Share gallery resources across subscriptions and tenants with RBAC
The Azure Compute Gallery, the image definition, and the image version are all Azure resources, so they can be shared with the built-in Azure role-based access control (RBAC) roles. With RBAC you can share these resources with other users, service principals, and groups, including individuals outside the tenant the resources were created in. Once a user has access, they can use the gallery resources to deploy a VM or a Virtual Machine Scale Set. The sharing matrix below shows what the user gets access to, depending on which resource is shared with them:
Resource shared with the user   Access to gallery   Access to image definition   Access to image version
Azure Compute Gallery           Yes                 Yes                          Yes
Image definition                No                  Yes                          Yes
We recommend sharing at the Gallery level for the best experience. We don't recommend sharing individual image versions. For more information about Azure RBAC, see Assign Azure roles.
There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
RBAC: share with specific users, groups, or service principals, inside or outside your tenant (the method described on this page).
Direct shared gallery: share with all users in a subscription or tenant.
Community gallery: share publicly.
You can also create an app registration to share images between tenants.
Note
Read permission on an image is sufficient to deploy virtual machines and disks from it; the Reader role used below grants exactly that.
With a direct shared gallery, images are distributed to all users in a subscription or tenant; with a community gallery they are distributed publicly. Exercise caution when sharing images that contain intellectual property, because either option makes them widely available.
Share using RBAC
When you share a gallery using RBAC, you need to provide the image ID (the full resource ID of the image definition or image version) to anyone creating a VM or scale set from the image. There is no way for the person deploying the VM or scale set to list the images that were shared with them using RBAC.
If you share gallery resources with someone outside of your Azure tenant, they will need your tenant ID to sign in and have Azure verify that they have access to the resource before they can use it within their own tenant. You will need to provide them with your tenant ID; there is no way for someone outside your organization to query for it.
Important
RBAC sharing can be used to share resources with users within the organization or with users outside the organization (cross-tenant). The steps below grant a user Reader access to a gallery using the portal, the Azure CLI, or Azure PowerShell; the grantee then creates a VM or scale set by referencing the image ID, as described above.
Portal
On the page for your gallery, in the menu on the left, select Access control (IAM).
Under Add, select Add role assignment. The Add role assignment page will open.
Under Role, select Reader.
Ensure that the user is selected in the Members tab. For Assign access to, keep the default of User, group, or service principal.
Click Select members and choose a user account from the page that opens on the right.
If the user is outside of your organization, you'll see the message "This user will be sent an email that enables them to collaborate with Microsoft." Select the user with the email address, then click Save.
To get the resource ID of your gallery, use az sig show. The --output tsv flag returns the ID without surrounding quotes so it can be used directly as a scope.
Azure CLI
az sig show \
  --resource-group myGalleryRG \
  --gallery-name myGallery \
  --query id \
  --output tsv
Use the gallery resource ID as the scope, along with the user's email address, and az role assignment create to give the user Reader access to the Azure Compute Gallery. Replace <email address> and <gallery ID> with your own information.
Azure CLI
az role assignment create \
  --role "Reader" \
  --assignee <email address> \
  --scope <gallery ID>
Use an email address and the Get-AzADUser cmdlet to get the object ID for the user, then use New-AzRoleAssignment to give them Reader access to the gallery. Replace the example email, alinne_montes@contoso.com, and the gallery name and resource group with your own information.
Azure PowerShell
# Look up the gallery so its name and resource group can be used in the assignment
$gallery = Get-AzGallery -ResourceGroupName myGalleryRG -Name myGallery

# Get the object ID for the user by user principal name. For a guest (external)
# account the UPN differs from the invitation email, so look the user up by
# -ObjectId (or -Mail, where the module supports it) instead.
$user = Get-AzADUser -UserPrincipalName alinne_montes@contoso.com

# Grant the user Reader access to the gallery
New-AzRoleAssignment `
  -ObjectId $user.Id `
  -RoleDefinitionName Reader `
  -ResourceName $gallery.Name `
  -ResourceType Microsoft.Compute/galleries `
  -ResourceGroupName $gallery.ResourceGroupName
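The shell script below is an added example, not code from this page or from Microsoft. It wraps the sharing procedure above and the consumer-side steps from "Share using RBAC" with the checks a practitioner would want before running them: it builds the gallery scope and the image version ID the consumer must be handed, refuses to create a version-level role assignment (the page recommends sharing at gallery level), validates that the tenant ID given to the consumer is a GUID before passing it to az login, and lists who can already read the gallery, inherited assignments included. The subscription and tenant GUIDs, resource names and the helper names are placeholders; signing the consumer in to both the publisher's tenant and their own is an assumption of this example, since the page only states that the consumer needs the publisher's tenant ID to sign in. Commands are printed rather than executed until DRY_RUN is cleared.

```shell
#!/bin/sh
# Added example (not Microsoft's code). All GUIDs and resource names below are
# placeholders. DRY_RUN is set by default, so the az commands are only printed;
# run with DRY_RUN= (empty) to execute them against a real subscription.
DRY_RUN=${DRY_RUN-1}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Resource ID of a gallery: what `az sig show --query id` returns and the scope
# for a gallery-level role assignment.
gallery_scope() { # subscription resource_group gallery
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Compute/galleries/$3"
}

# Resource ID of one image version: the ID a consumer has to be handed, since
# an RBAC grantee cannot list what was shared with them.
image_version_id() { # subscription resource_group gallery definition version
  echo "$(gallery_scope "$1" "$2" "$3")/images/$4/versions/$5"
}

# Classify a scope as gallery, definition, version or invalid. Most specific
# pattern first, because `*` in a case pattern also matches `/`.
scope_level() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/galleries/*/images/*/versions/*) echo version ;;
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/galleries/*/images/*) echo definition ;;
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/galleries/*) echo gallery ;;
    *) echo invalid ;;
  esac
}

# Tenant IDs are GUIDs; check the value the publisher handed over before it
# goes anywhere near `az login`.
tenant_id_ok() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Grant Reader at gallery or definition scope. Version-level sharing is refused:
# the page recommends against it, and Reader on a version is still enough to
# deploy from it.
share_gallery() { # scope assignee (email, UPN or object ID)
  case "$(scope_level "$1")" in
    gallery|definition) ;;
    version) echo "refusing to share a single image version: $1" >&2; return 2 ;;
    *) echo "not an Azure Compute Gallery scope: $1" >&2; return 2 ;;
  esac
  run az role assignment create --role Reader --assignee "$2" --scope "$1"
}

# Everyone who can read the gallery, including assignments inherited from the
# resource group, subscription or management group.
list_gallery_access() { # scope
  run az role assignment list --scope "$1" --include-inherited --output table
}

# Consumer side: sign in to the publisher's tenant (the ID they gave you) and
# to your own tenant so the CLI holds tokens for both (assumption of this
# example), then create the VM in your subscription from the full image ID.
consume_image() { # publisher_tenant consumer_tenant consumer_subscription rg vm_name image_id
  tenant_id_ok "$1" || { echo "publisher tenant ID is not a GUID: $1" >&2; return 2; }
  tenant_id_ok "$2" || { echo "consumer tenant ID is not a GUID: $2" >&2; return 2; }
  case "$(scope_level "$6")" in
    definition|version) ;;
    *) echo "--image needs an image definition or version ID, got: $6" >&2; return 2 ;;
  esac
  run az login --tenant "$1"
  run az login --tenant "$2"
  run az account set --subscription "$3"
  run az vm create --resource-group "$4" --name "$5" --image "$6"
}

# Demo with placeholder IDs (prints the commands under the default dry run).
PUB_SUB=00000000-0000-0000-0000-000000000001
PUB_TENANT=00000000-0000-0000-0000-0000000000aa
GALLERY=$(gallery_scope "$PUB_SUB" myGalleryRG myGallery)
share_gallery "$GALLERY" alinne_montes@contoso.com
list_gallery_access "$GALLERY"
consume_image "$PUB_TENANT" 00000000-0000-0000-0000-0000000000bb \
  00000000-0000-0000-0000-000000000002 myVmRG myVM \
  "$(image_version_id "$PUB_SUB" myGalleryRG myGallery myImageDefinition 1.0.0)"
```

Azure resource IDs are matched case-insensitively by the platform, so if you feed scope_level an ID copied from another tool that spells the segments differently (resourcegroups, for instance), normalise the case first. az vm create accepts either an image definition ID, which resolves to the latest version, or a specific version ID.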