Phase 03: RBAC Permissions

DOCUMENT CATEGORY: Runbook
SCOPE: Role-based access control configuration for Azure Local deployment
PURPOSE: Create deployment SPN and assign required RBAC roles
MASTER REFERENCE: Microsoft Learn - Azure RBAC

Status: Active
Applies To: Phase 03 — Azure Foundation
Last Updated: 2026-03-02


Stage Details

Objective

Configure Role-Based Access Control (RBAC) permissions required for Azure Local deployment by creating a dedicated service principal and assigning the required roles for both portal-based and ARM template deployments.

Prerequisites

Azure Authentication Required

Before running any scripts in this phase, ensure you have an authenticated Azure session. See Authentication & Session Setup for options including Azure PowerShell, Azure CLI, and service principal authentication.

| Prerequisite | Details |
| --- | --- |
| Run As | User Access Administrator at subscription level |
| Prior Phase | Phase 02: Resource Providers completed |
| Azure Session | Authenticated with Owner or User Access Administrator role |
This Phase Enables the Permission Transition

Task 02 is the permission transition point. Once it is complete, the deployment SPN and the deployment user hold every RBAC role listed in this phase, and all subsequent phases authenticate with deployment credentials instead of the elevated admin account.

Tasks

| Task | Description | Duration | Run As |
| --- | --- | --- | --- |
| Task 01: Create Deployment SPN | Create service principal for deployment automation | 10–15 min | Elevated Admin |
| Task 02: Assign RBAC Roles | Assign required roles to SPN and deployment user | 5–10 min | Elevated Admin |

Validation

  • Deployment service principal sp-azurelocal-deploy created in Entra ID
  • Service principal credentials stored in platform Key Vault
  • Subscription-level roles assigned: Contributor, User Access Administrator, Azure Stack HCI Administrator, Reader
  • Resource group-level roles assigned at cluster RG: Key Vault Data Access Administrator, Key Vault Secrets Officer, Key Vault Contributor, Storage Account Contributor, Azure Connected Machine Onboarding, Azure Connected Machine Resource Administrator

Outcome

Deployment service principal exists with all required RBAC permissions. All subsequent phases can authenticate using the deployment SPN instead of elevated admin credentials.


Required RBAC Roles

Azure Local deployment requires specific RBAC roles regardless of the deployment method. These roles enable Arc-enablement of machines, resource management, and Azure Local cluster operations.

Subscription-Level Roles

| Role | Purpose |
| --- | --- |
| Contributor | Create and manage Azure resources |
| User Access Administrator | Manage RBAC role assignments |
| Azure Stack HCI Administrator | Manage Azure Local cluster resources |
| Reader | View Azure resources and configurations |

Contributor combined with User Access Administrator at subscription scope is functionally equivalent to Owner: the SPN can change any resource in the subscription and grant any role, including to itself. Treat its credential in the platform Key Vault as an Owner-equivalent secret, and never copy it to a workstation or pipeline variable.

Resource Group-Level Roles

These roles are assigned at the Azure Local cluster resource group (e.g., rg-c01-azl-eus-01), not the platform Key Vault resource group.

| Role | Purpose |
| --- | --- |
| Key Vault Data Access Administrator | Manage data plane permissions to deployment Key Vault |
| Key Vault Secrets Officer | Read and write secrets in deployment Key Vault |
| Key Vault Contributor | Create and manage Key Vault resources |
| Storage Account Contributor | Create storage accounts for deployment |
| Azure Connected Machine Onboarding | Register machines with Azure Arc |
| Azure Connected Machine Resource Administrator | Manage Arc-enabled machine resources |

Scope Is the Azure Local Cluster Resource Group

All resource group-level roles MUST be assigned at the cluster resource group:

/subscriptions/<subscription-id>/resourceGroups/<cluster-resource-group>

Example:

/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/rg-c01-azl-eus-01

IIC Example — Config Values

The following values from variables.yml are used during this phase:

variables.yml (IIC example)

```yaml
azure:
  tenant_id: "12345678-1234-1234-1234-123456789012"
  subscriptions:
    lab:
      id: "00000000-1111-2222-3333-444444444444"
      name: "iic-lz-azurelocal-001"

azure_resources:
  resource_group_name: "rg-c01-azl-eus-01"

service_principal:
  name: "sp-azurelocal-deploy"
```
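The script below is an added example, not the runbook's own Task 01/02 scripts. It carries both tasks and the Validation checklist through with the Azure CLI, using the IIC values above: it creates sp-azurelocal-deploy if it does not exist, writes the secret into the platform Key Vault via a 0600 temp file rather than a command-line argument, assigns the four subscription-level and six resource-group-level roles at the exact scopes this phase requires, and then checks that every expected assignment is present. The Key Vault name (kv-platform-eus-01), the secret name (sp-azurelocal-deploy-secret) and the use of the Azure CLI rather than Az PowerShell are assumptions, not values from the runbook.

```shell
#!/bin/sh
# Added example (not the runbook's scripts). Assumed, not from the page: the vault
# name, the secret name, and an existing Azure CLI session with Owner or User Access
# Administrator rights. DRY_RUN=1 prints the az role-assignment commands instead of
# running them and substitutes a placeholder object ID.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-1111-2222-3333-444444444444}"
CLUSTER_RG="${CLUSTER_RG:-rg-c01-azl-eus-01}"
SPN_NAME="${SPN_NAME:-sp-azurelocal-deploy}"
PLATFORM_KV="${PLATFORM_KV:-kv-platform-eus-01}"                  # assumed name
KV_SECRET_NAME="${KV_SECRET_NAME:-sp-azurelocal-deploy-secret}"   # assumed name
DRY_RUN="${DRY_RUN:-0}"

# One role per line (POSIX sh has no arrays).
SUBSCRIPTION_ROLES="Contributor
User Access Administrator
Azure Stack HCI Administrator
Reader"
CLUSTER_RG_ROLES="Key Vault Data Access Administrator
Key Vault Secrets Officer
Key Vault Contributor
Storage Account Contributor
Azure Connected Machine Onboarding
Azure Connected Machine Resource Administrator"

# ARM scope strings exactly as this phase requires them.
subscription_scope() { printf '/subscriptions/%s' "$1"; }
resource_group_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# Execute a command, or in dry-run mode print it with every argument single-quoted.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    _line=""
    for _a in "$@"; do _line="$_line '$_a'"; done
    printf 'DRY-RUN:%s\n' "$_line"
  else
    "$@"
  fi
}

# Task 01: create the SPN if absent. create-for-rbac with no --role/--scopes creates
# the app registration and service principal with no role assignment (Azure CLI 2.37+).
# The secret goes from the CLI into a 0600 temp file and into Key Vault via --file, so
# it never appears in argv (visible in ps) or in shell history. Prints the object ID.
create_deployment_spn() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' '<spn-object-id>'; return 0; fi
  app_id="$(az ad sp list --display-name "$SPN_NAME" --query '[0].appId' -o tsv)"
  if [ -z "$app_id" ]; then
    tmp="$(mktemp)"; chmod 600 "$tmp"
    az ad sp create-for-rbac --display-name "$SPN_NAME" --query '[appId,password]' -o tsv > "$tmp"
    app_id="$(sed -n 1p "$tmp")"
    secret="$(sed -n 2p "$tmp")"
    printf '%s' "$secret" > "$tmp"   # no trailing newline: it would become part of the secret
    az keyvault secret set --vault-name "$PLATFORM_KV" --name "$KV_SECRET_NAME" --file "$tmp" >/dev/null
    rm -f "$tmp"; unset secret
  else
    echo "SPN $SPN_NAME already exists (appId $app_id); credential not rotated" >&2
  fi
  az ad sp show --id "$app_id" --query id -o tsv
}

# Task 02: assign every role in a newline-separated list at one scope. Passing the
# object ID and principal type avoids the Graph lookup that fails for a brand-new SPN.
assign_roles_at_scope() {
  oid="$1"; scope="$2"; roles="$3"
  printf '%s\n' "$roles" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    run az role assignment create --assignee-object-id "$oid" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  done
}

# Validation helper: print the expected roles that are absent from the actual list.
missing_roles() {
  printf '%s\n' "$1" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf '%s\n' "$2" | grep -Fxq -- "$role" || printf '%s\n' "$role"
  done
}

# Validation: compare assignments recorded at exactly this scope (no inherited ones).
verify_roles_at_scope() {
  oid="$1"; scope="$2"; roles="$3"
  actual="$(az role assignment list --assignee "$oid" --scope "$scope" \
    --query '[].roleDefinitionName' -o tsv)"
  missing="$(missing_roles "$roles" "$actual")"
  [ -z "$missing" ] || { printf 'Missing at %s:\n%s\n' "$scope" "$missing" >&2; return 1; }
}

# Whole phase: Task 01, Task 02 at both scopes, then the Validation checklist.
phase03_rbac() {
  oid="$(create_deployment_spn)"
  sub_scope="$(subscription_scope "$SUBSCRIPTION_ID")"
  rg_scope="$(resource_group_scope "$SUBSCRIPTION_ID" "$CLUSTER_RG")"
  assign_roles_at_scope "$oid" "$sub_scope" "$SUBSCRIPTION_ROLES"
  assign_roles_at_scope "$oid" "$rg_scope" "$CLUSTER_RG_ROLES"
  [ "$DRY_RUN" = "1" ] || {
    verify_roles_at_scope "$oid" "$sub_scope" "$SUBSCRIPTION_ROLES"
    verify_roles_at_scope "$oid" "$rg_scope" "$CLUSTER_RG_ROLES"
  }
}
```

Preview the ten role assignments without touching the tenant with `DRY_RUN=1 sh -c '. ./phase03-rbac.sh; phase03_rbac'`, then run the same command without DRY_RUN from the elevated admin session. If the verification step reports a missing role, rerun the phase: `az role assignment create` is idempotent, so an existing assignment is returned rather than duplicated.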


Version Control

  • Created: 2026-01-15 by Azure Local Cloudnology Team
  • Last Updated: 2026-03-02 by Azure Local Cloudnology Team
  • Version: 2.0.0
  • Tags: azure-local, phase-03, rbac, service-principal
  • Keywords: RBAC, role assignment, service principal, sp-azurelocal-deploy
  • Author: Azure Local Cloudnology Team