |
| "NotDataActions": [ | |
| ], | |
| "AssignableScopes": [ | |
| "/providers/Microsoft.Management/managementGroups/46938462-5677-4c99-a776-7c286612e9bd" | |
| ] | |
| } |