Loading...
D365Hub logo D365Hub

Register your Azure Stack HCI cluster with reduced permissions

Register your Azure Stack HCI cluster with reduced permissions

We are happy to announce several improvements to the HCI cluster registration experience. These improvements are based on community feedback and survey results.

 

Relaxed permission requirements at both Azure Tenant and subscription level: As a user registering the cluster, now you don’t need any privileges at the tenant-level, we have also reduced the permissions at the subscription level, hence reducing the impact in case of any security breach or user error.

 

Azure Permissions Previously Now
Tenant Level
  1. "microsoft.directory/applications/createAsOwner",
  2. "microsoft.directory/applications/delete",
  3. "microsoft.directory/applications/standard/read",
  4. "microsoft.directory/applications/credentials/update",
  5. "microsoft.directory/applications/permissions/update",
  6. "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
  7.  "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
  8. "microsoft.directory/servicePrincipals/appRoleAssignments/read",
  9. "microsoft.directory/servicePrincipals/createAsOwner",
  10. "microsoft.directory/servicePrincipals/credentials/update",
  11. "microsoft.directory/servicePrincipals/permissions/update",
  12. "microsoft.directory/servicePrincipals/standard/read",
  13. "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy" 
 Not Required
Subscription Level
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.Resources/subscriptions/resourceGroups/write",
  3. "Microsoft.Resources/subscriptions/resourceGroups/delete",
  4. "Microsoft.AzureStackHCI/register/action",
  5. "Microsoft.AzureStackHCI/Unregister/Action",
  6. "Microsoft.AzureStackHCI/clusters/*",
  7. "Microsoft.Authorization/roleAssignments/write",
  8. "Microsoft.HybridCompute/register/action",
  9. "Microsoft.GuestConfiguration/register/action",
  10. "Microsoft.HybridConnectivity/register/action"
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.AzureStackHCI/register/action",
  3. "Microsoft.AzureStackHCI/Unregister/Action",
  4. "Microsoft.AzureStackHCI/clusters/*",
  5. "Microsoft.Authorization/roleAssignments/write",
  6. "Microsoft.HybridCompute/register/action",
  7. "Microsoft.GuestConfiguration/register/action",
  8. "Microsoft.HybridConnectivity/register/action"

 

More flexibility with resource group creation: Previously we only allowed the user to specify the resource group for HCI cluster resource, but now you can also specify the resource group information for the Arc for server resources.

 

For more detailed information, please see our documentation: Connect Azure Stack HCI to Azure - Azure Stack HCI | Microsoft Docs

 

We hope these registration improvements will make your registration experience smoother, quicker, and more productive. We are always open to feedback; you can comment on this blog or reach out to me directly.

 

Future Plans

We plan to improve this workflow further by providing:

  • More flexibility with resource creation, move, delete, and tagging
  • Update workflows for extensions
  • Creation of a more restrictive custom permission role
  • Prechecks for registration workflow

 

Published on:

Learn more
Azure Stack Blog articles
Azure Stack Blog articles

Azure Stack Blog articles

Share post:

Related posts

How to Migrate Data from AWS S3 to Azure Blob | Free Cloud-to-Cloud with Azure Storage Mover

18 hours ago

How to Deploy High-Performance Storage for AKS | Free, Open-Source Azure Container Storage

18 hours ago

Semantic Reranking with Azure SQL, SQL Server 2025 and Cohere Rerank models

Supporting re‑ranking has been one of the most common requests lately. While not always essential, it can be a valuable addition to a solution...

1 day ago

How Azure Cosmos DB Powers ARM’s Federated Future: Scaling for the Next Billion Requests

The Cloud at Hyperscale: ARM’s Mission and Growth Azure Resource Manager (ARM) is the backbone of Azure’s resource provisioning and management...

1 day ago

Automating Business PDFs Using Azure Document Intelligence and Power Automate

In today’s data-driven enterprises, critical business information often arrives in the form of PDFs—bank statements, invoices, policy document...

17 days ago

Azure Developer CLI (azd) Dec 2025 – Extensions Enhancements, Foundry Rebranding, and Azure Pipelines Improvements

This post announces the December release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) Dec 2025 – Extensions En...

19 days ago

Replit and Microsoft Azure are putting software development in everyone’s hands

19 days ago

Unlock the power of distributed graph databases with JanusGraph and Azure Apache Cassandra

Connecting the Dots: How Graph Databases Drive Innovation In today’s data-rich world, organizations face challenges that go beyond simple tabl...

21 days ago

Azure Boards integration with GitHub Copilot

A few months ago we introduced the Azure Boards integration with GitHub Copilot in private preview. The goal was simple: allow teams to take a...

22 days ago

Microsoft Dataverse – Monitor batch workloads with Azure Monitor Application Insights

We are announcing the ability to monitor batch workload telemetry in Azure Monitor Application Insights for finance and operations apps in Mic...

23 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy