Wednesday, June 12, 2019

Azure Subscription and Registering Resources

There is an issue with Azure role-based access control (RBAC) and resource provider registration. Depending on who you listen to, this is a bug (I agree, it is a bug).

Scenario

  • You create a subscription and a resource group (RG) within it.
  • You assign someone as a Contributor on the RG but not as a Contributor on the subscription (for a long list of reasons).
  • The user cannot create a resource in the RG: the wizard fails because the resource provider for that resource type (e.g. Microsoft.Compute) is not registered in the subscription, and the user does not have permission to register it.

Reason
When one attempts to create a resource, two things must be true: (1) the user must have the correct permissions on the target scope (they do; Contributor on the resource group is more than sufficient), and (2) the resource provider for that resource type (virtual machine, disk, whatever) must be registered in the subscription. If it is not, Azure Resource Manager tries to register it on the user's behalf, and registration is a subscription-scoped operation (the */register/action permission, which Contributor and Owner carry at subscription scope but a Contributor on a single RG does not). That registration step is what fails, and the deployment fails with it.

It's a bug because:
The wizard should be registering the resource type at the RG level, not the subscription level.

Solution
When you create a new subscription for a team, pre-register the resource providers the team will need, so that RG Contributors never trigger the registration step themselves.
Log on to your tenant in PowerShell (Az module, Connect-AzAccount) as an account that is Owner or Contributor on the subscription, since registration needs subscription-scope rights.
Select the relevant subscription thus:

Select-AzSubscription "MyCoolSubscriptionName"

Register the resource providers thus (this registers every available provider in the subscription, which is the quickest fix but more than most teams need; see below for a narrower version):

Get-AzResourceProvider -ListAvailable | ForEach-Object { Register-AzResourceProvider -ProviderNamespace $_.ProviderNamespace }
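A more controlled version of the same procedure, as an added example that is not code from the original post: it registers only a named list of providers, skips those already registered, and polls until each one reports Registered, because Register-AzResourceProvider returns before registration completes. It assumes the Az PowerShell module and a signed-in account with Owner or Contributor on the subscription; the subscription name and the provider list are placeholders.

```powershell
# Added example (not from the original post): pre-register only the resource
# providers a team needs, then wait until each reports Registered.
# Assumes the Az module and an account holding Owner or Contributor on the
# subscription. Subscription name and provider list below are placeholders.

$SubscriptionName = 'MyCoolSubscriptionName'   # placeholder

# Placeholder list of providers the team actually needs (VMs, disks, networking,
# storage, Key Vault). Trim or extend this rather than registering everything.
$RequiredProviders = @(
    'Microsoft.Compute',
    'Microsoft.Network',
    'Microsoft.Storage',
    'Microsoft.KeyVault'
)

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionName | Out-Null

function Get-ProviderState {
    param([string]$Namespace)
    # With -ProviderNamespace the cmdlet returns one object per resource type;
    # RegistrationState is the same across them, so the first one is enough.
    (Get-AzResourceProvider -ProviderNamespace $Namespace |
        Select-Object -First 1).RegistrationState
}

foreach ($ns in $RequiredProviders) {
    $state = Get-ProviderState -Namespace $ns
    if ($state -eq 'Registered') {
        Write-Host "$ns already registered"
        continue
    }
    Write-Host "Registering $ns (current state: $state)"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# Registration is asynchronous: poll until every provider is Registered, or
# give up after a timeout, so the team is not handed a half-ready subscription.
$deadline = (Get-Date).AddMinutes(10)
do {
    $pending = $RequiredProviders |
        Where-Object { (Get-ProviderState -Namespace $_) -ne 'Registered' }
    if ($pending) {
        Write-Host "Still pending: $($pending -join ', ')"
        Start-Sleep -Seconds 15
    }
} while ($pending -and (Get-Date) -lt $deadline)

if ($pending) {
    throw "Providers not registered before timeout: $($pending -join ', ')"
}

# Final state report for the subscription owner to hand to the team.
Get-AzResourceProvider -ListAvailable |
    Where-Object { $_.ProviderNamespace -in $RequiredProviders } |
    Select-Object ProviderNamespace, RegistrationState |
    Format-Table -AutoSize
```

Registering a provider does not by itself grant anyone rights to create resources, but it does widen what an RG Contributor can deploy, which is why a named list is preferable to registering all of them. If the team genuinely needs to self-register providers later, the alternative to making them subscription Contributors is a custom role whose Actions contain only */register/action, assigned at subscription scope alongside their RG Contributor assignment.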

Cheers!
