Hopefully I can answer your questions below.
Does this PowerShell need to be run from the Octopus server?
Generating a GUID can be done from any location, because they are Globally Unique. The example I gave is a standard PowerShell command. Older versions of PowerShell may require the use of a different syntax, [guid]::NewGuid(), which is just a direct call to the method of the underlying .NET type.
Does this role need to be present on the Octopus server? If we do not create these roles, by default I do see a role name “default Access” on the Azure portal while adding users from Azure AD.
You definitely need to create a new App Role in Azure.
First, you’ll create a new role in the Azure portal, using the manifest, as you have done, giving it your brand new GUID, and value of octopusTesters (as an example).
Later, you’ll link that AAD Role to a Team in Octopus, using octopusTesters as the RoleID, here
From the docs:
The value property is the most important one. This value becomes the external Role ID you will use later on when adding this role to a Team in Octopus Deploy.
You only need to do all of this if you want to connect Azure AD with Octopus teams. You can opt not to do this at all, in which case users will simply authenticate with Azure AD instead and would not be mapped into an Octopus Team automatically.
What type of access will they get?
The permissions they will have inside of Octopus depend on the team they have been added into. If you have an Octopus Testers team, mapped to an AAD Role called octopusTesters, then any users in that AAD Role will take on the permissions of the Octopus Testers team.
This is controlled via User Roles and adding those to the team.
Hopefully I am helping to clarify, let me know if there is more information I can help you with here.
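
The role-creation step described in the reply above, as an added example that is not part of the original post or of Octopus's own tooling. The function name New-OctopusAppRole, the display names and the sample existing manifest entry are assumptions made for illustration; the field names follow the appRoles section of the Azure AD application manifest.

```powershell
# Added example: build an appRoles manifest entry whose "value" will be used
# as the external Role ID on an Octopus team. Sample data below is constructed.

function New-OctopusAppRole {
    param(
        [Parameter(Mandatory)] [string] $Value,        # e.g. octopusTesters
        [Parameter(Mandatory)] [string] $DisplayName,  # shown when assigning users in the portal
        [string] $Description = $DisplayName,
        [object[]] $ExistingRoles = @()                # appRoles already present in the manifest
    )

    # Azure does not accept role values that contain spaces.
    if ($Value -match '\s') {
        throw "Role value '$Value' must not contain whitespace."
    }

    # The value is what Octopus matches on, so a second role with the same
    # value would make the team mapping ambiguous. -eq ignores case here.
    if ($ExistingRoles | Where-Object { $_.value -eq $Value }) {
        throw "A role with value '$Value' already exists in the manifest."
    }

    [ordered]@{
        allowedMemberTypes = @('User')
        description        = $Description
        displayName        = $DisplayName
        id                 = [guid]::NewGuid().ToString()  # can be generated on any machine
        isEnabled          = $true
        value              = $Value
    }
}

# Constructed sample of what the manifest's appRoles array might already hold.
$existing = @('[{"allowedMemberTypes":["User"],"description":"Octopus Admins",
  "displayName":"Octopus Admins","id":"00000000-0000-0000-0000-000000000001",
  "isEnabled":true,"value":"octopusAdmins"}]' | ConvertFrom-Json)

$role = New-OctopusAppRole -Value 'octopusTesters' -DisplayName 'Octopus Testers' -ExistingRoles $existing

# Paste this object into the appRoles array of the app registration manifest.
$role | ConvertTo-Json
```

Only users assigned to this role in Azure AD pick up the permissions of the Octopus team that uses octopusTesters as its external Role ID, so review the role's assignments in Azure as carefully as the team's User Roles in Octopus.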