Avatar of Florent

by Florent

[Azure] Add multiple admins in a subscription in ARM

February 8, 2017 at 8:00 am in Azure, Microsoft, PowerShell by Florent


I had a request to add some users from Azure AD as Owner of the Azure subscription, in ARM. Being lazy and not wanting to add 10 users manually, I decided to create a PowerShell script (in case I am asked to do the same thing again). This script is available on Technet:

https://gallery.technet.microsoft.com/Add-multiple-admins-in-an-07c7cf59

To use it, create a CSV file in the same location as your script, with 3 columns:

  • Email
  • FirstName
  • Lastname

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/4314.pastedimage1486543883325v2.png

Of my 4 users, only one is an Owner. The script will add the 3 others:

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/8206.pastedimage1486543914274v3.png

Choose your Azure subscription:

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/8206.pastedimage1486543930479v4.png

If a problem occurs while adding a user, you'll get an error message:

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/6014.pastedimage1486543952572v5.png

And if the user is added successfully, you'll get an informational message:

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/6014.pastedimage1486543974692v6.png

And on my Azure view:

http://microsofttouch.fr/cfs-file/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-69/0638.pastedimage1486543983903v7.png
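The Technet script itself is not reproduced on this page. The following is an added example written for this post, not the author's script: it reads the CSV described above (Email, FirstName, Lastname), looks each user up in Azure AD and assigns the Owner role at subscription scope, skipping users who already hold it and reporting an error or an informational message for each row, as the screenshots show. It assumes the AzureRM module of that period, that Login-AzureRmAccount has already been run, and that the subscription ID is passed as a parameter rather than chosen interactively.

```powershell
# Added example, not the script from the post. Assumes the AzureRM module (2017 era)
# and an existing Login-AzureRmAccount session.
function Add-OwnersFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,          # CSV with Email, FirstName, Lastname columns
        [Parameter(Mandatory)][string]$SubscriptionId
    )
    Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null
    $scope = "/subscriptions/$SubscriptionId"

    # Read the current Owner assignments once, so re-running the script is harmless.
    $currentOwners = Get-AzureRmRoleAssignment -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
        ForEach-Object { [string]$_.ObjectId }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn  = $row.Email.Trim()
        $user = Get-AzureRmADUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Error "$upn ($($row.FirstName) $($row.Lastname)) was not found in Azure AD, skipping"
            continue
        }
        if ($currentOwners -contains [string]$user.Id) {
            Write-Information "$upn is already Owner of $SubscriptionId" -InformationAction Continue
            continue
        }
        try {
            New-AzureRmRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Owner' -Scope $scope -ErrorAction Stop | Out-Null
            Write-Information "Added $upn as Owner of $SubscriptionId" -InformationAction Continue
        } catch {
            Write-Error "Failed to add $upn as Owner: $($_.Exception.Message)"
        }
    }
}

# Usage: the CSV sits next to the script, as described above.
# Add-OwnersFromCsv -CsvPath (Join-Path $PSScriptRoot 'admins.csv') -SubscriptionId '<subscription id>'
```

Owner is the most privileged built-in role, so the existing-assignment check matters: it keeps the script idempotent and makes the list of people being granted the role visible in the output of each run.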

If you have any questions, remarks or suggestions, don’t hesitate to contact me :)


[French][Container] Start with Windows Server 2016

June 7, 2016 at 6:00 am in Container, Microsoft, Windows Server 2016 by Florent


If you want to get started with containers on Windows Server 2016, I just published a video that explains the first steps to get off to a good start. This video is in French. It is available here:

https://channel9.msdn.com/Blogs/MVP-Cloud-DataCenter/Windows-Container-avec-Windows-Server-2016-TP5

Don't hesitate to give me your comments :)


[Container] Error when you try to add a static mapping rule

June 3, 2016 at 6:00 am in Container, Microsoft, Windows Server 2016 by Florent

With Windows Server 2016, containers arrive as a new feature of Windows Server. With TP5, the way containers are managed has changed. To manage the network, you no longer need a new switch; instead you use the new PowerShell cmdlet New-ContainerNetwork. To add a NAT rule, you use the Add-ContainerNetworkAdapterStaticMapping command. So I ran this:

$iisCore = Get-Container -Name $containerNameIIS
Add-ContainerNetworkAdapterStaticMapping -Container $iisCore -AdapterName "$containerNameIIS-NetAda" -ExternalPort 80 -InternalPort 80 -Protocol TCP

But I had the following error:

Add-ContainerNetworkAdapterStaticMapping : The operation failed.


After searching for a few minutes, I tried stopping the container and running the command again. This time it worked fine:


I verified that the NAT rule has been created correctly:


Conclusion: you MUST stop the container whose network you want to modify to run the command without error.
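As an added example (not code from the post), here is the sequence above wrapped in one function: stop the container if it is running, add the static mapping, restart it, and then check on the host that the NAT rule really exists. It assumes the Windows Server 2016 TP5 Containers module (Get-Container, Stop-Container and Start-Container with a -Name parameter, and a State property on the container object) and that the container network is a NAT network, so the rule is visible through Get-NetNatStaticMapping.

```powershell
# Added example, not from the post. Assumptions: TP5 Containers module cmdlets
# Get-Container / Stop-Container / Start-Container (-Name), a State property on the
# container object, and a NAT container network so Get-NetNatStaticMapping shows the rule.
function Add-ContainerPortMapping {
    param(
        [Parameter(Mandatory)][string]$ContainerName,
        [Parameter(Mandatory)][int]$ExternalPort,
        [Parameter(Mandatory)][int]$InternalPort,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string]$AdapterName = "$ContainerName-NetAda"   # naming convention used in the post
    )
    $container = Get-Container -Name $ContainerName -ErrorAction Stop

    # The mapping can only be added while the container is stopped (see the conclusion above).
    $wasRunning = $container.State -eq 'Running'
    if ($wasRunning) {
        Stop-Container -Name $ContainerName
        $container = Get-Container -Name $ContainerName
    }
    try {
        Add-ContainerNetworkAdapterStaticMapping -Container $container -AdapterName $AdapterName `
            -ExternalPort $ExternalPort -InternalPort $InternalPort -Protocol $Protocol -ErrorAction Stop
    } finally {
        # Bring the container back even if the mapping failed.
        if ($wasRunning) { Start-Container -Name $ContainerName }
    }

    # Verify on the host side: exactly one rule should exist for this external port/protocol.
    Get-NetNatStaticMapping | Where-Object { $_.ExternalPort -eq $ExternalPort -and $_.Protocol -eq $Protocol }
}

# Usage, for the IIS container of the post:
# Add-ContainerPortMapping -ContainerName $containerNameIIS -ExternalPort 80 -InternalPort 80
```

The verification step is worth keeping: a static mapping exposes the container port on every host address, so listing the rule after each change shows exactly which ports reach the container from outside.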


[Intel NUC] Network driver with Windows Server 2016 TP5

June 1, 2016 at 6:00 am in Intel NUC, Microsoft, Windows Server 2016 by Florent

Because I bought a 6th generation Intel NUC 3 weeks ago, I tried to deploy Windows Server 2016 TP5 on it. The installation works fine. From my laptop, I downloaded the drivers from the Intel website, the Windows 10 64-bit version: https://downloadcenter.intel.com/product/89190

Installing all the drivers works fine, except for the network card driver. I searched the Internet and found the solution to my problem in the following blog post: http://www.sqlbrander.com/2015/12/08/running-windows-server-2016-ctp4-on-an-intel-nuc-5i5ryh/ So I adapted it for TP5.

The following procedure is not official and is not supported, don’t do this in a production environment.

The first step is to disable driver signature verification, with the following commands:

bcdedit /set LOADOPTIONS DISABLE_INTEGRITY_CHECKS
bcdedit /set TESTSIGNING ON
bcdedit /set nointegritychecks ON

Reboot the server. Download the network card driver (from the Intel page linked above) and extract the archive to get the sources:


We will now modify the network driver. The driver is located in the folder Your_Directory\LAN_Win10_64_20.7.1\PRO1000\Winx64\NDIS65. For Windows Server 2016 TP5, we will modify the file named e1d65x64.inf. Open it and search for the following lines:

[ControlFlags]
ExcludeFromSelect = \
PCI\VEN_8086&DEV_153A,\
PCI\VEN_8086&DEV_153B

Replace by:

[ControlFlags]


Copy the following lines:

%E15A0NC.DeviceDesc%            = E15A0.10.0.1,       PCI\VEN_8086&DEV_15A0
%E15A0NC.DeviceDesc%            = E15A0.10.0.1,       PCI\VEN_8086&DEV_15A0&SUBSYS_00008086
%E15A1NC.DeviceDesc%            = E15A1.10.0.1,       PCI\VEN_8086&DEV_15A1
%E15A1NC.DeviceDesc%            = E15A1.10.0.1,       PCI\VEN_8086&DEV_15A1&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2.10.0.1,       PCI\VEN_8086&DEV_15A2&SUBSYS_00011179
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3&SUBSYS_00008086
%E15A3NC.DeviceDesc%            = E15A3.10.0.1,       PCI\VEN_8086&DEV_15A3&SUBSYS_00011179
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F&SUBSYS_00008086
%E156FNC.DeviceDesc%            = E156F.10.0.1,       PCI\VEN_8086&DEV_156F&SUBSYS_00011179
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570&SUBSYS_00008086
%E1570NC.DeviceDesc%            = E1570.10.0.1,       PCI\VEN_8086&DEV_1570&SUBSYS_00011179
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7&SUBSYS_00008086
%E15B7NC.DeviceDesc%            = E15B7.10.0.1,       PCI\VEN_8086&DEV_15B7&SUBSYS_00011179
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8&SUBSYS_00008086
%E15B8NC.DeviceDesc%            = E15B8.10.0.1,       PCI\VEN_8086&DEV_15B8&SUBSYS_00011179

And paste them after the following block:

[Intel.NTamd64.10.0]
; DisplayName                   Section        DeviceID
; -----------                   -------        --------
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A&SUBSYS_00008086
%E153ANC.DeviceDesc%            = E153A,       PCI\VEN_8086&DEV_153A&SUBSYS_00011179
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A&SUBSYS_00008086
%E155ANC.DeviceDesc%            = E155A,       PCI\VEN_8086&DEV_155A&SUBSYS_00011179
%E15A0NC.DeviceDesc%            = E15A0,       PCI\VEN_8086&DEV_15A0
%E15A0NC.DeviceDesc%            = E15A0,       PCI\VEN_8086&DEV_15A0&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2&SUBSYS_00008086
%E15A2NC.DeviceDesc%            = E15A2,       PCI\VEN_8086&DEV_15A2&SUBSYS_00011179
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F&SUBSYS_00008086
%E156FNC.DeviceDesc%            = E156F,       PCI\VEN_8086&DEV_156F&SUBSYS_00011179
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7&SUBSYS_00008086
%E15B7NC.DeviceDesc%            = E15B7,       PCI\VEN_8086&DEV_15B7&SUBSYS_00011179


Save the file and go to Device Manager, to your network card. Choose Update Driver.

Choose the second option to select the driver modified previously.

Give the path to your driver.

You will get a warning saying that the driver is a risk; install it anyway.

The driver is now installed.

You can now access your network with your Intel NUC on Windows Server 2016 TP5.

The last step is to re-enable driver signature verification, with the following commands:

bcdedit /set LOADOPTIONS ENABLE_INTEGRITY_CHECKS
bcdedit /set TESTSIGNING OFF
bcdedit /set nointegritychecks OFF

Reboot the server one last time, and voilà, it works like a charm :)
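While test signing and integrity checks are off, the machine loads any kernel driver, signed or not, so it is worth confirming after the final reboot that the three settings really went back to their defaults. The following added example (not from the post) parses the output of bcdedit /enum {current} and reports whether enforcement is restored. The parser takes the text as a parameter, so it is shown here against a constructed sample of what bcdedit prints while the checks are still disabled; the function name and the sample are mine.

```powershell
# Added example, not from the post: check the three bcdedit settings changed above.
function Get-BootIntegrityState {
    param([Parameter(Mandatory)][string[]]$BcdeditOutput)   # lines from "bcdedit /enum {current}"

    $state = [ordered]@{ TestSigning = $false; NoIntegrityChecks = $false; LoadOptions = '' }
    foreach ($line in $BcdeditOutput) {
        # Entries look like "testsigning             Yes" or "loadoptions   DISABLE_INTEGRITY_CHECKS".
        # When a setting has been cleared it shows "No" or is absent altogether; both count as off.
        if ($line -match '^(?<key>\S+)\s+(?<value>.+?)\s*$') {
            switch ($Matches.key.ToLower()) {
                'testsigning'       { $state.TestSigning       = ($Matches.value -eq 'Yes') }
                'nointegritychecks' { $state.NoIntegrityChecks = ($Matches.value -eq 'Yes') }
                'loadoptions'       { $state.LoadOptions       = $Matches.value }
            }
        }
    }
    $state.SignatureEnforcementRestored = (-not $state.TestSigning) -and
                                          (-not $state.NoIntegrityChecks) -and
                                          ($state.LoadOptions -notmatch 'DISABLE_INTEGRITY_CHECKS')
    [pscustomobject]$state
}

# Live check on this machine (elevated prompt; the braces must be quoted in PowerShell):
# Get-BootIntegrityState -BcdeditOutput (bcdedit /enum '{current}')

# Constructed sample of the bcdedit output while the checks are still disabled.
$sampleWhileDisabled = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows Server
testsigning             Yes
nointegritychecks       Yes
loadoptions             DISABLE_INTEGRITY_CHECKS
'@ -split "`r?`n"

Get-BootIntegrityState -BcdeditOutput $sampleWhileDisabled
```

Run the live check once after the last reboot: SignatureEnforcementRestored should be True, and the test-mode watermark on the desktop should be gone.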


[pfSense] VPN S2S with Azure

May 31, 2016 at 6:00 am in Azure, Microsoft, pfSense by Florent

Because I would like to have a VPN at home and a VPN to Azure, I was advised to use pfSense. This distribution is very flexible: it lets you connect your host/VM to your ISP with PPPoE, and also gives you a capable firewall that handles VPN connections with IPsec, OpenVPN, L2TP, etc.

The idea of this article is to create an S2S VPN with Azure RM via pfSense.

I started by connecting my pfSense VM (1 vCPU, 512 MB RAM) to my ISP with PPPoE. Because I have a dynamic public IP, I created a noip.com account with a DNS record. I connected my pfSense to NOIP so that this public IP is updated automatically, in Services > Dynamic DNS.

When my VM restarts or my lease expires, my IP is updated directly at NOIP.

Azure

I will now create my VPN on Azure. Go to https://portal.azure.com and connect to your subscription. Be sure to create a virtual network, in Resource Manager.

Then create your Virtual Network Gateway, choosing the virtual network created previously, a subnet for the gateway and a public IP. Choose the gateway type VPN, with a VPN type of Route-based.

After some minutes, our gateway is ready. We need to create a Local Network Gateway, which holds the public IP of the pfSense and the local network behind the pfSense that we want to reach.

If you have a public dynamic IP, you can check here: http://scug.be/florent/2016/05/30/powershell-update-your-azure-s2s-vpn-with-dynamic-public-ip/

Now, we need to associate our local network with our virtual gateway. Go to the gateway created previously and click Add.

Choose Site-to-site (IPsec) with the gateway created previously. Provide a shared key. This key will be used in the pfSense configuration.
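The Azure side of this procedure (gateway, local network gateway for the pfSense site, and the IPsec connection) can also be done in PowerShell. The following is an added example, not from the post, using the AzureRM module of the period. Resource group, location, VNet and gateway names, the home address space and the DDNS host name are all assumed values; the pfSense side is still configured by hand, with the shared key the script prints. Rather than a short hand-typed key, it generates 32 random bytes for the pre-shared key.

```powershell
# Added example, not from the post. Assumes the AzureRM module, a logged-in session,
# and an existing VNet with a GatewaySubnet in the resource group below.
$rg       = 'rg-vpn'            # assumed resource group
$location = 'West Europe'       # assumed region
$vnetName = 'vnet-azure'        # assumed VNet created in Resource Manager
$homeNet  = '192.168.1.0/24'    # assumed LAN behind pfSense
$homeFqdn = 'myhome.ddns.net'   # assumed noip.com host name of the pfSense

# A strong pre-shared key: 32 random bytes, hex encoded (64 characters).
function New-SharedKey {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$vnet   = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Public IP and IP configuration for the Azure gateway
$pip = New-AzureRmPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$ipConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Route-based VPN gateway, as chosen in the portal above (provisioning takes a while)
$vpnGw = New-AzureRmVirtualNetworkGateway -Name 'vpngw-azure' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic

# Local network gateway: the pfSense's current public IP (resolved from the DDNS name) and the LAN behind it
$homeIp = ([System.Net.Dns]::GetHostAddresses($homeFqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString
$localGw = New-AzureRmLocalNetworkGateway -Name 'lng-home' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $homeIp -AddressPrefix $homeNet

# Site-to-site IPsec connection with the generated shared key
$psk = New-SharedKey
New-AzureRmVirtualNetworkGatewayConnection -Name 'cn-home' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw -ConnectionType IPsec -SharedKey $psk | Out-Null

$azureGwIp = (Get-AzureRmPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress
Write-Host "Azure gateway public IP (remote gateway for pfSense phase 1): $azureGwIp"
Write-Host "Shared key to paste into pfSense phase 1: $psk"
```

The shared key is the only secret in this setup, so treat the console output accordingly and do not leave it in a transcript or a script file.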

pfSense

Now, we will configure our pfSense to get connectivity to Azure. Go to VPN > IPsec and add a new phase 1. Enter the public IP address of your Azure gateway, with your shared key.

Deactivate DPD.

Save, and add a phase 2 to this phase 1, giving the Azure network that you provided during the virtual network creation.

Apply the changes.

My S2S VPN is now connected.

You can deploy a VM on Azure, in the virtual network where the VPN is connected, without a public IP, and then connect to it from your local network.

Enjoy your connectivity to Azure :)


[PowerShell] Update your Azure S2S VPN with Dynamic Public IP

May 30, 2016 at 6:00 am in Azure, Azure Automation, Microsoft, PowerShell by Florent

I created an S2S VPN with my Azure subscription and, because I don't have a fixed public IP at home, I searched the Internet and found a blog post that talks about this subject: https://www.vnext.be/2013/12/01/windows-azure-s2s-vpn-with-dynamic-public-ip/

The only problem is that this script is for Azure classic and not for Azure RM.

So I modified this script to update your dynamic public IP in Azure, to limit the disruption of your S2S VPN with ARM. At home, this script runs every 5 minutes. I will do an Azure Automation version later.

Don't hesitate to give me your comments/remarks :)

The link: https://gallery.technet.microsoft.com/Update-AzureRM-S2S-VPN-c46cc39e
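The Technet script is not reproduced here. As an added example, not the author's script, here is the core of that logic: resolve the DDNS name, compare the result with the IP stored in the Azure local network gateway, and rewrite the gateway only when the address has changed, so a run every 5 minutes is a no-op most of the time. It assumes the AzureRM module and an already authenticated session (a saved context or a service principal when run from a scheduled task); the resource names are assumptions, and it relies on New-AzureRmLocalNetworkGateway overwriting an existing gateway of the same name, which is how the AzureRM documentation changes a gateway IP.

```powershell
# Added example, not the post's script. Assumes the AzureRM module and an authenticated session.
function Update-LocalGatewayIp {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$GatewayName,     # the Local Network Gateway for the home site
        [Parameter(Mandatory)][string]$DdnsHostName     # e.g. the noip.com name the pfSense updates
    )
    # Current public IP, as published through dynamic DNS
    $resolved = [System.Net.Dns]::GetHostAddresses($DdnsHostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    if (-not $resolved) { throw "$DdnsHostName did not resolve to an IPv4 address" }
    $currentIp = $resolved.IPAddressToString

    $lng = Get-AzureRmLocalNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    if ($lng.GatewayIpAddress -eq $currentIp) {
        Write-Verbose "$GatewayName already points at $currentIp, nothing to do"
        return $false
    }

    Write-Verbose "Public IP changed from $($lng.GatewayIpAddress) to $currentIp, updating $GatewayName"
    # Assumption: re-creating the gateway with the same name overwrites it in place
    # (the pattern used by the AzureRM docs for changing the gateway IP). Keep its address space.
    New-AzureRmLocalNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName `
        -Location $lng.Location -GatewayIpAddress $currentIp `
        -AddressPrefix $lng.LocalNetworkAddressSpace.AddressPrefixes -Force | Out-Null
    return $true
}

# Scheduled every 5 minutes, e.g.:
# Update-LocalGatewayIp -ResourceGroupName 'rg-vpn' -GatewayName 'lng-home' -DdnsHostName 'myhome.ddns.net' -Verbose
```

Returning $true only when an update was written makes it easy to log IP changes from the scheduled task, which is also the moment the tunnel is expected to drop and re-establish.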


[Hyper-V] Nested VM can’t start

May 11, 2016 at 6:00 am in Microsoft, Nano Server, Windows Server 2016 by Florent

With Windows Server 2016 TP4, Microsoft added a new feature, Nested Hyper-V. This feature gives you the possibility to do virtualization inside VMs that are running on Hyper-V.

On April 27th, Microsoft released the TP5 version of Windows Server 2016. Because I'm using my Azure Stack server as host, which is running Windows Server 2016 TP4, I tried to test Nested Hyper-V TP5 on this server. I created a Nano Server with the Hyper-V role and created a VM named WS2016TP5 on it:


I started this VM and I had the following error:

Failed to start the virtual machine ‘WS2016TP5’ because one of the Hyper-V components is not running


The problem is that if you want to run the TP5 version of Nested Hyper-V, your Hyper-V server MUST be on TP5 too. I hope this helped you :)


[WAP] Azure Pack Connector installation and configuration

April 18, 2016 at 6:00 am in Microsoft, WAP, Windows Azure Pack by Florent


In February, Microsoft released the first version of the Azure Pack Connector. This plugin gives you the possibility to deploy and manage VMs in Azure directly from the Windows Azure Pack interface. On April 5th, Microsoft released version 1.1 of the plugin. It's with this version that I will show you how to deploy it.

Before starting, be sure to have a valid Azure subscription and an Azure Active Directory. Then download the Azure Pack Connector: https://github.com/Microsoft/Phoenix/releases/tag/v1.1

Copy the sources to the servers that will host the following 3 components:

  • CMP Server
  • WAP Tenant Extension
  • WAP Admin Extension

Connect to a server that has IIS Manager and generate a self-signed certificate or an enterprise certificate via a PKI. Export this certificate through IIS and import it on each server that will host the 3 previous roles. Import it into the Current User and Local Machine stores, including all extended properties and letting Windows select the store automatically. After that, open the MMC and add the Certificates snap-in for the Local Computer. Open the private key permissions of the certificate and add the Everyone group:


This certificate will be used for the encryption.

You must download and install the following SQL Server 2014 Feature Pack components on each server where the plugin will be installed:

  • Shared Management Objects (SMO)
  • Transact-SQL ScriptDom (SQLDOM)
  • System CLR Types (SQLSysClrTypes)

Restart all servers. We can now start the installation of the plugin. Unzip the archive you downloaded on the server where the admin extension will be installed and run SetupCMP.exe.

Choose to add new features.

Here, I will select the 2 following features:

  • CMP Server
  • WAP Admin Extension

Accept the license, then choose where you want to install the software.

Give the name of the SQL Server that will store the database, with the instance name, for the CMP service, and do the same for the WAP part.

I will use a service account to run the CMP service. This account must be a local administrator of the server. Choose the certificate that you generated at the beginning.

A summary of your installation is shown, and the installation then completes. The new site appears in IIS Manager, and the extension appears in the WAP Admin Portal.

Now go to the server where the Tenant site is hosted and run SetupCMP.exe. The installation is the same, except that you choose the WAP Tenant Extension, choose the existing database, and choose the certificate that you imported. Install the last feature.

Now go to the SQL instance that hosts the Microsoft.MgmtSvc.Store database (WAP DB) and run the following query to create a new user and associate it with the database. You can change the username/password:

USE [master]
GO
CREATE LOGIN [MgmtSvc-CmpWapExtension] WITH PASSWORD=N'pass@word1', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [Microsoft.MgmtSvc.Store]
GO
CREATE USER [MgmtSvc-CmpWapExtension] FOR LOGIN [MgmtSvc-CmpWapExtension]
ALTER USER [MgmtSvc-CmpWapExtension] WITH DEFAULT_SCHEMA=[dbo]
ALTER ROLE [db_owner] ADD MEMBER [MgmtSvc-CmpWapExtension]
GO


Now, we need to update the connection string of the plugin with the correct SQL server name. Go to the server that hosts the CMP extension and open, as administrator, the Web.config file in the folder C:\inetpub\MgmtSvc-CmpWapExtension. Replace the MicrosoftMgmtSvcStoreContext connection string with the following, adapting it to your values:

<add name="MicrosoftMgmtSvcStoreContext" connectionString="Data Source=DEVOC-SQL-001\WAP;Initial Catalog=Microsoft.MgmtSvc.Store;Persist Security Info=True;User ID=MgmtSvc-CmpWapExtension;Password=pass@word1;MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>


Modify the 2 connection strings before this one by appending ;MultipleActiveResultSets=True after the database name.
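The two Web.config edits above are easy to get wrong by hand (a broken XML file takes the extension site down). As an added example, not part of the Azure Pack Connector or of the post, here is the same change done through the .NET XML API: it backs the file up, rewrites the MicrosoftMgmtSvcStoreContext connection string, and appends MultipleActiveResultSets=True to the other connection strings that lack it. The function name is mine; the file path and connection string format are the ones given above, and the SQL server, user and password are parameters.

```powershell
# Added example, not from the plugin or the post. Edits the Web.config described above.
function Update-CmpWebConfig {
    param(
        [string]$Path = 'C:\inetpub\MgmtSvc-CmpWapExtension\Web.config',
        [Parameter(Mandatory)][string]$SqlServer,      # e.g. 'DEVOC-SQL-001\WAP'
        [Parameter(Mandatory)][string]$UserId,         # e.g. 'MgmtSvc-CmpWapExtension'
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    # The connection string has to hold the password in clear, as shown above;
    # the secure string only keeps it out of the command line and history.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $xml = [xml](Get-Content -Path $Path -Raw)

    foreach ($add in $xml.configuration.connectionStrings.add) {
        if ($add.name -eq 'MicrosoftMgmtSvcStoreContext') {
            $add.connectionString = "Data Source=$SqlServer;Initial Catalog=Microsoft.MgmtSvc.Store;" +
                "Persist Security Info=True;User ID=$UserId;Password=$plain;MultipleActiveResultSets=True"
            $add.providerName = 'System.Data.SqlClient'
        }
        elseif ($add.connectionString -notmatch 'MultipleActiveResultSets=True') {
            # The two other strings: append the MARS flag after the existing content.
            $add.connectionString = $add.connectionString.TrimEnd(';') + ';MultipleActiveResultSets=True'
        }
    }
    $xml.Save($Path)
}

# Usage (the password is prompted so it does not end up in the shell history):
# Update-CmpWebConfig -SqlServer 'DEVOC-SQL-001\WAP' -UserId 'MgmtSvc-CmpWapExtension' `
#     -Password (Read-Host -AsSecureString 'SQL password')
```

Since the password ends up in clear text in Web.config either way, the NTFS permissions on C:\inetpub\MgmtSvc-CmpWapExtension are what protect it; the .bak copy the function writes carries the same content and deserves the same permissions.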

Do the previous 2 steps on each CMP server. Now, in IIS on each server, associate the certificate that you used during the installation of the plugin.

Run iisreset on each server to apply the modifications. On one server, we will run the script that registers this new Resource Provider. Go to C:\inetpub\MgmtSvc-CmpWapExtension and run the script Register-ResourceProvider.ps1. You need to provide the name of the server that hosts the Admin extension and the one that hosts the Tenant extension.

In your portal, the RP is now registered correctly.

Now, download the following script https://github.com/Microsoft/Phoenix/blob/master/tools/Create-AADSPN.ps1 and run it on a computer that has the AzureRM module. This script creates a custom application in your Azure AD.

We will now add the plugin to a plan. You will need the following information (all of it is available in the output of the previous script):

  • The subscription number of your Azure (subscriptionId)
  • The number of your Azure AD (tenantId)
  • The key that you provide during the creation of the custom application (appKey)
  • The client id number (App ID)

From the administration portal, add the CMP service to a plan. You will see the following when adding an account; provide the information you obtained before.

Click on the Add Subscription button. If everything is right, you will get a green success message.

Add the subscription to a plan by clicking on Add Selected Subscription To Plan.

Choose which image and size will be available for this plan and click on Save.

In the client portal, you can now deploy a VM on Azure and view its details.

This new plugin is very interesting because it makes it possible to deploy a VM on Azure quickly, but some features are missing, like the possibility to deploy a VM in a European datacenter, a Linux VM, etc.

Troubleshooting

Error 1

After the deployment, I had the following error in the event viewer:

Exception in SyncWorker.SynchWithCmp() : Exception in CmpClient.FetchCmpRequests() : Exception in GetAzureContainers() : The underlying provider failed on Open. – Cannot open database "CMP_DB" requested by the login. The login failed.
Login failed for user ‘DOMAIN\DEVOC-WAPTNT-01$’. :


The 2 computer accounts didn't have the right permissions on the instance that hosts the plugin's DBs. I added the sysadmin right for each account and the error disappeared.

Error 2

If you get the following error:

Exception in SyncWorker.SyncWithAzure() : Exception in FetchServiceProviderAccountList() : Exception in Decrypt() : Keyset does not exist
:


Be sure that the permissions on the certificate are correct: Everyone with Full Control on the private key of the certificate.


[MVP] First nomination

April 4, 2016 at 6:00 am in Microsoft, MVP by Florent


Et voilà, from April 1st 2016, Microsoft elected me Microsoft MVP in the Cloud and Datacenter Management category :)

Microsoft gives me this title for my different activities within the Microsoft community.

I want to thank the people who helped and supported me, Romain, JS, Benoit, Christophe, etc. (sorry to those I was not able to mention, but the list is too long :) ) and you, the readers.
But the one I thank the most is undoubtedly my wife, Alexandra, who supports me when I work evenings and weekends to bring you new content.

What's next for 2016:

And of course, keep blogging, meet new people, discover new products, etc.

Thanks again everyone and see you soon :)


[Azure] Custom RBAC roles

March 9, 2016 at 7:00 am in Azure, Microsoft by Florent

Since December 2015, Microsoft has made it possible to create your own RBAC roles. Today I will show you how to do this. To start, connect to your Azure RM subscription via PowerShell:

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId XXXXXXXXXXXXXXXXXXXXX

When you are connected, you can get the list of Resource Providers that are available with the following command:

Get-AzureRmResourceProvider | FT ProviderNameSpace,ResourceTypes


What I want here is pretty simple. The user/group placed in the role that I will create will be able to create/delete network cards and read/join network security groups and virtual networks. I will use the Microsoft.Network Resource Provider to do this. To get the list of all available operations, use the following command:

Get-AzureRmProviderOperation -OperationSearchString Microsoft.Network/* | Select Operation,OperationName


Here, actions that interest me are the following:

  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action

The first 3 bullets cover creating/reading/deleting network cards, the 4th and 5th cover reading NSGs and joining them, and finally the last 3 bullets are for reading virtual networks and subnets and getting an IP from the pool.

To store network cards, the user needs the right to write to the Resource Group, and therefore to read it. You will add the following 2 lines:

  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write

Now that we have all actions, we can create the following JSON file:

{
  "Name": "Admin Network Card",
  "Id": "67794e3b-eeeb-4e5c-a98b-27cc053a0b35",
  "IsCustom": true,
  "Description": "Can create and delete Network Interfaces.",
  "Actions": [
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/XXXXXXXXXXXXXXXXXXX"
  ]
}

Obviously, replace XXXXXXXXXXXXX with the ID of the subscription where it will be possible to use this role. You can add multiple subscriptions. You can also change the Name and Description.

Save this file with the extension .json and use the following command to import it:

New-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json


With an administrator account, go to the resource group where the role will be applied and add the new role by clicking on Access > Add > Select a role.

Add the account/group that will have the possibility to deploy network cards.

If you navigate to Access > Roles > Admin Network Card > Properties, you can view the permissions that will be applied on the RG.

Now, connect with the account that has the rights to deploy a network card, and try to create an NSG (we only have permissions to read/join an NSG).

We get an error, which is expected. The message is clear: we don't have the rights to do this.

I will now create a virtual network with a subnet and an NSG, with an administrator account. I can now read the NSG and virtual network that are in the Resource Groups where I have rights.

Now try to deploy a new network card that can be attached to a VM. The deployment completes successfully.

If you want to modify your role without deleting and recreating it, you just need to get its ID and insert it in your JSON file:

Get-AzureRmRoleDefinition -Name "Admin Network Card"


After, execute the following command to update it in Azure:

Set-AzureRmRoleDefinition -InputFile C:\Users\flore\Desktop\CustomRole.json

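The JSON-file route above works, but a typo in an action string is not rejected by Azure; it simply grants nothing, and copying the Id into the file for every update is error-prone. The following added example (not from the post) builds the same "Admin Network Card" definition as a PSRoleDefinition object, checks every non-wildcard action against the operations the providers actually publish (the list Get-AzureRmProviderOperation returns, as used above), and then either creates the role or updates the existing one in place, keeping its Id. It assumes the AzureRM module and a logged-in session; the function name is mine and the subscription ID is a parameter.

```powershell
# Added example, not from the post. Assumes the AzureRM module and a logged-in session.
function Set-NetworkCardAdminRole {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [string]$RoleName = 'Admin Network Card'
    )
    # Same action list as the JSON file above
    $actions = @(
        'Microsoft.Network/networkInterfaces/read',
        'Microsoft.Network/networkInterfaces/write',
        'Microsoft.Network/networkInterfaces/delete',
        'Microsoft.Network/networkSecurityGroups/read',
        'Microsoft.Network/networkSecurityGroups/join/action',
        'Microsoft.Network/virtualNetworks/read',
        'Microsoft.Network/virtualNetworks/subnets/read',
        'Microsoft.Network/virtualNetworks/subnets/join/action',
        'Microsoft.Resources/deployments/read',
        'Microsoft.Resources/deployments/write',
        'Microsoft.Authorization/*/read',
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Support/*'
    )

    # Fail early on a mistyped action: Azure would accept it and silently grant nothing.
    $published = (Get-AzureRmProviderOperation -OperationSearchString '*').Operation
    $unknown = $actions | Where-Object { $_ -notmatch '\*' -and $published -notcontains $_ }
    if ($unknown) { throw "Unknown operation(s): $($unknown -join ', ')" }

    $scope = "/subscriptions/$SubscriptionId"
    $existing = Get-AzureRmRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Update in place: the Id stays, only the permission lists and scopes are replaced.
        $existing.Actions.Clear();          foreach ($a in $actions) { $existing.Actions.Add($a) }
        $existing.NotActions.Clear()
        $existing.AssignableScopes.Clear(); $existing.AssignableScopes.Add($scope)
        return Set-AzureRmRoleDefinition -Role $existing
    }

    # Start from a built-in role to get a correctly typed object, then overwrite every field.
    $role = Get-AzureRmRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.Name        = $RoleName
    $role.IsCustom    = $true
    $role.Description = 'Can create and delete Network Interfaces.'
    $role.Actions.Clear();          foreach ($a in $actions) { $role.Actions.Add($a) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear(); $role.AssignableScopes.Add($scope)
    return New-AzureRmRoleDefinition -Role $role
}

# Usage:
# Set-NetworkCardAdminRole -SubscriptionId 'XXXXXXXXXXXXXXXXXXX'
```

Because the role is looked up by name, running the function a second time after editing the action list updates the existing definition, which is the same effect as the Get-AzureRmRoleDefinition / Set-AzureRmRoleDefinition pair shown above, without copying the Id by hand.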

This new functionality will help you give the right rights to the right people, without any impact on the production environment, since it is no longer necessary to be co-administrator of the subscription :)