Hello @Manchukonda Kranthi Kumar ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know whether a user assigned the Network Contributor role on a load balancer will be able to add backend VMs to the load balancer with no other additional assigned permissions.
No, assigning a user with the "Network Contributor" role on a load balancer in Azure does not grant them the ability to add backend virtual machines (VMs) to the load balancer.
The "Network Contributor" role provides permissions to manage network resources such as virtual networks, subnets, network interfaces, and IP addresses. While it does grant certain permissions related to load balancers, such as managing load balancing rules and probes, it does not provide the necessary permissions to add or modify backend VMs associated with the load balancer.
To add backend VMs to a load balancer, the user would require additional permissions, specifically the "Virtual Machine Contributor" role or higher. The "Virtual Machine Contributor" role grants the necessary permissions to manage virtual machines, including the ability to add, modify, and delete VMs.
Therefore, to allow a user to add backend VMs to a load balancer, you would need to assign them the "Virtual Machine Contributor" role or a role that includes it, such as the "Contributor" or "Owner" roles.
The "Contributor" role provides full access to all resources, including the ability to create, read, update, and delete resources, but does not grant permissions to manage access control.
In addition to the "Contributor" role, you can create a custom role with specific permissions to add a backend pool to a load balancer. The custom role should have the following permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/read
- Microsoft.Network/loadBalancers/backendAddressPools/write
- Microsoft.Network/loadBalancers/backendAddressPools/delete
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
These permissions allow the user or role to read, create, delete, and modify backend address pools within the Azure Load Balancer.
Please note that granting permissions at a granular level is recommended to follow the principle of least privilege. You should carefully consider the specific permissions required and avoid assigning excessive permissions that are not necessary for the task at hand.
https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
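
Added example (not part of the original answer, and not Microsoft's code): a Python check that a custom role definition grants exactly the four backend address pool actions listed above, evaluating Actions minus NotActions with "*" wildcards. Both role definitions, their names, and the scope placeholders are constructed for illustration.

```python
import json
import re

# The four actions the answer lists for managing backend address pools.
REQUIRED_ACTIONS = [
    "Microsoft.Network/loadBalancers/backendAddressPools/read",
    "Microsoft.Network/loadBalancers/backendAddressPools/write",
    "Microsoft.Network/loadBalancers/backendAddressPools/delete",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
]
SCOPE = ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"]  # placeholder

# Constructed role definitions (names and descriptions are assumptions).
CUSTOM_ROLE = {"Name": "LB Backend Pool Operator (example)", "IsCustom": True,
               "Description": "Manage load balancer backend address pools only.",
               "Actions": list(REQUIRED_ACTIONS), "NotActions": [],
               "AssignableScopes": SCOPE}
BROAD_ROLE = {"Name": "LB Operator, too broad (example)", "IsCustom": True,
              "Description": "Wildcard grant with one exclusion.",
              "Actions": ["Microsoft.Network/loadBalancers/*",
                          "Microsoft.Compute/virtualMachines/read"],
              "NotActions": [REQUIRED_ACTIONS[3]], "AssignableScopes": SCOPE}

def _matches(pattern, action):
    # Action strings are compared case-insensitively; "*" is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_allowed(role, action):
    # Effective permission: matched by Actions and not matched by NotActions.
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def review(role, required=REQUIRED_ACTIONS):
    # Report required actions the role lacks and grants beyond the required set.
    needed = {a.lower() for a in required}
    actions = role.get("Actions", [])
    return {
        "missing": [a for a in required if not is_allowed(role, a)],
        "wildcards": [p for p in actions if "*" in p],
        "extra": [p for p in actions if "*" not in p and p.lower() not in needed],
    }

if __name__ == "__main__":
    for role in (CUSTOM_ROLE, BROAD_ROLE):
        print(role["Name"], json.dumps(review(role), indent=2))
```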