Using RBAC on Azure

I have worked with RBAC on Azure, and there are a few things you need to remember when configuring RBAC rights. One of them is that the resource providers (RPs) in use need to be registered before you delegate rights. This blog post describes the steps for registering RPs.

Let's assume that we have a brand new Azure subscription. We create a new resource group (RG) and delegate, for example, Owner or Contributor rights on that RG to a user account. When the user logs in to the Azure portal and tries to create, for example, a new VM, they get an error message like:
RBAC001

The reason for this error message is that the user account does not have the rights needed to register a resource provider. When the resource group owner created the new VM, Azure tried to register the provider using the owner's authorization. However, registering a provider requires subscription-level permission, so the operation failed.

Resolution:
a. Open PowerShell with admin permissions;
b. Log on to the Azure account with the Service Admin or Co-Admin account using the command: Add-AzureRmAccount

c. List subscriptions:

RBAC002

d. Select correct subscription:

RBAC003

e. List currently registered Resource Providers:

RBAC004

f. Register needed RPs:

RBAC005

Done. Now the RG owner can create VMs.

You can list all available RPs with the following command:

RBAC006

and then register all the needed RPs.
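
The steps above as one script, written as an added example and not the original post's commands. It registers only the namespaces a workload needs instead of every available RP. The subscription ID is a placeholder and the namespace list is an assumption for VM creation; both must be adjusted.

```powershell
# Added example: register only the missing resource providers in one subscription.
# Assumes the AzureRM module is installed and the signed-in account is a
# Service Admin or Co-Admin (subscription-level rights are required).
$SubscriptionId  = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
# Assumed list for VM creation; not taken from the original post.
$NeededProviders = @('Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage')

# Step b: sign in interactively.
Add-AzureRmAccount | Out-Null

# Steps c and d: fail early if the subscription is not visible, then select it.
Get-AzureRmSubscription -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

# Step e: namespaces already registered in this subscription.
$registered = Get-AzureRmResourceProvider |
    Where-Object { $_.RegistrationState -eq 'Registered' } |
    Select-Object -ExpandProperty ProviderNamespace -Unique

# All namespaces that can be registered, used to catch typos in the list.
$available = Get-AzureRmResourceProvider -ListAvailable |
    Select-Object -ExpandProperty ProviderNamespace -Unique

# Step f: register only what is needed and still missing.
foreach ($ns in $NeededProviders) {
    if ($available -notcontains $ns) {
        Write-Warning "$ns is not an available resource provider; skipping"
        continue
    }
    if ($registered -contains $ns) {
        Write-Output "$ns is already registered"
        continue
    }
    Register-AzureRmResourceProvider -ProviderNamespace $ns | Out-Null
    Write-Output "$ns registration requested"
}

# Registration is asynchronous: a provider can show 'Registering' for a while.
Get-AzureRmResourceProvider -ListAvailable |
    Where-Object { $NeededProviders -contains $_.ProviderNamespace } |
    Select-Object ProviderNamespace, RegistrationState -Unique
```

Rerun the last pipeline until every needed namespace reports Registered before asking the RG owner to retry the deployment.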
