Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure Landing Zones Documentation
  2. /
  3. Terraform
  4. /
  5. Subscription Vending
  6. /
  7. Permissions
Edit page

Permissions

Permissions required

This module now uses a single provider - AzAPI. See provider configuration for more information.

Subscription sub-module

The identity used must have permission to:

  • Create subscriptions using the Microsoft.Subscription/aliases resource. See the documentation for details.

Note: The following process explains how to assign EA roles to SPNs.

  • Manage the subscription’s management group using the Microsoft.Management/managementGroups resource. For a detailed explanation of the permissions required, see the documentation.

Note: the identity that creates the subscription will have Owner permissions assigned by default. If you instead supply an existing subscription id, you must ensure that the identity of the provider has the Owner permissions assigned.

Virtual network sub-module

This sub-module manages the following resources using the AzAPI provider:

These resources are deployed into the new or the supplied subscription. The identity of the AzAPI provider must have permission to create these resources.

Hub virtual network peering

The identity assigned to the AzAPI provider must also have the following permissions on hub networks to create virtual network peerings. We recommend that you create a custom role in order to maintain the least privilege principle.

ActionName
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/writeRequired to create a peering from the supplied hub network.
Microsoft.Network/virtualNetworks/peer/actionRequired to create a peering from the supplied hub network.
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/readRead a virtual network peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/deleteDelete a virtual network peering

See the documentation for more information.

Azure vWAN hub virtual network connection

The identity assigned to the AzAPI provider must also have the following permissions on hub networks to create virtual network connections. We recommend that you create a custom role in order to maintain the least privilege principle.

TBC

Role assignments sub-module

This sub-module manages role assignment resources using the AzAPI provider.

The role assignments are deployed into either the new or the supplied subscription, at subscription or child scopes. The identity of the provider must have permission to create these resources, typically this means having the Owner or User Access Administrator roles.

gdoc_arrow_left_alt Subscription Vending Provider Configuration gdoc_arrow_right_alt