Set up and manage self-service access to VMware resources

Once your VMware vSphere resources are enabled in Azure, the final step in setting up a self-service experience for your teams is to provide them with access. This article describes how to use built-in roles to manage granular access to VMware resources through Azure role-based access control (RBAC) and allow your teams to deploy and manage VMs.

Prerequisites

  • Your vCenter must be connected to Azure Arc.
  • Your vCenter resources such as Resourcepools/clusters/hosts, networks, templates, and datastores must be Arc-enabled.
  • You must have the User Access Administrator or Owner role at the scope (resource group or subscription) at which you want to assign roles to other users.

Provide access to use Arc-enabled vSphere resources

To provision VMware VMs and change their size, add disks, change network interfaces, or delete them, your users need permissions on the compute (resource pool, cluster, or host), network, storage (datastore), and VM template resources they will use. The built-in Azure Arc VMware Private Cloud User role provides these permissions.

You must assign this role on each individual resource pool (or cluster or host), network, datastore, and template that a user or group needs to access.

  1. Go to the VMware vCenters list in Arc center.

  2. Search and select your vCenter.

  3. Navigate to the Resourcepools/clusters/hosts in vCenter inventory section in the table of contents.

  4. Find and select the resource pool (or cluster or host). This takes you to the Arc resource that represents it.

  5. Select Access control (IAM) in the table of contents.

  6. Select Add role assignment on the Grant access to this resource tile.

  7. Select the Azure Arc VMware Private Cloud User role and select Next.

  8. Select Select members and search for the Microsoft Entra user or group to which you want to provide access.

  9. Select the Microsoft Entra user or group name. Repeat this for each user or group to which you want to grant this permission.

  10. Select Review + assign to complete the role assignment.

  11. Repeat steps 3-10 for each datastore, network, and VM template that you want to provide access to, using the corresponding vCenter inventory section in step 3.

If you have organized your vSphere resources into a resource group, you can assign the same role once at the resource group scope. Because Azure RBAC assignments are inherited by child resources, this grants the role on every Arc-enabled vSphere resource in that resource group, including resources that are Arc-enabled later, so use it only when the user or group should be able to use everything in the resource group.

Your users now have access to the VMware vSphere resources. However, they also need permissions on the subscription or resource group where they want to deploy and manage VMs.

Provide access to subscription or resource group where VMs will be deployed

In addition to access to VMware vSphere resources through the Azure Arc VMware Private Cloud User role, your users must have permissions on the subscription or resource group where they deploy and manage VMs.

The Azure Arc VMware VM Contributor role is a built-in role that provides the permissions needed for all VMware virtual machine operations. Where possible, assign it on the specific resource group the VMs will be created in rather than on the whole subscription, so that the grant is no broader than the team's need.

  1. Go to the Azure portal.

  2. Search for and navigate to the subscription or resource group to which you want to provide access.

  3. Select Access control (IAM) in the table of contents on the left.

  4. Select Add role assignment on the Grant access to this resource tile.

  5. Select the Azure Arc VMware VM Contributor role and select Next.

  6. Select Select members and search for the Microsoft Entra user or group to which you want to provide access.

  7. Select the Microsoft Entra user or group name. Repeat this for each user or group to which you want to grant this permission.

  8. Select Review + assign to complete the role assignment.
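Both portal procedures above (the Private Cloud User role on each inventory resource, then the VM Contributor role on the target resource group) can be scripted with Azure CLI. The following script is an added example and is not code from the original article. It assumes you have run az login with a User Access Administrator or Owner account, that the Arc-enabled inventory objects are ARM resources under the Microsoft.ConnectedVMwarevSphere provider with the type names resourcePools, clusters, hosts, virtualNetworks, datastores, and virtualMachineTemplates (these type names, and all IDs shown, are assumptions and constructed placeholders), and it identifies the principal by object ID rather than by name. Every scope is validated before anything is assigned, so a mistyped resource ID cannot land the Private Cloud User role on the vCenter, a resource group, or a subscription.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Grants the two built-in roles
# described above with Azure CLI instead of the portal. Assumes `az login` has
# been run with a User Access Administrator or Owner account, and assumes the
# Arc-enabled vSphere inventory objects are ARM resources under the
# Microsoft.ConnectedVMwarevSphere provider with the type names listed below.
set -eu

PRIVATE_CLOUD_USER_ROLE="Azure Arc VMware Private Cloud User"
VM_CONTRIBUTOR_ROLE="Azure Arc VMware VM Contributor"
PRINCIPAL_TYPE="${PRINCIPAL_TYPE:-Group}"   # User, Group, or ServicePrincipal
DRY_RUN="${DRY_RUN:-1}"                     # set DRY_RUN=0 to actually call az

# Inventory resource types (lower-cased) on which the Private Cloud User role is
# meant to be scoped. Anything else (the vCenter itself, a resource group, a
# subscription) is refused so a typo cannot silently widen the grant.
# Assumption: these are the ARM type names under Microsoft.ConnectedVMwarevSphere.
ALLOWED_TYPES="resourcepools clusters hosts virtualnetworks datastores virtualmachinetemplates"

# Return 0 if the resource ID in $1 is a vSphere inventory resource of an allowed type.
is_inventory_scope() {
  local lower rtype t
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    */providers/microsoft.connectedvmwarevsphere/*) ;;
    *) return 1 ;;
  esac
  rtype=${lower##*/providers/microsoft.connectedvmwarevsphere/}   # e.g. resourcepools/rp-dev
  rtype=${rtype%%/*}                                               # e.g. resourcepools
  for t in $ALLOWED_TYPES; do
    [ "$t" = "$rtype" ] && return 0
  done
  return 1
}

# Print the az command that grants ROLE to the principal OBJECT_ID at SCOPE, and
# run it unless DRY_RUN=1. Object ID plus principal type is used instead of a
# UPN or display name so no directory lookup is needed and a different principal
# with a similar name cannot be matched by mistake.
assign_role() {
  local object_id="$1" role="$2" scope="$3"
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type %s --role "%s" --scope %s\n' \
    "$object_id" "$PRINCIPAL_TYPE" "$role" "$scope"
  if [ "$DRY_RUN" = "0" ]; then
    az role assignment create --assignee-object-id "$object_id" \
      --assignee-principal-type "$PRINCIPAL_TYPE" --role "$role" --scope "$scope" --output none
  fi
}

# grant_team_access OBJECT_ID VM_RESOURCE_GROUP_ID INVENTORY_ID...
# Private Cloud User on every inventory resource the team may deploy to, then
# VM Contributor on the resource group the VMs will be created in. All scopes are
# validated before anything is assigned, so a bad argument leaves no partial grant.
grant_team_access() {
  local object_id="$1" vm_rg="$2" scope
  shift 2
  for scope in "$@"; do
    if ! is_inventory_scope "$scope"; then
      echo "refusing to grant '$PRIVATE_CLOUD_USER_ROLE' at non-inventory scope: $scope" >&2
      return 1
    fi
  done
  for scope in "$@"; do
    assign_role "$object_id" "$PRIVATE_CLOUD_USER_ROLE" "$scope"
  done
  assign_role "$object_id" "$VM_CONTRIBUTOR_ROLE" "$vm_rg"
}

# Constructed placeholder inputs (not real IDs) so the script can be exercised offline.
SUB="00000000-0000-0000-0000-000000000000"
EXAMPLE_GROUP="11111111-1111-1111-1111-111111111111"   # Entra group object ID (placeholder)
EXAMPLE_VM_RG="/subscriptions/$SUB/resourceGroups/rg-vms"
ARC_RG="/subscriptions/$SUB/resourceGroups/rg-arc-vsphere/providers/Microsoft.ConnectedVMwarevSphere"
EXAMPLE_RESOURCE_POOL="$ARC_RG/resourcePools/rp-dev"
EXAMPLE_NETWORK="$ARC_RG/virtualNetworks/vlan-dev"
EXAMPLE_DATASTORE="$ARC_RG/datastores/ds-dev"
EXAMPLE_TEMPLATE="$ARC_RG/virtualMachineTemplates/ubuntu-22-04"

# Usage: DRY_RUN=0 ./grant-vsphere-access.sh <group-object-id> <vm-resource-group-id> <inventory-id>...
# With no arguments the script only defines the functions and placeholders above.
if [ "$#" -ge 3 ]; then
  grant_team_access "$@"
fi
```

By default the script only prints the az commands it would run; set DRY_RUN=0 to apply them. Afterwards, az role assignment list --assignee <object-id> --all shows exactly which scopes the group holds each role on, which is the check to run before handing the team the tutorial link below.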

Next steps

Tutorial - Create a VM using Azure Arc-enabled vSphere.