Azure provides a number of built-in IAM roles. However, those roles often do not provide the right combination of permissions, or they are over-permissive.
Azure allows you to create a custom IAM role and assign specific permissions to it. To create a custom IAM role, follow these steps:
1. Sign in to the Microsoft Azure portal.
2. Navigate to "Subscriptions" and select your subscription.
3. In your subscription, choose the "Access Control (IAM)" page.
4. (Optional) Choose the "Roles" tab.
5. Click the "+ Add" button, and select "Add custom role" from the dropdown menu.
6. On the "Basics" tab, give your new role a meaningful name and description. Leave "Baseline permissions" as "Start from scratch".
7. On the "Permissions" tab, select the permissions required for your role.
8. On the "Assignable Scopes" tab, your Azure subscription will be pre-selected. Leave this as-is unless you know what you are doing.
9. Click the "Review + Create" button.
10. Click the "Create" button.
You should now be able to assign the new role to an IAM user.
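
The portal steps above produce a role definition that can also be written as JSON. The following Python sketch is an added example, not part of the original page: it builds such a definition and checks it for wildcard permissions and for assignable scopes that are not a subscription or below. The role name, the three `Microsoft.Compute` actions, the placeholder subscription ID and the lint rules are assumptions chosen for illustration.

```python
import json

# Constructed placeholder subscription ID, not a real one.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"


def build_role(name, description, actions, subscription_id=SUBSCRIPTION_ID):
    """Mirror the portal's Basics, Permissions and Assignable Scopes tabs."""
    return {
        "Name": name,                      # "Basics" tab
        "IsCustom": True,
        "Description": description,        # "Basics" tab
        "Actions": list(actions),          # "Permissions" tab
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        # "Assignable Scopes" tab: the subscription, as pre-selected in the portal
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def lint_role(role):
    """Return least-privilege findings (assumed policy: no wildcards at all)."""
    findings = []
    for key in ("Actions", "DataActions"):
        for action in role.get(key, []):
            if "*" in action:
                findings.append(f"wildcard in {key}: {action}")
    if not role.get("Actions") and not role.get("DataActions"):
        findings.append("role grants no permissions")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("no assignable scope")
    for scope in scopes:
        if not scope.lower().startswith("/subscriptions/"):
            findings.append(f"scope is not a subscription or below: {scope}")
    return findings


# Hypothetical example role: view, start and restart virtual machines only.
VM_OPERATOR = build_role(
    "VM Operator (example)",
    "Can view, start and restart virtual machines.",
    ["Microsoft.Compute/virtualMachines/read",
     "Microsoft.Compute/virtualMachines/start/action",
     "Microsoft.Compute/virtualMachines/restart/action"],
)

if __name__ == "__main__":
    print(json.dumps(VM_OPERATOR, indent=2))
    print(lint_role(VM_OPERATOR) or "no findings")
```

The printed JSON can be saved to a file and passed to `az role definition create --role-definition @role.json` as an alternative to the portal.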