Assign required permissions for Azure Local deployment

Applies to: Azure Local 2311.2 and later

This article describes how to set up the required permissions on your subscription to deploy Azure Local.

Prerequisites

Azure Local machine prerequisites

Azure prerequisites

  • Register required resource providers. Make sure that your Azure subscription is registered with the required resource providers. To register them, you must be an Owner or Contributor on the subscription; otherwise, ask an administrator to register them for you.

    Run the following PowerShell commands to register:

    # Requires the Az.Resources module and a signed-in session (Connect-AzAccount)
    # against the subscription you intend to deploy into.
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridCompute"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.GuestConfiguration"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridConnectivity"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.AzureStackHCI"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Kubernetes"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.KubernetesConfiguration"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.ExtendedLocation"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.ResourceConnector"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridContainerService"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Attestation"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Storage"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Insights"

    Note

    • The assumption is that the person registering the Azure subscription with the resource providers is a different person than the one who is registering the Azure Local machines with Arc.
    • The Microsoft.Insights resource provider is required for monitoring and logging. If this resource provider isn't registered, the diagnostic account and Key Vault audit logging fail during validation.
  • Create a resource group. Follow the steps to Create a resource group where you want to register your machines. Make a note of the resource group name and the associated subscription ID.

  • Get the tenant ID. Follow the steps in Get the tenant ID of your Microsoft Entra tenant through the Azure portal:

    1. In the Azure portal, go to Microsoft Entra ID > Properties.

    2. Scroll down to the Tenant ID section and copy the Tenant ID value to use later.

  • Verify permissions. As you register machines as Arc resources, make sure that you're either the resource group owner or have the following permissions on the resource group where the machines are provisioned:

    • Azure Connected Machine Onboarding.
    • Azure Connected Machine Resource Administrator.

    To verify that you have these roles, follow these steps in the Azure portal:

    1. Go to the subscription you used for the Azure Local deployment.

    2. Go to the resource group where you plan to register the machine.

    3. In the left pane, go to Access control (IAM).

    4. In the right pane, go to Role assignments. Verify that you have the Azure Connected Machine Onboarding and Azure Connected Machine Resource Administrator roles assigned.

  • Check your Azure policies. Make sure that:

    • The Azure policies aren't blocking the installation of extensions.
    • The Azure policies aren't blocking the creation of certain resource types in a resource group.
    • The Azure policies aren't blocking the resource deployment in certain locations.
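The following script is an added example, not part of the article, that checks the two prerequisites above that can be verified programmatically: that every listed resource provider reports Registered, and that the deployment user holds the Arc onboarding roles (or Owner) on the resource group. It assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session; the subscription ID, resource group name and user principal name are placeholders.

```powershell
# Added example (not from the article): check the prerequisites above before
# starting a deployment. Assumes Az.Accounts and Az.Resources are installed and
# Connect-AzAccount has been run. The three values below are placeholders.
$SubscriptionId    = "<subscription-id>"
$ResourceGroupName = "<resource-group-name>"
$UserPrincipalName = "<deployment-user@contoso.com>"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Resource providers listed in the article. Registration is asynchronous, so a
# provider can report "Registering" for a few minutes after the request.
$RequiredProviders = @(
    "Microsoft.HybridCompute", "Microsoft.GuestConfiguration",
    "Microsoft.HybridConnectivity", "Microsoft.AzureStackHCI",
    "Microsoft.Kubernetes", "Microsoft.KubernetesConfiguration",
    "Microsoft.ExtendedLocation", "Microsoft.ResourceConnector",
    "Microsoft.HybridContainerService", "Microsoft.Attestation",
    "Microsoft.Storage", "Microsoft.Insights"
)
$Unregistered = foreach ($ns in $RequiredProviders) {
    $state = Get-AzResourceProvider -ProviderNamespace $ns |
        Select-Object -First 1 -ExpandProperty RegistrationState
    if ($state -ne "Registered") { "$ns ($state)" }
}
if ($Unregistered) { Write-Warning "Not registered: $($Unregistered -join ', ')" }
else { Write-Output "All required resource providers are registered." }

# Arc onboarding roles the article requires on the resource group. Owner on
# the resource group satisfies the requirement on its own.
$RequiredRoles = @(
    "Azure Connected Machine Onboarding",
    "Azure Connected Machine Resource Administrator"
)
# Get-AzRoleAssignment at resource group scope also returns inherited
# assignments, so an Owner assigned at the subscription is picked up too.
$Assigned = Get-AzRoleAssignment -SignInName $UserPrincipalName `
    -ResourceGroupName $ResourceGroupName |
    Select-Object -ExpandProperty RoleDefinitionName
if ($Assigned -contains "Owner") {
    Write-Output "User is Owner on $ResourceGroupName; Arc roles are covered."
} else {
    $Missing = $RequiredRoles | Where-Object { $_ -notin $Assigned }
    if ($Missing) { Write-Warning "Missing on ${ResourceGroupName}: $($Missing -join ', ')" }
    else { Write-Output "Arc onboarding roles are assigned on $ResourceGroupName." }
}
```

Azure policies (the last bullet) can't be checked this way, because whether a policy blocks an extension install or a resource location depends on the specific assignments in your environment.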

Assign Azure permissions for deployment

Follow these steps to assign Azure permissions for deployment from the Azure portal.

  1. In the Azure portal, go to the subscription used to register the machines. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.

    Screenshot of the Add role assignment in Access control in subscription for Azure Local deployment.

  2. Go through the tabs and assign the following role permissions to the user who deploys the instance:

    • Azure Stack HCI Administrator
    • Reader
  3. In the Azure portal, go to the resource group used to register the machines on your subscription. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.

    Screenshot of the Add role assignment in Access control in resource group for Azure Local deployment.

  4. Go through the tabs and assign the following permissions to the user who deploys the instance:

    • Key Vault Data Access Administrator: This permission is required to manage data plane permissions to the key vault used for deployment.
    • Key Vault Secrets Officer: This permission is required to read and write secrets in the key vault used for deployment.
    • Key Vault Contributor: This permission is required to create the key vault used for deployment.
    • Storage Account Contributor: This permission is required to create the storage account used for deployment.
  5. In the right pane, go to Role assignments. Verify that the deployment user has all the configured roles.

  6. In the Azure portal, go to Microsoft Entra Roles and Administrators and assign the Cloud Application Administrator role permission at the Microsoft Entra tenant level.

    Screenshot of the Cloud Application Administrator permission at the tenant level.

    Note

    The Cloud Application Administrator permission is temporarily needed to create the service principal. After deployment, this permission can be removed.
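As an added example that is not part of the article, the following script performs steps 1 to 5 above with Az PowerShell instead of the portal: it assigns the subscription-scope and resource-group-scope roles to the deployment user, skips any that already exist so it can be re-run safely, and then verifies that each role is present at its intended scope. Step 6 is a Microsoft Entra directory role rather than Azure RBAC and is not covered. It assumes the Az.Accounts and Az.Resources modules, a Connect-AzAccount session with rights to assign roles, and placeholder values for the subscription ID, resource group name and user principal name.

```powershell
# Added example (not from the article): assign the Azure RBAC roles from steps
# 1 to 5 above and verify them. Step 6 (Cloud Application Administrator) is a
# Microsoft Entra directory role, not Azure RBAC, and is not covered here.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has
# been run with an account that can assign roles. Values below are placeholders.
$SubscriptionId    = "<subscription-id>"
$ResourceGroupName = "<resource-group-name>"
$UserPrincipalName = "<deployment-user@contoso.com>"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Scope -> roles, as the article lists them.
$SubscriptionScope  = "/subscriptions/$SubscriptionId"
$ResourceGroupScope = "$SubscriptionScope/resourceGroups/$ResourceGroupName"
$RoleMap = [ordered]@{
    $SubscriptionScope  = @("Azure Stack HCI Administrator", "Reader")
    $ResourceGroupScope = @(
        "Key Vault Data Access Administrator",
        "Key Vault Secrets Officer",
        "Key Vault Contributor",
        "Storage Account Contributor"
    )
}

foreach ($scope in $RoleMap.Keys) {
    foreach ($role in $RoleMap[$scope]) {
        # Skip roles already assigned at exactly this scope so the script can
        # be re-run without New-AzRoleAssignment failing on a duplicate.
        $existing = Get-AzRoleAssignment -SignInName $UserPrincipalName `
            -RoleDefinitionName $role -Scope $scope |
            Where-Object { $_.Scope -eq $scope }
        if ($existing) { Write-Output "Already assigned: '$role' at $scope"; continue }
        New-AzRoleAssignment -SignInName $UserPrincipalName `
            -RoleDefinitionName $role -Scope $scope | Out-Null
        Write-Output "Assigned: '$role' at $scope"
    }
}

# Verification (step 5): report any listed role still missing at its scope.
$Missing = foreach ($scope in $RoleMap.Keys) {
    $have = Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $scope |
        Where-Object { $_.Scope -eq $scope } |
        Select-Object -ExpandProperty RoleDefinitionName
    $RoleMap[$scope] | Where-Object { $_ -notin $have } | ForEach-Object { "'$_' at $scope" }
}
if ($Missing) { Write-Warning "Missing assignments: $($Missing -join '; ')" }
else { Write-Output "All deployment roles are assigned." }
```

New role assignments can take a few minutes to propagate, so if the verification reports a role the script just created, wait and re-run the verification part.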

Next steps

After setting up the subscription permissions, you can register your Azure Local machines with Azure Arc.