What Azure permissions are required to create SQL Managed Instance?

  • Article

Azure SQL Managed Instance is a fully managed SQL Server Instance hosted in Azure cloud that is placed in your Azure VNet. Users who are creating instances need to have some permissions. In this post you will see the minimal permissions required to create managed instance.

If you are owner of your Azure subscription, you can create Azure SQL Managed Instances and configure all required networks settings. However, if you want to delegate this actions to someone, and you don't want to give him full rights, you would need to assign some special permissions to this role.

The minimal set of permissions that some role must have in order to create new managed instances is:

  • Microsoft.Resources/deployments/*
  • Microsoft.Sql/managedInstances/write
  • Microsoft.Sql/servers/write -> this is temporary requirement and it will be removed very soon

This role can create new instances in the existing configured subnet (i.e. the subnet where is deployed at least one instance in the past). However, this role cannot create instances in the new subnet because it don't have necessary permissions to configure the network. If you want to give permissions to configure managed instance in the empty subnet, you would need to add the following permissions to the role:

  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/routeTables/write
  • Microsoft.Network/virtualNetworks/subnets/write
  • */join/action

These permissions enable role to create requires networks security group, route table and subnet with these objects.

You can add these permissions to the existing roles, or create new role using something like the following PowerShell script:

 Connect-AzureRmAccount
Select-AzureRmSubscription '......'
$role = Get-AzureRmRoleDefinition -Name Reader
$role.Name = "SQL Managed Instance Creator"
$role.Description = "Lets you create Azure SQL Managed Instance in the prepared network/subnet with virtual cluster."
$role.IsCustom = $true
$role.Actions.Add("Microsoft.Resources/deployments/*");
$role.Actions.Add("Microsoft.Sql/managedInstances/write");
# $role.Actions.Add("Microsoft.Sql/servers/write");# not needed anymore 
$role.Actions.Add("Microsoft.Network/networkSecurityGroups/write"); 
$role.Actions.Add("Microsoft.Network/routeTables/write"); 
$role.Actions.Add("Microsoft.Network/virtualNetworks/subnets/write"); 
$role.Actions.Add("*/join/action");
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxxx-xxxx-xxxx-xxx-xxxxxxxxx")
New-AzureRmRoleDefinition $role

Since these permissions can change, always check the latest documentation to find the latest rules.

NOTE: If you are setting the permissions using Azure portal, you might have problems to set "*/join/action" instead of "/join/action".