Azure has a lot of pre-defined roles, but you can also create very specific roles with the help of Azure Powershell or Bash and a JSON config file. In this example, the user that gets this role is only able to start, stop, or restart a VM.

Start off by opening the cloud shell. If this is the first time opening it, a storage account must be created.

Create a new json config file and insert the following:

code role.json

{
"Name": "Virtual Machine Operator",
"IsCustom": true,
"Description": "Can deallocate, start and restart virtual machines.",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [
, "AssignableScopes": [ "/subscriptions/xxxx" ]
}

You can save with CTRL+S and exit the visual editor with CTRL+Q.

The role grants read permission and allow to start, restart, and stop the VM. Do not forget to add your subscription id at the end (line 16).

Create the role based off the template:

az role definition create --role-definition role.json

When assigning a role the custom role should also be listed. You can either assign this role to a Resource Group or the VM directly.

References:

https://stackoverflow.com/questions/23668154/allow-users-to-start-stop-particular-azure-vms