Cloudapp account

4/2/2023

The Contributor role is commonly used to enable the Horizon Cloud app registration process to make API calls in the Microsoft Azure subscription. If you prefer to avoid the use of the Contributor role, you can create a custom role for this purpose. The custom role has certain required and optional permissions that you must be aware of when you create a service principal.

To create a custom role, use a tool, such as Azure PowerShell or Azure CLI and create a custom role definition that, at minimum, includes the mandatory permissions listed in this topic. For details about the specific Microsoft Azure permissions listed on this page, see Azure resource provider operations.

Microsoft Azure Resource Operations that Must Be Permitted in the Custom Role When Assigning Permissions at the Subscription Level

Operation

- Microsoft.Compute/galleries/images/versions/*
- Microsoft.Compute/virtualMachineScaleSets/*
- Microsoft.ContainerService/managedClusters/read
- Microsoft.ContainerService/managedClusters/write
- Microsoft.ContainerService/managedClusters/commandResults/read
- Microsoft.ContainerService/managedClusters/runcommand/action
- Microsoft.ContainerService/managedClusters/upgradeProfiles/read
- Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
- Microsoft.ManagedIdentity/userAssignedIdentities/*/read
- Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
- Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
- Microsoft.Network/networkSecurityGroups/*
- Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
- Microsoft.Network/virtualNetworks/subnets/*
- Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
- Microsoft.Resources/subscriptions/resourceGroups/*
- Microsoft.ResourceHealth/availabilityStatuses/read

The following permissions are not mandatory for the deployment of Horizon Edge in Microsoft Azure. However, functionality in the Horizon Universal Console that relies on these optional permissions does not work if you do not include them.

Microsoft Azure Resource Operations that Are Optional in the Custom Role When Assigning Permissions at the Subscription Level

Operation

- Microsoft.KeyVault/*/read
- Microsoft.KeyVault/vaults/*
- Microsoft.KeyVault/vaults/secrets/*

Key vault permissions are required for disk encryption of pool VMs.

- Microsoft.Network/natGateways/join/action

This permission is required when the Azure Private Link connectivity type is selected at the time that the Horizon Edge is created, and the management subnet has a NAT gateway associated. This permission is required to validate that the management subnet's NAT gateway is, if present, correctly configured, when the cluster outbound type is selected as NAT gateway for Horizon Edge.

- Microsoft.Network/privateEndpoints/read
- Microsoft.Network/privateEndpoints/write

Private Endpoint permissions are required to deploy Horizon Edge with Azure Private Link.

Public IP permission is required to deploy a Horizon Edge instance with Unified Access Gateway instances behind a load balancer with a public IP address. to deploy and to add a public IP address to an image.

- Microsoft.Network/routeTables/join/action

This permission is required when the Azure Private Link connectivity type is selected at the time that the Horizon Edge is created, and the management subnet has a route table attached. The permission is required to create the private endpoint resources. This permission is required if the cluster outbound type selected for Horizon Edge is User defined routes. It is required to validate the associated route table of the management subnet to ensure that the default route is configured correctly.
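A pre-flight check for the custom role described on this page, given as an added example rather than the vendor's code: it reports which of the mandatory operations listed here a role definition's Actions fail to cover, treating `*` as a wildcard the way Azure does, and which ones a NotActions entry takes away again. The names `covers`, `audit` and the sample role are hypothetical, and the role JSON is assumed to use the Name/Actions/NotActions layout that Azure PowerShell and Azure CLI accept.

```python
import json
import re

# Mandatory operations as listed on this page (the page's list has gaps, so
# this is not the vendor's complete list).
MANDATORY = """
Microsoft.Compute/galleries/images/versions/* Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.ContainerService/managedClusters/read Microsoft.ContainerService/managedClusters/write
Microsoft.ContainerService/managedClusters/commandResults/read
Microsoft.ContainerService/managedClusters/runcommand/action
Microsoft.ContainerService/managedClusters/upgradeProfiles/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Network/networkSecurityGroups/* Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.Resources/subscriptions/resourceGroups/* Microsoft.ResourceHealth/availabilityStatuses/read
""".split()

def covers(granted, required):
    """True if every operation matching `required` also matches `granted`.
    '*' means 'any characters'; comparison is case-insensitive."""
    rx = ".*".join(re.escape(part) for part in granted.split("*"))
    return re.fullmatch(rx, required, re.IGNORECASE) is not None

def audit(role):
    """Return (missing, blocked): mandatory operations that Actions do not
    grant, and granted ones that a NotActions entry overlaps."""
    actions, denied = role.get("Actions", []), role.get("NotActions", [])
    missing = [m for m in MANDATORY if not any(covers(a, m) for a in actions)]
    blocked = [m for m in MANDATORY if m not in missing
               and any(covers(n, m) or covers(m, n) for n in denied)]
    return missing, blocked

# Constructed sample role definition (hypothetical name, placeholder scope).
SAMPLE_ROLE = json.loads("""{
  "Name": "Horizon Edge custom role (example)",
  "Actions": ["Microsoft.Compute/*", "Microsoft.ContainerService/managedClusters/*",
              "Microsoft.Network/virtualNetworks/*", "Microsoft.Network/networkSecurityGroups/*",
              "Microsoft.Resources/subscriptions/resourceGroups/*"],
  "NotActions": ["Microsoft.ContainerService/managedClusters/runcommand/action"],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}""")

if __name__ == "__main__":
    missing, blocked = audit(SAMPLE_ROLE)
    print("missing:", *missing, sep="\n  ")
    print("removed by NotActions:", *blocked, sep="\n  ")
```

The same check also shows where a role is broader than it needs to be: an entry such as `Microsoft.Compute/*` passes the audit but grants more than the two Compute operations listed on this page.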