I am attempting to provide access to someone on my account using least-required access by creating an RBAC rule in Azure that gives the person the ability to manage, create, and delete networking resources.
However, when they attempt to delete the VNet integration of an existing function app, the option to disconnect the VNet integration is greyed out. They have the option to remove it when they have contributor access, but not with my custom role. I cannot find what permission they are missing. I could delete it myself, or give them contributor. But I do not want to do either of these, in order to get the correct RBAC policies working.
My custom role has many permissions including:
Microsoft.Network/*
Microsoft.ClassicNetwork/*
Microsoft.Network/virtualNetworks/*
Microsoft.Web/sites/networkConfig/read, write, delete
etc.
I’m clearly missing something but I don’t know what permission is lacking to cause this.
[Screenshot: VNet integration disconnect missing.]
I have been adding more and more permissions to the role. Anything with a description that even mentions a private endpoint or virtual network. None have worked.
Full permission list:
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/privateEndpoints/*",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/*",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/*",
"Microsoft.ApiManagement/gateways/read",
"Microsoft.ApiManagement/gateways/write",
"Microsoft.ApiManagement/gateways/delete",
"Microsoft.ApiManagement/gateways/configConnections/read",
"Microsoft.ApiManagement/gateways/configConnections/write",
"Microsoft.ApiManagement/gateways/configConnections/delete",
"Microsoft.ApiManagement/service/write",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/getssotoken/action",
"Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action",
"Microsoft.ApiManagement/service/scheduledMaintenance/action",
"Microsoft.ApiManagement/service/users/action",
"Microsoft.ApiManagement/service/validatePolicies/action",
"Microsoft.ApiManagement/operations/read",
"Microsoft.ApiManagement/locations/operationsStatuses/read",
"Microsoft.ApiManagement/checkNameAvailability/read",
"Microsoft.ApiManagement/reports/read",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/read",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/write",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/delete",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/validate/action",
"Microsoft.ApiManagement/service/privateEndpointConnectionProxies/operationresults/read",
"Microsoft.ApiManagement/service/privateEndpointConnections/read",
"Microsoft.ApiManagement/service/privateEndpointConnections/write",
"Microsoft.ApiManagement/service/privateEndpointConnections/delete",
"Microsoft.ApiManagement/service/privateLinkResources/read",
"Microsoft.ApiManagement/service/tenants/apis/products/read",
"Microsoft.ApiManagement/service/tenants/apis/diagnostics/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/policies/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/policies/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/read",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/write",
"Microsoft.ApiManagement/service/tenants/apis/operations/tags/delete",
"Microsoft.ApiManagement/service/tenants/apis/policies/read",
"Microsoft.ApiManagement/service/tenants/apis/policies/write",
"Microsoft.ApiManagement/service/tenants/apis/tags/read",
"Microsoft.ApiManagement/service/tenants/apis/tags/write",
"Microsoft.ApiManagement/service/tenants/apis/tags/delete",
"Microsoft.ApiManagement/service/apis/read",
"Microsoft.ApiManagement/service/apis/write",
"Microsoft.Web/sites/Read",
"microsoft.web/sites/networkConfig/read",
"microsoft.web/sites/networkConfig/write",
"microsoft.web/sites/networkConfig/delete",
"microsoft.web/sites/analyzecustomhostname/read",
"microsoft.web/sites/providers/Microsoft.Insights/diagnosticSettings/read",
"microsoft.web/sites/hostruntime/functions/keys/read",
"microsoft.web/sites/hostruntime/host/read",
"Microsoft.Web/sites/hostruntime/host/_master/read",
"microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read",
"Microsoft.Web/sites/config/Read",
"Microsoft.Web/sites/config/list/Action",
"Microsoft.Web/sites/config/Write",
"microsoft.web/sites/config/delete",
"microsoft.web/sites/config/web/appsettings/read",
"microsoft.web/sites/config/web/appsettings/write",
"microsoft.web/sites/config/web/appsettings/delete",
"microsoft.web/sites/config/web/connectionstrings/read",
"microsoft.web/sites/config/web/connectionstrings/write",
"microsoft.web/sites/config/web/connectionstrings/delete",
"microsoft.web/sites/config/appsettings/read",
"Microsoft.Web/sites/privateEndpointConnections/Write",
"Microsoft.Web/sites/privateEndpointConnections/Read",
"Microsoft.Web/sites/privateEndpointConnections/Delete",
"Microsoft.Web/sites/privateLinkResources/Read",
"Microsoft.Web/sites/sourcecontrols/Read",
"Microsoft.Web/sites/sourcecontrols/Write",
"Microsoft.Web/sites/sourcecontrols/Delete",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Read",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Write",
"Microsoft.Web/sites/privateEndpointConnectionProxies/Delete",
"Microsoft.Web/sites/privateEndpointConnectionProxies/validate/action",
"Microsoft.Web/sites/privateEndpointConnectionProxies/operations/Read",
"microsoft.web/sites/slots/networkConfig/read",
"microsoft.web/sites/slots/networkConfig/write",
"microsoft.web/sites/slots/config/appsettings/read",
"microsoft.web/sites/slots/config/web/appsettings/delete",
"microsoft.web/sites/slots/config/web/connectionstrings/read",
"microsoft.web/sites/slots/config/web/connectionstrings/write",
"microsoft.web/sites/slots/config/web/connectionstrings/delete",
"Microsoft.StorageActions/operations/read",
"Microsoft.Storage/register/action",
"Microsoft.Storage/locations/checknameavailability/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/privateEndpoints/move/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/read",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/delete",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/read",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/write",
"Microsoft.Storage/storageAccounts/privateEndpointConnectionProxies/delete",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/locations/deleteVirtualNetworkOrSubnets/action",
"Microsoft.Storage/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action",
"Microsoft.Storage/locations/previewActions/action",
"Microsoft.Storage/locations/usages/read",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/skus/read",
"microsoft.web/sites/functions/action",
"Microsoft.Web/staticSites/functions/Read",
"Microsoft.Web/staticSites/builds/userProvidedFunctionApps/Delete",
"Microsoft.Web/serverfarms/Read",
"Microsoft.Web/serverfarms/Delete",
"Microsoft.Web/serverfarms/Write",
"Microsoft.Web/serverfarms/Join/Action",
"Microsoft.Web/serverfarms/restartSites/Action",
"microsoft.web/serverfarms/virtualnetworkconnections/read",
"microsoft.web/serverfarms/virtualnetworkconnections/gateways/write",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/delete",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/read",
"microsoft.web/serverfarms/sites/read",
"microsoft.web/serverfarms/virtualnetworkconnections/routes/write",
"Microsoft.Web/sites/start/Action",
"Microsoft.Web/sites/restart/Action",
"Microsoft.Web/sites/publish/Action",
"Microsoft.Web/sites/PrivateEndpointConnectionsApproval/action",
"microsoft.web/sites/deployWorkflowArtifacts/action",
"microsoft.web/sites/listworkflowsconnections/action",
"microsoft.web/sites/slots/networkConfig/delete",
"Microsoft.Web/sites/slots/config/Read",
"Microsoft.Web/sites/slots/config/list/Action",
"Microsoft.Web/sites/slots/config/Write",
"microsoft.web/sites/slots/config/delete",
"microsoft.web/sites/slots/config/validateupgradepath/action",
"microsoft.web/locations/deleteVirtualNetworkOrSubnets/action",
"microsoft.web/locations/validateDeleteVirtualNetworkOrSubnets/action",
"microsoft.web/sites/slots/virtualnetworkconnections/delete",
"microsoft.web/sites/slots/virtualnetworkconnections/read",
"microsoft.web/sites/slots/virtualnetworkconnections/write",
"microsoft.web/sites/slots/virtualnetworkconnections/gateways/write",
"microsoft.web/sites/virtualnetworkconnections/delete",
"microsoft.web/sites/virtualnetworkconnections/read",
"microsoft.web/sites/virtualnetworkconnections/write",
"microsoft.web/sites/virtualnetworkconnections/gateways/read",
"microsoft.web/sites/virtualnetworkconnections/gateways/write",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicNetwork/virtualNetworks/write",
"Microsoft.ClassicNetwork/virtualNetworks/delete",
"Microsoft.ClassicNetwork/virtualNetworks/peer/action",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/checkIPAddressAvailability/action",
"Microsoft.ClassicNetwork/virtualNetworks/validateMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/prepareMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/commitMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/abortMigration/action",
"Microsoft.ClassicNetwork/virtualNetworks/capabilities/read",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/read",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/write",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/delete",
"Microsoft.ClassicNetwork/virtualNetworks/subnets/associatedNetworkSecurityGroups/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/startDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/stopDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDiagnostics/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/listCircuitServiceKey/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/downloadDeviceConfigurationScript/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/listPackage/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/connect/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/disconnect/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/connections/test/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/download/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRootCertificates/listPackage/action",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/write",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/clientRevokedCertificates/delete",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/packages/read",
"Microsoft.ClassicNetwork/virtualNetworks/gateways/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.ClassicNetwork/virtualNetworks/operationStatuses/read",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/read",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/write",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies/delete",
"Microsoft.HybridNetwork/locations/vendors/networkFunctions/read",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/read",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/write"
2 Answers
The minimum permissions you need to remove VNet integration are:
Microsoft.Web/sites/networkConfig/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Your custom role can be refined significantly, since you have Microsoft.Network/*, for example. This covers all subcategories of network permissions, so either explicitly specifying the granular permissions is duplication, or using the asterisk is over-permissioning. Since your role appears to include these, in one way or another, make sure that the user has been assigned the role at scopes encompassing both the App Service Plan / Function App, and the VNet which is currently integrated.
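To make the two points in this answer concrete, here is an added example (not code from the question or either answer) that models how Azure RBAC matches an operation against a role's Actions and NotActions (case-insensitive, with `*` covering any run of characters, slashes included), checks a subset of the asker's role against the minimum set above, flags entries already subsumed by a wildcard such as `Microsoft.Network/*`, and emits a minimal custom-role body in the JSON layout `az role definition create --role-definition` accepts. Assumptions: `Microsoft.Web/sites/networkConfig/*` is expanded into the read/write/delete operations the asker already lists, the role name and subscription id are placeholders, and `ASKER_ROLE` is a hand-picked subset of the posted permission list.

```python
"""Azure RBAC action matching for the VNet-integration disconnect case (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Minimum actions named in the answer. Assumption: networkConfig/* is expanded to the
# read/write/delete operations the asker lists, so every entry is a concrete operation.
REQUIRED_OPERATIONS = [
    "Microsoft.Web/sites/networkConfig/read",
    "Microsoft.Web/sites/networkConfig/write",
    "Microsoft.Web/sites/networkConfig/delete",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
]

# Constructed subset of the asker's role, copied from the question as posted.
ASKER_ROLE = {
    "Actions": [
        "Microsoft.Network/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Web/sites/Read",
        "microsoft.web/sites/networkConfig/read",
        "microsoft.web/sites/networkConfig/write",
        "microsoft.web/sites/networkConfig/delete",
        "microsoft.web/sites/virtualnetworkconnections/delete",
    ],
    "NotActions": [],
}


def action_matches(pattern: str, operation: str) -> bool:
    """True when an RBAC action string (possibly containing '*') covers a concrete operation.
    Azure compares case-insensitively and '*' spans any characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(role: Dict[str, List[str]], operation: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry matches."""
    allowed = any(action_matches(p, operation) for p in role.get("Actions", []))
    denied = any(action_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def coverage(role: Dict[str, List[str]], required: List[str]) -> Dict[str, List[str]]:
    """Map each required operation to the role entries that grant it (empty list = gap)."""
    return {op: [p for p in role.get("Actions", []) if action_matches(p, op)] for op in required}


def missing(role: Dict[str, List[str]], required: List[str]) -> List[str]:
    """Required operations the role does not grant once NotActions are applied."""
    return [op for op in required if not is_permitted(role, op)]


def redundant_entries(actions: List[str]) -> List[Tuple[str, str]]:
    """(entry, wildcard) pairs where another wildcard entry in the same list already covers entry."""
    found = []
    for entry in actions:
        for other in actions:
            if other != entry and "*" in other and action_matches(other, entry):
                found.append((entry, other))
                break
    return found


def minimal_role_definition(assignable_scope: str) -> dict:
    """Role body for `az role definition create --role-definition <file>`; the name is an assumption."""
    return {
        "Name": "Function App VNet Integration Operator",
        "IsCustom": True,
        "Description": "Connect and disconnect regional VNet integration on a Function App.",
        "Actions": [
            "Microsoft.Web/sites/networkConfig/*",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
        ],
        "NotActions": [],
        "AssignableScopes": [assignable_scope],
    }


if __name__ == "__main__":
    for op, grantors in coverage(ASKER_ROLE, REQUIRED_OPERATIONS).items():
        print(f"{op:58s} <- {grantors or 'MISSING'}")
    print("missing:", missing(ASKER_ROLE, REQUIRED_OPERATIONS))
    print("redundant:", redundant_entries(ASKER_ROLE["Actions"]))
    # Placeholder subscription id; substitute the real scope before use.
    print(json.dumps(minimal_role_definition("/subscriptions/00000000-0000-0000-0000-000000000000"), indent=2))
```

Running it against the posted subset reports no missing operation and lists `Microsoft.Network/virtualNetworks/*` as subsumed by `Microsoft.Network/*`, which is the answer's point: the role already grants everything the disconnect needs, so the remaining variable is where the role is assigned. `AssignableScopes` only limits where the definition may be assigned; the assignment itself (for example with `az role assignment create`) still has to sit at a scope that contains both the Function App and the integrated VNet, since the `subnets/join/action` check is evaluated against the subnet resource, not the site.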
They need to remove it from the Function App page, not from the ASP nor from the VNet. Or, as @Jamie said, via the az CLI or PowerShell commands.