Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to restrict users from creating unauthorized VNET Peerings.
You can do this in a couple of ways:
Use RBAC least privilege custom roles:
- See : Only grant the access users need
- The required permissions for updating a Peering are : See here
- or a Network Contributor role.
- Make sure the unauthorized users are not presented with the above role or a custom role with the above listed permissions.
Use VNET Read-only Lock:
- To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions.
- Users assigned to the Owner and the User Access Administrator roles have the required access to create or delete the Lock of the VNET.
- ReadOnly means authorized users can read a resource, but they can't delete or update it. Applying this lock is similar to restricting all authorized users to the permissions that the Reader role provides.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
Please Accept an answer if correct.
Original posters help the community find answers faster by identifying the correct answer.
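Putting both approaches from the answer above into Azure CLI form, as an added example that is not part of the original answer: a custom role that mirrors the built-in Network Contributor but lists the peering actions under NotActions, a ReadOnly lock on a VNet, and a small audit query. The subscription id, resource group, VNet name and role name are placeholders; the Actions list is a reproduction of the built-in Network Contributor role and should be compared against "az role definition list --name 'Network Contributor'" in your tenant before use.

```bash
#!/usr/bin/env bash
# Added example, not code from the original Microsoft Q&A answer.
# Assumptions: SUBSCRIPTION_ID, RESOURCE_GROUP and VNET_NAME are placeholders;
# the Actions list mirrors the built-in Network Contributor role.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
ROLE_NAME="${ROLE_NAME:-Network Contributor (No Peering)}"                    # placeholder

# The three actions that together allow creating, updating or deleting a peering.
# NotActions only subtract from THIS role; a second assignment that grants
# Microsoft.Network/* elsewhere would still allow peering (use deny assignments
# or a lock if that must be ruled out).
PEERING_ACTIONS="Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
Microsoft.Network/virtualNetworks/peer/action"

# Emit a custom role definition JSON on stdout (feed to: az role definition create).
build_role_definition() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Network Contributor without the permissions needed to create, update or delete VNet peerings",
  "Actions": [
    "*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "AssignableScopes": [
    "/subscriptions/$SUBSCRIPTION_ID"
  ]
}
EOF
}

# Self-check: every peering action must appear in the generated NotActions block.
# Returns 0 when all are present, 1 otherwise.
peering_actions_denied() {
  definition="$(build_role_definition)"
  not_actions="$(printf '%s\n' "$definition" | sed -n '/"NotActions"/,/\]/p')"
  printf '%s\n' "$PEERING_ACTIONS" | while IFS= read -r action; do
    printf '%s\n' "$not_actions" | grep -q "\"$action\"" || exit 1
  done
}

# Create the custom role in Azure (requires an authenticated az session).
create_role() {
  tmp="$(mktemp)"
  build_role_definition > "$tmp"
  az role definition create --role-definition @"$tmp"
  rm -f "$tmp"
}

# Second approach from the answer: a ReadOnly lock. Note that this blocks ALL
# updates to the VNet (subnets, DNS settings, ...), not only peering changes.
apply_readonly_lock() {
  rg="$1"; vnet="$2"
  az lock create --name "vnet-readonly" --lock-type ReadOnly \
    --resource-group "$rg" --resource "$vnet" \
    --resource-type Microsoft.Network/virtualNetworks \
    --notes "ReadOnly: prevents peering and any other update to this VNet"
}

# Audit: who holds assignments at the VNet scope (including inherited ones)?
# Review the output for Owner, Contributor, Network Contributor or custom roles
# whose Actions cover the peering actions listed above.
list_assignments() {
  rg="$1"; vnet="$2"
  az role assignment list --include-inherited \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$rg/providers/Microsoft.Network/virtualNetworks/$vnet" \
    -o table
}

# Usage (only runs when invoked explicitly, so sourcing the file is side-effect free):
#   ./restrict_peering.sh apply <resource-group> <vnet-name>
if [ "${1:-}" = "apply" ]; then
  peering_actions_denied || { echo "role definition does not deny peering" >&2; exit 1; }
  create_role
  apply_readonly_lock "$2" "$3"
  list_assignments "$2" "$3"
fi
```

The role definition is the least-privilege half of the answer: it keeps the ordinary network operations and only carves out peering. The lock is the blunt half: it stops every update to the VNet, so it suits VNets that rarely change. Because a NotActions entry is not a deny, check assignments at the VNet scope for other roles that still grant Microsoft.Network/* before relying on the custom role alone.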