Loading...
D365Hub logo D365Hub

Register your Azure Stack HCI cluster with reduced permissions

Register your Azure Stack HCI cluster with reduced permissions

We are happy to announce several improvements to the HCI cluster registration experience. These improvements are based on community feedback and survey results.

 

Relaxed permission requirements at both Azure Tenant and subscription level: As a user registering the cluster, now you don’t need any privileges at the tenant-level, we have also reduced the permissions at the subscription level, hence reducing the impact in case of any security breach or user error.

 

Azure Permissions Previously Now
Tenant Level
  1. "microsoft.directory/applications/createAsOwner",
  2. "microsoft.directory/applications/delete",
  3. "microsoft.directory/applications/standard/read",
  4. "microsoft.directory/applications/credentials/update",
  5. "microsoft.directory/applications/permissions/update",
  6. "microsoft.directory/servicePrincipals/appRoleAssignedTo/update",
  7.  "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
  8. "microsoft.directory/servicePrincipals/appRoleAssignments/read",
  9. "microsoft.directory/servicePrincipals/createAsOwner",
  10. "microsoft.directory/servicePrincipals/credentials/update",
  11. "microsoft.directory/servicePrincipals/permissions/update",
  12. "microsoft.directory/servicePrincipals/standard/read",
  13. "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy" 
 Not Required
Subscription Level
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.Resources/subscriptions/resourceGroups/write",
  3. "Microsoft.Resources/subscriptions/resourceGroups/delete",
  4. "Microsoft.AzureStackHCI/register/action",
  5. "Microsoft.AzureStackHCI/Unregister/Action",
  6. "Microsoft.AzureStackHCI/clusters/*",
  7. "Microsoft.Authorization/roleAssignments/write",
  8. "Microsoft.HybridCompute/register/action",
  9. "Microsoft.GuestConfiguration/register/action",
  10. "Microsoft.HybridConnectivity/register/action"
  1. "Microsoft.Resources/subscriptions/resourceGroups/read",
  2. "Microsoft.AzureStackHCI/register/action",
  3. "Microsoft.AzureStackHCI/Unregister/Action",
  4. "Microsoft.AzureStackHCI/clusters/*",
  5. "Microsoft.Authorization/roleAssignments/write",
  6. "Microsoft.HybridCompute/register/action",
  7. "Microsoft.GuestConfiguration/register/action",
  8. "Microsoft.HybridConnectivity/register/action"

 

More flexibility with resource group creation: Previously we only allowed the user to specify the resource group for HCI cluster resource, but now you can also specify the resource group information for the Arc for server resources.

 

For more detailed information, please see our documentation: Connect Azure Stack HCI to Azure - Azure Stack HCI | Microsoft Docs

 

We hope these registration improvements will make your registration experience smoother, quicker, and more productive. We are always open to feedback; you can comment on this blog or reach out to me directly.

 

Future Plans

We plan to improve this workflow further by providing:

  • More flexibility with resource creation, move, delete, and tagging
  • Update workflows for extensions
  • Creation of a more restrictive custom permission role
  • Prechecks for registration workflow

 

Published on:

Learn more
Azure Stack Blog articles
Azure Stack Blog articles

Azure Stack Blog articles

Share post:

Related posts

Microsoft Purview: Data Lifecycle Management- Azure PST Import

Azure PST Import is a migration method that enables PST files stored in Azure Blob Storage to be imported directly into Exchange Online mailbo...

3 days ago

How Snowflake scales with Azure IaaS

4 days ago

Scaling cyber resiliency in Azure with Illumio

4 days ago

Microsoft Rewards: Retirement of Azure AD Account Linking

Microsoft is retiring the Azure AD Account Linking feature for Microsoft Rewards by March 19, 2026. Users can no longer link work accounts to ...

4 days ago

Azure Function to scrape Yahoo data and store it in SharePoint

A couple of weeks ago, I learned about an AI Agent from this Microsoft DevBlogs, which mainly talks about building an AI Agent on top of Copil...

9 days ago

Maximize Azure Cosmos DB Performance with Azure Advisor Recommendations

In the first post of this series, we introduced how Azure Advisor helps Azure Cosmos DB users uncover opportunities to optimize efficiency and...

12 days ago

February Patches for Azure DevOps Server

We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay on the latest, most s...

13 days ago

Building AI-Powered Apps with Azure Cosmos DB and the Vercel AI SDK

The Vercel AI SDK is an open-source TypeScript toolkit that provides the core building blocks for integrating AI into any JavaScript applicati...

13 days ago

Time Travel in Azure SQL with Temporal Tables

Applications often need to know what data looked like before. Who changed it, when it changed, and what the previous values were. Rebuilding t...

14 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy