Which roles do I need for Virtual Machine management (Lighthouse)?

lzap 56 Reputation points
2022-08-19T07:47:01.457+00:00

Hello,

I created a Lighthouse offer with Reader, Virtual Machine Contributor as well as other related Contributor roles and Delete Offer roles (see below). After onboarding, when I attempt to create new Virtual Machine via the Provider tennant, I get a permission error like so:

232708-image.png

What exactly am I missing? The Service Provider user account is in the group that was associated in the offer, it is also the administrator. So it must be a Role I am missing? My goal is to build an offer that will allow full VM management. Thanks.

These are the roles, I think I might need also to add some Storage and Networking roles:

[    
        {    
        "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
        "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",    
        "principalIdDisplayName": "Read Any Resource"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46",    
          "principalIdDisplayName": "Unregister MSP"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",    
          "principalIdDisplayName": "Manage Virtual Machines"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "4d97b98b-1d4f-4787-a291-c67834d212e7",    
          "principalIdDisplayName": "Manage Networks"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "ec156ff8-a8d1-4d15-830c-5b80698ca432",    
          "principalIdDisplayName": "Manage CDN profiles"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "befefa01-2a29-4197-83a8-272ff33ce314",    
          "principalIdDisplayName": "Manage DNS Zones"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "5e467623-bb1f-42f4-a55d-6e525e11384b",    
          "principalIdDisplayName": "Manage Storage Backups"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "add466c9-e687-43fc-8d98-dfcf8d720be5",    
          "principalIdDisplayName": "Manage Data Box Service"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "17d1049b-9a84-46fb-8f53-869881c3d3ab",    
          "principalIdDisplayName": "Manage Storage Account"    
        },    
        {    
          "principalId": "67e78b19-6609-4ca8-aaf2-f0a26626ea05",    
          "roleDefinitionId": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",    
          "principalIdDisplayName": "Manage Storage Backup Account"    
        }    
      ]    
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,565 questions
Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
72 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
719 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,562 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jackson Martins 10,136 Reputation points MVP
    2022-08-19T13:29:09.51+00:00

    Hi @lzap
    Did you register the resource provider for the subscription? like example:

    232877-image.png

    Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal

    You can also create a specific role for all users, to register a resource provider

    Get in touch if you need more help with this issue.

    --please don't forget to "[Accept the answer]" if the reply is helpful--


0 additional answers

Sort by: Most helpful