Share gallery resources across subscriptions and tenants with RBAC

As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access, they can use the gallery resources to deploy a VM or a Virtual Machine Scale Set. Here's the sharing matrix that helps understand what the user gets access to:

Shared with User Azure Compute Gallery Image Definition Image version
Azure Compute Gallery Yes Yes Yes
Image Definition No Yes Yes

We recommend sharing at the Gallery level for the best experience. We don't recommend sharing individual image versions. For more information about Azure RBAC, see Assign Azure roles.

There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

Sharing with: People Groups Service Principal All users in a specific subscription (or) tenant Publicly with all users in Azure
RBAC Sharing Yes Yes Yes No No
RBAC + Direct shared gallery Yes Yes Yes Yes No
RBAC + Community gallery Yes Yes Yes No Yes

You can also create an App registration to share images between tenants.


Please note that Images can be used with read permissions on them to deploy virtual machines and disks.

When utilizing the direct shared gallery, images are distributed widely to all users in a subscription/tenant, while the community gallery distributes images publicly. It is recommended to exercise caution when sharing images that contain intellectual property to prevent widespread distribution.

Share using RBAC

When you share a gallery using RBAC, you need to provide the imageID to anyone creating a VM or scale set from the image. There is no way for the person deploying the VM or scale set to list the images that were shared to them using RBAC.

If you share gallery resources to someone outside of your Azure tenant, they will need your tenantID to log in and have Azure verify they have access to the resource before they can use it within their own tenant. You will need to provide them with your tenantID, there is no way for someone outside your organization to query for your tenantID.


RBAC sharing can be used to share resources with users within the organization (or) users outside the organization (cross-tenant). Here are the instructions to consume an image shared with RBAC and create VM/VMSS:

RBAC - Shared within your organization

RBAC - Shared from another tenant

  1. On the page for your gallery, in the menu on the left, select Access control (IAM).
  2. Under Add, select Add role assignment. The Add role assignment page will open.
  3. Under Role, select Reader.
  4. Ensure that the user is selected in the Members tab.For Assign access to, keep the default of User, group, or service principal.
  5. Click Select members and choose a user account from the page that opens on the right.
  6. If the user is outside of your organization, you'll see the message This user will be sent an email that enables them to collaborate with Microsoft. Select the user with the email address and then click Save.

Next steps