Thursday, August 17, 2023

Azure portal VM start-stop permissions for guest user

Revisiting my older post on the subject:

I had created that custom role inside the particular VM I wanted to delegate access for, so the custom role ("VM-start-stop" or similar) was not available for another VM I had created in the same resource group. The point to note is that the role has to be created at the desired scope, so:

  • if I navigate to the resource group --> IAM --> Add + --> Add custom role, then that custom role is available throughout that resource group.
  • if I navigate to Home --> Subscriptions --> (a particular subscription) --> IAM --> Add + --> Add custom role, then that custom role is available throughout that subscription.
  • if I navigate to the VM and go to IAM --> Add +, I don't see the option to add a custom role.

https://stackoverflow.com/questions/23668154/allow-users-to-start-stop-particular-azure-vms

According to the stackoverflow post above, the built-in "Virtual Machine Contributor" role gives more permissions than we want to delegate. So, after trying out this role (which works for starting/stopping VMs, but also allows a lot more), I decided to recreate the permissions given in my earlier post. So, copying only the actions and dataActions parts of the permissions from the JSON tab of the previously created role,

"permissions": [
    {
        "actions": [
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/loadBalancers/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Compute/virtualMachines/*/read",
            "Microsoft.HybridCompute/machines/*/read",
            "Microsoft.HybridConnectivity/endpoints/listCredentials/action",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/powerOff/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/deallocate/action"
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Compute/virtualMachines/login/action",
            "Microsoft.HybridCompute/machines/login/action"
        ],
        "notDataActions": []
    }
]


and pasting them into a newly created custom role in the resource group (we have to click Edit in the JSON tab, and then Save after entering the permissions).

Then, to see it under our VM, I had to go to the Roles tab, choose the custom role filter, and then refresh.

Later, under Role Assignments, I selected the Virtual Machine Contributor assignment and removed that role, since it was too permissive.
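The same role, as an added example (not from the post or from Azure's own tooling), written in the flat JSON shape that `az role definition create --role-definition @role.json` accepts, with `AssignableScopes` set to the resource group so it shows up for every VM in the group. The subscription id, resource group and VM names are constructed placeholders; `is_assignable` reproduces the scope rule (a role can be assigned at an assignable scope or anywhere beneath it) that made the VM-scoped version of the role invisible to a sibling VM.

```python
import json

# Constructed placeholder scopes (not from the post): a subscription, a resource group
# in it, and two VMs in that resource group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-demo"
VM1 = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm2"

# The post's actions/dataActions in the flat JSON shape `az role definition create`
# accepts (the portal's JSON tab nests the same lists under "permissions").
ROLE_DEFINITION = {
    "Name": "VM-start-stop",
    "IsCustom": True,
    "Description": "Start, stop, restart and deallocate VMs; no create or delete.",
    "Actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.HybridCompute/machines/login/action",
    ],
    "NotDataActions": [],
    # Created at resource-group scope, so it is assignable on every VM in the group.
    "AssignableScopes": [RG],
}


def is_assignable(role, target_scope):
    """True if target_scope equals, or sits below, one of the role's AssignableScopes."""
    target = target_scope.lower()
    return any(target == s.lower() or target.startswith(s.lower() + "/")
               for s in role["AssignableScopes"])


def state_changing_actions(role):
    """Non-read control-plane actions: the list to review before delegating the role."""
    return [a for a in role["Actions"] if not a.endswith("/read")]


def role_json(role):
    """Serialise for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)
```

Write `role_json(ROLE_DEFINITION)` to a file and feed it to `az role definition create`; changing `AssignableScopes` to `[VM1]` reproduces the original problem, where the role cannot be assigned on `vm2`.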
