Register your Azure Stack HCI cluster with reduced permissions

We are happy to announce several improvements to the HCI cluster registration experience. These improvements are based on community feedback and survey results.

Relaxed permission requirements at both Azure Tenant and subscription level: As a user registering the cluster, now you don’t need any privileges at the tenant-level, we have also reduced the permissions at the subscription level, hence reducing the impact in case of any security breach or user error.

Azure Permissions	Previously	Now
Tenant Level	"microsoft.directory/applications/createAsOwner", "microsoft.directory/applications/delete", "microsoft.directory/applications/standard/read", "microsoft.directory/applications/credentials/update", "microsoft.directory/applications/permissions/update", "microsoft.directory/servicePrincipals/appRoleAssignedTo/update", "microsoft.directory/servicePrincipals/appRoleAssignedTo/read", "microsoft.directory/servicePrincipals/appRoleAssignments/read", "microsoft.directory/servicePrincipals/createAsOwner", "microsoft.directory/servicePrincipals/credentials/update", "microsoft.directory/servicePrincipals/permissions/update", "microsoft.directory/servicePrincipals/standard/read", "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"	Not Required
Subscription Level	"Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/subscriptions/resourceGroups/write", "Microsoft.Resources/subscriptions/resourceGroups/delete", "Microsoft.AzureStackHCI/register/action", "Microsoft.AzureStackHCI/Unregister/Action", "Microsoft.AzureStackHCI/clusters/*", "Microsoft.Authorization/roleAssignments/write", "Microsoft.HybridCompute/register/action", "Microsoft.GuestConfiguration/register/action", "Microsoft.HybridConnectivity/register/action"	"Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.AzureStackHCI/register/action", "Microsoft.AzureStackHCI/Unregister/Action", "Microsoft.AzureStackHCI/clusters/*", "Microsoft.Authorization/roleAssignments/write", "Microsoft.HybridCompute/register/action", "Microsoft.GuestConfiguration/register/action", "Microsoft.HybridConnectivity/register/action"

More flexibility with resource group creation: Previously we only allowed the user to specify the resource group for HCI cluster resource, but now you can also specify the resource group information for the Arc for server resources.

For more detailed information, please see our documentation: Connect Azure Stack HCI to Azure - Azure Stack HCI | Microsoft Docs

We hope these registration improvements will make your registration experience smoother, quicker, and more productive. We are always open to feedback; you can comment on this blog or reach out to me directly.

Future Plans

We plan to improve this workflow further by providing:

More flexibility with resource creation, move, delete, and tagging
Update workflows for extensions
Creation of a more restrictive custom permission role
Prechecks for registration workflow

Published on: June 07, 2022

Learn more

Azure Stack Blog articles

Learn more

Register your Azure Stack HCI cluster with reduced permissions

Related posts

Accelerate Your Cosmos DB Infrastructure with GitHub Copilot CLI and Azure Cosmos DB Agent Kit

Accelerate Your Cosmos DB Infrastructure with GitHub Copilot CLI and Azure Cosmos DB Agent Kit

Instant Access Snapshots for Azure Ultra Disk & Premium SSD v2 | Technical Demo

SharePoint: Migrate the Maps web part to Azure Maps

Microsoft Azure Maia 200: Scott Guthrie EVP

Azure Cosmos DB TV Recap: Supercharging AI Agents with the Azure Cosmos DB MCP Toolkit (Ep. 110)

Introducing the Azure Cosmos DB Agent Kit: Your AI Pair Programmer Just Got Smarter

Azure Ultra Disk: Experience next-generation performance for mission-critical workloads

How to back up on-premises Windows VMs to Azure

Microsoft Ignite 2025: Veeam and Azure Storage on entering a new era of data security