question

ChakravarthiLolla-3593 avatar image
0 Votes"
ChakravarthiLolla-3593 asked ChakravarthiLolla-3593 commented

Permissions required to perform Azure VM resize operations

I have contributor role on an Azure VM. I am able to resize the VM from the portal without any issues. However, when i try to resize it from Azure PowerShell/Azure CLI, it says the below.

it does not have permission to perform action
'Microsoft.Network/networkInterfaces/join/action' on the linked scope(s) /subscriptions/xxxx/resourceGroups/RSG/providers/Microsoft.Network/networkInterfaces/xyz

Is the network contributor role mandatory to perform this action? I cant have network contributor role on the entire resource group so having network contributor role on the network interface suffice?

Also, how is it different from resizing it from the portal where it works absolutely fine with the contributor role itself. Is there a way/tweak to resize the VM through code with the contributor role itself?

azure-virtual-machines
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

PradeepKommaraju-MSFT avatar image
1 Vote"
PradeepKommaraju-MSFT answered ChakravarthiLolla-3593 commented

Hi @ChakravarthiLolla-3593

Thank you for contacting Microsoft Q&A forums .

Let me break my response in three parts :

1) In an IaaS world ,We have three major components of an VM : VM, NIC, Storage .
If you try to delete the VM from portal or any means you will still have the VNIC and OS disk in the RG/Subscription.
Hence for all the CRUD operations on the VM a user should be having access to Compute{VM}, Networking{VNIC} , Storage{OS Disk} .

 Speaking of your use case if you give the user permissions at the VNIC as Network contributor , 
 The command will still fail saying that user doesn’t have permissions on the OS Disk.
 So you will need to add the contributor level access on the OS Disk as well .

2) Coming to your second question of how this operation works in portal and doesn’t work in Azure CLI/PowerShell ?
The API’s behind the portal and CLI are different , Hence we see multiple features in either of them based on availability .
We are trying hard to ensure that all the mediums reach to a point where they act similarly .

3) Honestly speaking we are not aware of any tweaks that could by pass the RBAC Policies .
I am trying out few more possibilities and will get back to you soon.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,


We were able to achieve it by making a rest API call from PowerShell with the existing level of permissions.


Thanks

0 Votes 0 ·