Azure Virtual Machine Contributor Role not sufficient for VM deployment

Kamal Ahmad 1 Reputation point
2021-06-14T18:31:52.313+00:00

Recently, while I was working on a VM deployment, I gave the VM Contributor role on the resource group where the VM was going to be deployed, but I got an error about insufficient permission to assign the NIC. When I did some research, I found that the VM Contributor role alone is not sufficient for VM deployment and that network IP allocation needs to be assigned as well.
The Network Contributor role might be too big along with VM Contributor, so it is advisable to create a custom role with VM Contributor along with some permissions from the Network Contributor role, and it worked.

Please comment and give your feedback.


1 answer

  1. kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator
    2021-06-14T22:21:55.597+00:00

    @Kamal Ahmad, a custom role is what you want if the network contributor role grants too many permissions for your scenario. I'll walk you through all the documentation but let me know if you still need help!

    For managing NICs the recommendation is to have the network contributor role or a custom role:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#before-you-begin

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address#before-you-begin

    The account you log into, or connect to Azure with, must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Permissions.

    If that ends up granting too many permissions for your scenario, then you would want a custom role:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    Custom role example:

    {  
      "Name": "Virtual Machine Operator",  
      "Id": "88888888-8888-8888-8888-888888888888",  
      "IsCustom": true,  
      "Description": "Can monitor and restart virtual machines.",  
      "Actions": [  
        "Microsoft.Storage/*/read",  
        "Microsoft.Network/*/read",  
        "Microsoft.Compute/*/read",  
        "Microsoft.Compute/virtualMachines/start/action",  
        "Microsoft.Compute/virtualMachines/restart/action",  
        "Microsoft.Authorization/*/read",  
        "Microsoft.ResourceHealth/availabilityStatuses/read",  
        "Microsoft.Resources/subscriptions/resourceGroups/read",  
        "Microsoft.Insights/alertRules/*",  
        "Microsoft.Insights/diagnosticSettings/*",  
        "Microsoft.Support/*"  
      ],  
      "NotActions": [],  
      "DataActions": [],  
      "NotDataActions": [],  
      "AssignableScopes": [  
        "/subscriptions/{subscriptionId1}",  
        "/subscriptions/{subscriptionId2}",  
        "/providers/Microsoft.Management/managementGroups/{groupId1}"  
      ]  
    }  
    

    Notice that "Actions" correlates to the "Actions" list provided in each built-in role description.

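A candidate role definition can be checked offline against the operations a deployment needs before it is assigned. The sketch below is an added example, not part of the original answer or of any Azure tooling: it evaluates the "Virtual Machine Operator" definition quoted above, and the helper names and the `REQUESTED` list are assumptions constructed for illustration.

```python
import re

# Role definition quoted in the answer, reduced to the fields that decide access.
VM_OPERATOR = {
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
}

# Constructed sample; take the real list from the failed deployment's authorization error.
REQUESTED = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
]


def _matches(pattern, operation):
    # '*' in a role action matches any run of characters; comparison is case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role, operation):
    """Effective control-plane permission: matched by Actions and not by NotActions."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def missing_operations(role, requested):
    """Operations the role does not grant: candidates for a custom role's Actions."""
    return [op for op in requested if not is_allowed(role, op)]


print(missing_operations(VM_OPERATOR, REQUESTED))
```

Adding only the operations this reports, rather than a whole built-in role, keeps the custom role close to least privilege.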
