Azure has a lot of pre-defined roles, but you can also create very specific roles with the help of Azure Powershell or Bash and a JSON config file. In this example, the user that gets this role is only able to start, stop, or restart a VM.

Start off by opening the cloud shell. If this is the first time opening it, a storage account must be created.

Create a new json config file and insert the following:

code role.json

{
"Name": "Virtual Machine Operator",
"IsCustom": true,
"Description": "Can deallocate, start and restart virtual machines.",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [
, "AssignableScopes": [ "/subscriptions/xxxx" ]
}

You can save with CTRL+S and exit the visual editor with CTRL+Q.

The role grants read permission and allow to start, restart, and stop the VM. Do not forget to add your subscription id at the end (line 16).

When assigning a role the custom role should also be listed. You can either assign this role to a Resource Group or the VM directly.

References:

https://stackoverflow.com/questions/23668154/allow-users-to-start-stop-particular-azure-vms