As part of the Power BI consulting services that we offer, we have clients where development is done on our side, and our standards dictate that we use an Azure Virtual Machine in the region where the client resides, so all the data is kept in a virtual machine in the cloud.

Here I’ll be sharing the steps that I took to set up the permission to allow one of our team members to start and stop a virtual machine using his own credentials.

Using PowerShell, we logged in to the Azure portal using the az login command and executed the command below:

az role definition create --role-definition C:\users\Emil\Downloads\StartStop.json

Here is the content of the JSON file:

{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can deallocate, start  and restart virtual machines.",
  "Actions": [
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/mysubscriptionid"
  ]
}

The command creates a new role definition called “Virtual Machine Operator” with the permitted actions listed in the file.

After that, I went to the Azure Portal, selected the specific virtual machine I wanted to give my team member permission to, clicked “Access Control (IAM)” and then “Add // Add Role Assignment”. On the right side I selected the role, which in our case is “Virtual Machine Operator” (created using PowerShell), selected a user and clicked the Save button.

We tried that with my team member and he was able to successfully start and stop a virtual machine so the permission worked fine.

One thing that didn’t work was the Connect option, which came up with the error “You do not have permissions to view network interface with ID…”. This problem was resolved by changing the public IP address to a static IP address.
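
An added example (not from the original post): a simplified Python model of how Azure RBAC combines a role's Actions and NotActions with the scope of the role assignment. It shows that with the role assigned on the virtual machine only, as in the portal step above, the Microsoft.Network/*/read action does not reach the network interface, which is a separate resource in the resource group. The resource group and resource names are hypothetical.

```python
import fnmatch

# Role definition copied from the JSON above.
ROLE = {
    "Actions": [
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "NotActions": [],
}

# Constructed resource IDs: resource group and resource names are hypothetical.
RG = "/subscriptions/mysubscriptionid/resourceGroups/rg-dev"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-dev"
NIC = RG + "/providers/Microsoft.Network/networkInterfaces/vm-dev-nic"

def action_matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against action patterns."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def in_scope(assignment_scope, resource_id):
    """An assignment covers its own scope and everything nested beneath it."""
    scope = assignment_scope.lower().rstrip("/")
    rid = resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")

def is_allowed(role, assignment_scope, operation, resource_id):
    """Simplified check: resource in scope, operation in Actions, not in NotActions."""
    return (
        in_scope(assignment_scope, resource_id)
        and action_matches(role["Actions"], operation)
        and not action_matches(role["NotActions"], operation)
    )

def report(assignment_scope):
    """Evaluate three sample operations for an assignment made at the given scope."""
    checks = {
        "start VM": ("Microsoft.Compute/virtualMachines/start/action", VM),
        "delete VM": ("Microsoft.Compute/virtualMachines/delete", VM),
        "read NIC": ("Microsoft.Network/networkInterfaces/read", NIC),
    }
    return {k: is_allowed(ROLE, assignment_scope, op, rid) for k, (op, rid) in checks.items()}
```

Calling report(VM) models the assignment made on the single virtual machine, and report(RG) models the same role assigned on the resource group, where the network interface read is covered while delete stays denied.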

Take care

Emil
