Microsoft.Network/privateDnsZones/join/action action meaning

AdamBudzinskiAZA-0329 96 Reputation points
2023-01-31T12:18:32.5866667+00:00

Hi,

I’m unable to find what the following permission / action is actually responsible for:

Microsoft.Network/privateDnsZones/join/action

Could someone please explain?

Thanks!

Azure DNS

Accepted answer
  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-02-01T09:02:32.5566667+00:00

    Hello @AdamBudzinskiAZA-0329 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know what the following permission/action "Microsoft.Network/privateDnsZones/join/action" is responsible for.

    "Microsoft.Network/privateDnsZones/join/action" is a resource provider operation which joins a Private DNS Zone to a private endpoint.

    Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork

    It is used to reference a private DNS zone from a private endpoint resource. This action is used by private endpoints to do linked access checks.

    This is basically the action used in the "Private DNS integration" section when creating a private endpoint, where you integrate the private endpoint with a new private DNS zone or add an existing private DNS zone to a new private endpoint connection via a private DNS zone group using the Azure Portal/PowerShell/CLI/REST.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal#create-storage-account-with-a-private-endpoint

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#private-dns-zone-group

    This action is included in the "Private DNS Zone Contributor" built-in role with the following action "Microsoft.Network/privateDnsZones/*". The * in this action includes all the resource provider operations you find with "Microsoft.Network/privateDnsZones/" in this doc.

    Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#private-dns-zone-contributor

    If you want to restrict some of the actions of the "Private DNS Zone Contributor" built-in role and assign a custom role to a user, then you can select the actions from the resource provider operation list and allow only the ones you would like to grant them access to.

    So, if you want to make sure that a user is able to deploy a private endpoint with a new/existing private DNS zone integration, then you should allow this "Microsoft.Network/privateDnsZones/join/action" action in their role assignment over a scope where you want to grant them access.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
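
The wildcard and custom-role points in the answer above, as an added example that is not part of the original answer and not Microsoft's code: a check of which role definitions effectively grant "Microsoft.Network/privateDnsZones/join/action", counting wildcards and notActions. It assumes role definitions shaped like the JSON output of `az role definition list`; apart from "Private DNS Zone Contributor" (abridged to the one action quoted in the answer), the role names and the helper function names are constructed for illustration.

```python
import re

JOIN = "Microsoft.Network/privateDnsZones/join/action"

# Constructed sample in the shape of `az role definition list` JSON output.
# Only the first role name is real, and its action list is abridged to the
# wildcard quoted in the answer; the other three roles are hypothetical.
SAMPLE_ROLES = [
    {"roleName": "Private DNS Zone Contributor",
     "permissions": [{"actions": ["Microsoft.Network/privateDnsZones/*"],
                      "notActions": []}]},
    {"roleName": "Example Zone Reader",
     "permissions": [{"actions": ["Microsoft.Network/privateDnsZones/read"],
                      "notActions": []}]},
    {"roleName": "Example Zone Admin Without Join",
     "permissions": [{"actions": ["Microsoft.Network/privateDnsZones/*"],
                      "notActions": [JOIN]}]},
    {"roleName": "Example Endpoint Deployer",
     "permissions": [{"actions": ["microsoft.network/privatednszones/join/action"],
                      "notActions": []}]},
]


def matches(pattern, action):
    """Compare one role pattern with an action: '*' matches any run of
    characters and the comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def grants(role, action=JOIN):
    """True if a permissions block allows the action and notActions does not remove it."""
    for perm in role.get("permissions", []):
        allowed = any(matches(p, action) for p in perm.get("actions", []))
        removed = any(matches(p, action) for p in perm.get("notActions", []))
        if allowed and not removed:
            return True
    return False


def roles_granting(roles, action=JOIN):
    """Names of the roles whose definition lets a principal join a private DNS zone."""
    return [r["roleName"] for r in roles if grants(r, action)]


if __name__ == "__main__":
    print(roles_granting(SAMPLE_ROLES))
```

This inspects role definitions only; whether a principal can actually use the action also depends on the scope at which the role is assigned.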
