
I am attempting to provide access to someone on my account using least-required access by creating an RBAC rule in Azure that gives the person the ability to manage, create, and delete networking resources.

However, when they attempt to delete the VNet integration of an existing function app, the option to disconnect the VNet integration is greyed out. They have the option to remove it when they have contributor access, but not with my custom role. I cannot find what permission they are missing. I could delete it myself, or give them contributor. But I do not want to do either of these, in order to get the correct RBAC policies working.

My custom role has many permissions including:

Microsoft.Network/*
Microsoft.ClassicNetwork/*
Microsoft.Network/virtualNetworks/*
Microsoft.Web/sites/networkConfig/read, write, delete
etc.

I'm clearly missing something but I don't know what permission is lacking to cause this.

[Screenshot: VNet integration disconnect missing.]

I have been adding more and more permissions to the role, anything with a description that even mentions a private endpoint or virtual network. None have worked.

Full permission list:

"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/privateEndpoints/*",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/*",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/*",
"Microsoft.ApiManagement/gateways/read",
"Microsoft.ApiManagement/gateways/write",
"Microsoft.ApiManagement/gateways/delete",
"Microsoft.ApiManagement/gateways/configConnections/read",
"Microsoft.ApiManagement/gateways/configConnections/write",
"Microsoft.ApiManagement/gateways/configConnections/delete",
"Microsoft.ApiManagement/service/write",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/getssotoken/action",
"Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action",
"Microsoft.ApiManagement/service/scheduledMaintenance/action",
"Microsoft.ApiManagement/service/users/action",
"Microsoft.ApiManagement/service/validatePolicies/action",
"Microsoft.ApiManagement/operations/read",
"Microsoft.ApiManagement/locations/operationsStatuses/read",
"Microsoft.ApiManagement/checkNameAvailability/read",
"Microsoft.ApiManagement/reports/read",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/read",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/write",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/delete",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/validate/action",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/operationresults/read",
"Microsoft.ApiManagement/service/privateEndpointConnections/read",
"Microsoft.ApiManagement/service/privateEndpointConnections/write",
"Microsoft.ApiManagement/service/privateEndpointConnections/delete",
"Microsoft.ApiManagement/service/privateLinkResources/read",
"Microsoft.ApiManagement/service/tenants/apis/products/read",
"Microsoft.ApiManagement/service/tenants/apis/diagnostics/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/policies/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/policies/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/delete",
"Microsoft.ApiManagement/service/tenants/apis/policies/read",
"Microsoft.ApiManagement/service/tenants/apis/policies/write",
"Microsoft.ApiManagement/service/tenants/apis/tags/read",
"Microsoft.ApiManagement/service/tenants/apis/tags/write",
"Microsoft.ApiManagement/service/tenants/apis/tags/delete",
"Microsoft.ApiManagement/service/apis/read",
"Microsoft.ApiManagement/service/apis/write",
"Microsoft.Web/sites/Read",
"microsoft.web/sites/networkConfig/read",
"microsoft.web/sites/networkConfig/write",
"microsoft.web/sites/networkConfig/delete",
"microsoft.web/sites/analyzecustomhostname/read",
"microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/read",
"microsoft.web/sites/hostruntime/functions/keys/read",
"microsoft.web/sites/hostruntime/host/read",
"Microsoft.Web/sites/hostruntime/host/_master/read",
"microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read",
"Microsoft.Web/sites/config/Read",
"Microsoft.Web/sites/config/list/Action",
"Microsoft.Web/sites/config/Write",
"microsoft.web/sites/config/delete",
"microsoft.web/sites/config/web/appsettings/read",
"microsoft.web/sites/config/web/appsettings/write",
"microsoft.web/sites/config/web/appsettings/delete",
"microsoft.web/sites/config/web/connectionstrings/read",
"microsoft.web/sites/config/web/connectionstrings/write",
"microsoft.web/sites/config/web/connectionstrings/delete",
"microsoft.web/sites/config/appsettings/read",
"Microsoft.Web/sites/privateEndpointConnections/Write",
"Microsoft.Web/sites/privateEndpointConnections/Read",
"Microsoft.Web/sites/privateEndpointConnections/Delete",
"Microsoft.Web/sites/privateLinkResources/Read",
"Microsoft.Web/sites/sourcecontrols/Read",
"Microsoft.Web/sites/sourcecontrols/Write",
"Microsoft.Web/sites/sourcecontrols/Delete",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Read",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Write",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Delete",
"Microsoft.Web/sites/privateEndpointConnectionProxies/validate/action",
"Microsoft.Web/sites/privateEndpointConnectionProxies/operations/Read",
"microsoft.web/sites/slots/networkConfig/read",
"microsoft.web/sites/slots/networkConfig/write",
"microsoft.web/sites/slots/config/appsettings/read",
"microsoft.web/sites/slots/config/web/appsettings/delete",
"microsoft.web/sites/slots/config/web/connectionstrings/read",
"microsoft.web/sites/slots/config/web/connectionstrings/write",
"microsoft.web/sites/slots/config/web/connectionstrings/delete",
"Microsoft.StorageActions/operations/read",
"Microsoft.Storage/register/action",
"Microsoft.Storage/locations/checknameavailability/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/privateEndpoints/move/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/read",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/delete",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/read",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/write",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/delete",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action",
"Microsoft.Storage/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action",
"Microsoft.Storage/locations/previewActions/action",
"Microsoft.Storage/locations/usages/read",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/skus/read",
"microsoft.web/sites/functions/action",
"Microsoft.Web/staticSites/functions/Read",
"Microsoft.Web/staticSites/builds/userProvidedFunctionApps/Delete",
"Microsoft.Web/serverfarms/Read",
"Microsoft.Web/serverfarms/Delete",
"Microsoft.Web/serverfarms/Write",
"Microsoft.Web/serverfarms/Join/Action",
"Microsoft.Web/serverfarms/restartSites/Action",
"microsoft.web/serverfarms/virtualnetworkconnections/read",
"microsoft.web/serverfarms/virtualnetworkconnections/gateways/write",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/delete",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/read",
"microsoft.web/serverfarms/sites/read",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/write",
"Microsoft.Web/sites/start/Action",
"Microsoft.Web/sites/restart/Action",
"Microsoft.Web/sites/publish/Action",
"Microsoft.Web/sites/PrivateEndpointConnectionsApproval/action",
"microsoft.web/sites/deployWorkflowArtifacts/action",
"microsoft.web/sites/listworkflowsconnections/action",
"microsoft.web/sites/slots/networkConfig/delete",
"Microsoft.Web/sites/slots/config/Read",
"Microsoft.Web/sites/slots/config/list/Action",
"Microsoft.Web/sites/slots/config/Write",
"microsoft.web/sites/slots/config/delete",
"microsoft.web/sites/slots/config/validateupgradepath/action",
"microsoft.web/locations/deleteVirtualNetworkOrSubnets/action",
"microsoft.web/locations/validateDeleteVirtualNetworkOrSubnets/action",
"microsoft.web/sites/slots/virtualnetworkconnections/delete",
"microsoft.web/sites/slots/virtualnetworkconnections/read",
"microsoft.web/sites/slots/virtualnetworkconnections/write",
"microsoft.web/sites/slots/virtualnetworkconnections/gateways/write",
"microsoft.web/sites/virtualnetworkconnections/delete",
"microsoft.web/sites/virtualnetworkconnections/read",
"microsoft.web/sites/virtualnetworkconnections/write",
"microsoft.web/sites/virtualnetworkconnections/gateways/read",
"microsoft.web/sites/virtualnetworkconnections/gateways/write",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicNetwork/virtualNetworks/write",
"Microsoft.ClassicNetwork/virtualNetworks/delete",
"Microsoft.ClassicNetwork/virtualNetworks/peer/action",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/checkIPAddressAvailability/action",
"Microsoft.ClassicNetwork/virtualNetworks/validateMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/prepareMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/commitMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/abortMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/capabilities/read",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/read",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/write",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/delete",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/startDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/stopDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/listCircuitServiceKey/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDeviceConfigurationScript/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/listPackage/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/connect/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/disconnect/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/test/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/download/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/listPackage/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/packages/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.ClassicNetwork/virtualNetworks/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/read",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/write",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/delete",
"Microsoft.HybridNetwork/locations/vendors/networkFunctions/read",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/read",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/write"

2 Answers


The minimum permissions you need to remove VNet integration are:

  1. Microsoft.Web/sites/networkConfig/*
  2. Microsoft.Network/virtualNetworks/read
  3. Microsoft.Network/virtualNetworks/subnets/read
  4. Microsoft.Network/virtualNetworks/subnets/join/action

Your custom role can be refined significantly, since you have Microsoft.Network/*, for example. This covers all subcategories of network permissions, so, either explicitly specifying the granular permissions is duplication, or using the asterisk is over-permissioning.

Since your role appears to include these, in one way or another, make sure that the user has been assigned the role at scopes encompassing both the App Service Plan / Function App, and the VNet which is currently integrated.


4 Comments

This is not enough permissions. I am assigning the role at the subscription scope, covering the entire set of resources. When I assign the contributor role to the user, they can remove the VNet. But when I assign this role, it doesn't work. I have tested it several times, waiting an hour each time after a change.
@ShadChristopherson Could you open the cloud shell in the portal as the user in question, and try this: az functionapp vnet-integration remove --name <functionAppName> --resource-group <resourceGroupName>
That code did work to delete the VNet integration. I can only assume this means the permission error is with some kind of portal access permission being missing, as opposed to a networking permission.
Yes. I expect the Portal web frontend is expecting different permissions to activate the controls on the page than those explicitly required to carry out the actions on the Graph API. I can only stab at a guess of this being Microsoft.Web/sites/config/write, but your permissions seem to include that. It may be worth opening a support case with MS, explaining you have permissions to perform the task in Graph but the UI controls are disabled in the Portal.
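The thread above ends with the CLI path working while the Portal control stays disabled. The following script is an added example (not code from the question or either answer): it checks whether a custom role's Actions list covers the operations the answer lists as the minimum for removing VNet integration, using Azure RBAC's matching rules as assumed here (comparison is case-insensitive and a trailing `*` matches any remainder, including further `/` segments), emits a least-privilege role definition in the document shape `az role definition create --role-definition` accepts, and prints the az CLI commands a subscription owner would run. The role name, subscription id, user and resource names are placeholders, and the two sample Actions lists are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the question or the answers. Assumes Azure RBAC
# action matching: case-insensitive, '*' matches any characters (including '/').
# -f disables pathname expansion so the '*' in action strings is never
# globbed against the local filesystem when lists are word-split.
set -euf

# Operations the answer names as the minimum (networkConfig/* expanded).
REQUIRED_ACTIONS="
Microsoft.Web/sites/networkConfig/read
Microsoft.Web/sites/networkConfig/write
Microsoft.Web/sites/networkConfig/delete
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
"

# Constructed sample: a role that only grants Microsoft.Web operations.
WEB_ONLY_ROLE="
Microsoft.Web/sites/Read
microsoft.web/sites/networkConfig/*
"

# Constructed sample: the least-privilege role built from the answer.
MINIMAL_ROLE="
Microsoft.Web/sites/networkConfig/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
"

# action_covered GRANTED ACTION: succeeds when at least one pattern in the
# whitespace-separated GRANTED list matches ACTION.
action_covered() {
    local action pattern
    action=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for pattern in $1; do
        pattern=$(printf '%s' "$pattern" | tr '[:upper:]' '[:lower:]')
        case "$action" in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# missing_actions GRANTED REQUIRED: prints each REQUIRED operation no GRANTED
# pattern covers; exit status 0 when nothing is missing, 1 otherwise.
missing_actions() {
    local action rc=0
    for action in $2; do
        if ! action_covered "$1" "$action"; then
            printf '%s\n' "$action"
            rc=1
        fi
    done
    return "$rc"
}

# role_definition_json NAME SUBSCRIPTION_ID ACTIONS: emits the custom role
# document that `az role definition create --role-definition` consumes.
role_definition_json() {
    local name="$1" sub="$2" action first=1
    printf '{\n  "Name": "%s",\n  "IsCustom": true,\n' "$name"
    printf '  "Description": "Remove App Service VNet integration only",\n'
    printf '  "Actions": [\n'
    for action in $3; do
        [ "$first" -eq 1 ] || printf ',\n'
        printf '    "%s"' "$action"
        first=0
    done
    printf '\n  ],\n  "NotActions": [],\n'
    printf '  "AssignableScopes": ["/subscriptions/%s"]\n}\n' "$sub"
}

# Dry run: report coverage for both sample roles, then print (not execute)
# the commands an owner would run. SUB_ID and the <...> names are placeholders.
SUB_ID="00000000-0000-0000-0000-000000000000"
echo "web-only role is missing:"
missing_actions "$WEB_ONLY_ROLE" "$REQUIRED_ACTIONS" || true
echo "minimal role is missing:"
missing_actions "$MINIMAL_ROLE" "$REQUIRED_ACTIONS" && echo "(nothing)" || true
echo "role definition to submit:"
role_definition_json "VNet Integration Remover" "$SUB_ID" "$MINIMAL_ROLE"
echo "# owner commands (placeholders, not run here):"
echo "az role definition create --role-definition role.json"
echo "az role assignment create --assignee <userPrincipalName> --role 'VNet Integration Remover' --scope /subscriptions/$SUB_ID"
echo "az functionapp vnet-integration remove --name <functionAppName> --resource-group <resourceGroupName>"
```

The coverage check is the useful part when a role is as long as the one in the question: run `missing_actions` with the role's real Actions list and the answer's required operations, and the output is exactly the set of operations the user lacks at the API level. An empty result with the Portal control still greyed out points, as the comment thread concludes, at the Portal rather than at RBAC.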

They need to remove it from the function app page, not from the ASP nor from the VNet. Or, as @Jamie said, via the az CLI or PowerShell commands.

1 Comment

With the Contributor role, they are able to delete the integration from here. It isn't a problem with being in the wrong place.
