What Azure Role or Permission is required to Modify IP configurations on Network Adapters

Pace James MTII-GF 1 Reputation point
2021-09-16T11:53:38.853+00:00

When using the Network Contributor role in Azure, I am unable to modify/edit an existing IP configuration on a Network Interface. When using Contributor, it works fine. Network Contributor is assigned on the resource group and is being inherited on the Network Interface.

132732-image.png

What I am trying to achieve: With least privileges possible, I want to allow a user to switch the Private IP address setting between Dynamic and Static.

I am trying to avoid having to give Contributor access to the entire resource group. I am happy to create a Custom Role, but am unable to determine which Permissions to add to allow this capability. Does anyone know?

Error when attempting to Edit an existing configuration:

132763-image.png

Incidentally, when attempting to Add a configuration, I am also unable to with Network Contributor, and receive this error message:

Error when attempting to Add:
132756-image.png


1 answer

  1. TravisCragg-MSFT 5,696 Reputation points Microsoft Employee Moderator
    2021-09-17T02:27:50.387+00:00

    This was a fun one!

    Although the documentation states that just contributor permissions are needed on the NIC to make changes, to change the private IP address between dynamic and static, you will also need contributor permissions on the VNET as well. I tested this with read permissions on the VNET but got a permissions error (like this should have given).

    Giving contributor permissions to a VNET to those who should not have it is not a great situation. Why do you want users to have permissions to change the private IP allocation type?
