Microsoft.Network/privateDnsZones/join/action action meaning

Question

Microsoft.Network/privateDnsZones/join/action action meaning

AdamBudzinskiAZA-0329 96

Hi,

I’m unable to find what actual the following permission / action is responsible for:

Microsoft.Network/privateDnsZones/join/action

Could someone please explain ?

Thanks !

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-02-02T12:30:01.53+00:00

@AdamBudzinskiAZA-0329 , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
Santosh Satyawan Parab 0 Reputation points

2023-09-15T04:38:42.89+00:00

Hi @AdamBudzinskiAZA-0329 - create custom role -> while adding assignment -> just paste above role "Microsoft.Network/privateDnsZones/join/action" -> select microsoft network -> add role -> add->save

Accepted answer

0 additional answers

Your answer

GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-02-02T12:30:01.53+00:00

@AdamBudzinskiAZA-0329 , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
Santosh Satyawan Parab 0 Reputation points

2023-09-15T04:38:42.89+00:00

Hi @AdamBudzinskiAZA-0329 - create custom role -> while adding assignment -> just paste above role "Microsoft.Network/privateDnsZones/join/action" -> select microsoft network -> add role -> add->save

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @AdamBudzinskiAZA-0329 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know what the following permission/action "Microsoft.Network/privateDnsZones/join/action" is responsible for.

"Microsoft.Network/privateDnsZones/join/action" is a resource provider operation which joins a Private DNS Zone to a private endpoint.

User's image

Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork

It is used to reference a private DNS zone from a private endpoint resource. This action is used by private endpoints to do linked access checks.

This is basically the action used in "Private DNS integration" section when creating a private endpoint where you Integrate the private endpoint with a new private DNS zone or adding an existing private DNS zone to a new private endpoint connection via private DNS zone group using Azure Portal/PowerShell/CLi/Rest.

Refer: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal#create-storage-account-with-a-private-endpoint

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#private-dns-zone-group

This action is included in the "Private DNS Zone Contributor" build-in role with the following action "Microsoft.Network/privateDnsZones/*". The * in this action includes all the resource provider operations you find with "Microsoft.Network/privateDnsZones/" in this doc.

Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#private-dns-zone-contributor

If you want to restrict some of the actions of "Private DNS Zone Contributor" build-in role and assign a custom role to a user, then you can select the actions from the resource provider operation list and allow only the ones you would like to grant them access to.

So, if you want to make sure that a user is able to deploy a private endpoint with a new/existing private DNS zone integration, then you should allow this "Microsoft.Network/privateDnsZones/join/action" action in their role assignment over a scope where you want to grant them access.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

AdamBudzinskiAZA-0329 96 Reputation points

2023-02-01T10:41:56.6666667+00:00

@GitaraniSharma-MSFT Hello, and thank your the quick response.

One question, as your wrote "adding an existing private DNS zone to a new private endpoint connection via private DNS zone group using Azure PowerShell/CLi/Rest."

You mentioned PowerShell,CLI, Rest. But isn't the private DNS zone group also created when I go inside an existing resource (for example, Storage Account) and create a private endpoint and select an existing private link zone (in my hub subscription?):

Can you please confirm?

Thanks !
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-02-01T11:12:31.8433333+00:00

@AdamBudzinskiAZA-0329 , apologies for the miss. Yes, you can add an existing private DNS zone to a new private endpoint connection via private DNS zone group using Azure portal as well. I'll update the answer to reflect it.
AdamBudzinskiAZA-0329 96 Reputation points

2023-02-01T12:22:42.7133333+00:00

@GitaraniSharma-MSFT Thank you, this is a very well written answer ! Last question, is there any reason why I can’t create the private DNS zone group at resource creation time? For example, when I create a new Storage Account, and select use private endpoint, configure the endpoint, and Integrate with Private DNZ zone it gives me only the option to automatically create a NEW private DNS zone in the resource group inside my spoke, rather than having the ability to select an existing private DNS Zone in the hub subscription ? I know that through CLI I can specify an existing private DNS zone for example when creating an AKS cluster.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-02-01T13:43:35.67+00:00

@AdamBudzinskiAZA-0329 , the drop-down should give you the list of existing private DNS zones in the same subscription.

However, if you are trying to add a private DNS zone from another subscription, then it may not be possible. I believe this is a portal limitation.

In such a case, you can select "No" in the private DNS integration section while creating the resource and then once the resource is created, you can browse to its private endpoint and then in the DNS configuration pane, you can click "Add configuration" and select an existing DNS zone from another subscription as below:
AdamBudzinskiAZA-0329 96 Reputation points

2023-02-01T13:54:29.54+00:00

Or I could create the private endpoint after the resource is craeted, since this allows my to select private DNS zones from all subscriptions:
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-02-01T14:04:33.0033333+00:00

@AdamBudzinskiAZA-0329 , yes, you can do that as well.

Do let us know if the above helps or you need further assistance on this issue.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
AdamBudzinskiAZA-0329 96 Reputation points

2023-02-02T15:07:19.27+00:00

@GitaraniSharma-MSFT Yes, all question have been answered. Thanks for your great support !
Flavien B 0 Reputation points

2025-05-12T19:50:14.04+00:00

The Contributor role for that should be sufficient as per the documentation but this doesn't seem true. It requires this Private DNS Zone Contributor role.

Share via

Microsoft.Network/privateDnsZones/join/action action meaning

0 additional answers

Your answer