Loading...
D365Hub logo D365Hub

Register your Azure Stack HCI cluster with reduced permissions

Register your Azure Stack HCI cluster with reduced permissions

We are happy to announce several improvements to the HCI cluster registration experience. These improvements are based on community feedback and survey results.

 

Relaxed permission requirements at both Azure Tenant and subscription level: As a user registering the cluster, now you don’t need any privileges at the tenant-level, we have also reduced the permissions at the subscription level, hence reducing the impact in case of any security breach or user error.

 

Azure Permissions Previously Now
Tenant Level
  1. "microsoft.directory/applications/createAsOwner",
  2. "microsoft.directory/applications/delete",
  3. "microsoft.directory/applications/standard/read",
  4. "microsoft.directory/applications/credentials/update",
  5. "microsoft.directory/applications/permissions/update",
  6. "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
  7.  "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
  8. "microsoft.directory/servicePrincipals/appRoleAssignments/read",
  9. "microsoft.directory/servicePrincipals/createAsOwner",
  10. "microsoft.directory/servicePrincipals/credentials/update",
  11. "microsoft.directory/servicePrincipals/permissions/update",
  12. "microsoft.directory/servicePrincipals/standard/read",
  13. "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy" 
 Not Required
Subscription Level
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.Resources/subscriptions/resourceGroups/write",
  3. "Microsoft.Resources/subscriptions/resourceGroups/delete",
  4. "Microsoft.AzureStackHCI/register/action",
  5. "Microsoft.AzureStackHCI/Unregister/Action",
  6. "Microsoft.AzureStackHCI/clusters/*",
  7. "Microsoft.Authorization/roleAssignments/write",
  8. "Microsoft.HybridCompute/register/action",
  9. "Microsoft.GuestConfiguration/register/action",
  10. "Microsoft.HybridConnectivity/register/action"
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.AzureStackHCI/register/action",
  3. "Microsoft.AzureStackHCI/Unregister/Action",
  4. "Microsoft.AzureStackHCI/clusters/*",
  5. "Microsoft.Authorization/roleAssignments/write",
  6. "Microsoft.HybridCompute/register/action",
  7. "Microsoft.GuestConfiguration/register/action",
  8. "Microsoft.HybridConnectivity/register/action"

 

More flexibility with resource group creation: Previously we only allowed the user to specify the resource group for HCI cluster resource, but now you can also specify the resource group information for the Arc for server resources.

 

For more detailed information, please see our documentation: Connect Azure Stack HCI to Azure - Azure Stack HCI | Microsoft Docs

 

We hope these registration improvements will make your registration experience smoother, quicker, and more productive. We are always open to feedback; you can comment on this blog or reach out to me directly.

 

Future Plans

We plan to improve this workflow further by providing:

  • More flexibility with resource creation, move, delete, and tagging
  • Update workflows for extensions
  • Creation of a more restrictive custom permission role
  • Prechecks for registration workflow

 

Published on:

Learn more
Azure Stack Blog articles
Azure Stack Blog articles

Azure Stack Blog articles

Share post:

Related posts

What’s New with Microsoft Foundry (formerly Azure AI Foundry) from Ignite 2025

Microsoft Ignite 2025 just wrapped up, and one of the biggest themes this year was the evolution of Azure AI Foundry, now simply called Micros...

1 day ago

Pantone’s Palette Generator enhances creative exploration with agentic AI on Azure

1 day ago

Microsoft Azure Key Vault HSM Animated Explainer

1 day ago

Microsoft Azure Hardware Security Module (HSM): Helping you with data security and sovereignty

1 day ago

Premier League drives deep fan connection with Microsoft Foundry and Azure Cosmos DB

1 day ago

Premier League drives deep fan connection with Microsoft Foundry and Azure Cosmos DB

2 days ago

Announcing: Dynamic Data Masking for Azure Cosmos DB (Preview)

Today marks a big step forward with the public preview of Dynamic Data Masking (DDM) for Azure Cosmos DB. This feature helps organizations pro...

3 days ago

Use Azure SRE Agent with Azure Cosmos DB: Smarter Diagnostics for Your Applications

We’re excited to announce the Azure Cosmos DB SRE Agent built on Azure SRE Agent; a new capability designed to simplify troubleshooting and im...

3 days ago

General Availability: Priority-Based Execution in Azure Cosmos DB

Have you ever faced a situation where two different workloads share the same container, and one ends up slowing down the other? This is a comm...

3 days ago

Announcing Preview of Online Copy Jobs in Azure Cosmos DB: Migrate Data with Minimal Downtime!

We are excited to announce the preview of Online Copy Jobs, a powerful new feature designed to make data migration between containers seamless...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy