Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, January 8, 2018 9:06 PM
What permissions are required to view the application gateway backend health?
I get the error:
The client ''with object id '' does not have authorization to perform action 'Microsoft.Network/applicationGateways/backendhealth/action' over scope '/subscriptions/.............
All replies (6)
Tuesday, January 9, 2018 4:54 AM
You get the error that you are not authorized to perform action 'Microsoft.Network/applicationGateways/backendhealth/action' over scope '/subscriptions/’ because you don't have the relevant permissions. You need to have "Virtual Machine Contributor". Refer the article:
/en-us/azure/active-directory/role-based-access-built-in-roles
Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.
Tuesday, January 9, 2018 5:10 AM
you need the "traffic manager contributor" role
Tuesday, January 9, 2018 1:38 PM
You get the error that you are not authorized to perform action 'Microsoft.Network/applicationGateways/backendhealth/action' over scope '/subscriptions/’ because you don't have the relevant permissions. You need to have "Virtual Machine Contributor". Refer the article:
/en-us/azure/active-directory/role-based-access-built-in-roles
Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.
I have the Monitoring Reader and the Reader roles... why would that not be enough?
Do you happen to know specifically which permission inside the "Virtual Machine Contributor" role is needed to view backend health?
/en-us/azure/active-directory/role-based-access-built-in-roles#virtual-machine-contributor
Here are the individual privs for that role:
Virtual Machine Contributor
Can manage virtual machines but not the virtual network or storage account to which they are connected
| Actions | |
|---|---|
| Microsoft.Authorization/*/read | Read authorization |
| Microsoft.Compute/availabilitySets/* | Create and manage compute availability sets |
| Microsoft.Compute/locations/* | Create and manage compute locations |
| Microsoft.Compute/virtualMachines/* | Create and manage virtual machines |
| Microsoft.Compute/virtualMachineScaleSets/* | Create and manage virtual machine scale sets |
| Microsoft.Insights/alertRules/* | Create and manage Insights alert rules |
| Microsoft.Network/applicationGateways/backendAddressPools/join/action | Join network application gateway backend address pools |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Join load balancer backend address pools |
| Microsoft.Network/loadBalancers/inboundNatPools/join/action | Join load balancer inbound NAT pools |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | Join load balancer inbound NAT rules |
| Microsoft.Network/loadBalancers/read | Read load balancers |
| Microsoft.Network/locations/* | Create and manage network locations |
| Microsoft.Network/networkInterfaces/* | Create and manage network interfaces |
| Microsoft.Network/networkSecurityGroups/join/action | Join network security groups |
| Microsoft.Network/networkSecurityGroups/read | Read network security groups |
| Microsoft.Network/publicIPAddresses/join/action | Join network public IP addresses |
| Microsoft.Network/publicIPAddresses/read | Read network public IP addresses |
| Microsoft.Network/virtualNetworks/read | Read virtual networks |
| Microsoft.Network/virtualNetworks/subnets/join/action | Join virtual network subnets |
| Microsoft.ResourceHealth/availabilityStatuses/read | Read health of the resources |
| Microsoft.Resources/deployments/* | Create and manage resource group deployments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Read resource groups |
| Microsoft.Storage/storageAccounts/listKeys/action | List storage account keys |
| Microsoft.Storage/storageAccounts/read | Read storage accounts |
| Microsoft.Support/* | Create and manage support tickets |
Wednesday, January 10, 2018 9:55 AM
Once the user has virtual machine contributor , the user should be able to do all the actions listed in the list shared by you and in the article, for example:
Microsoft.Network/applicationGateways/backendAddressPools/join/action |
Join network application gateway backend address pools |
You may try and let us know.
Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.
Wednesday, January 10, 2018 1:52 PM
Do you know specifically which of those permissions in that list are needed?
Sunday, January 14, 2018 6:44 AM
Application gateway is networking resource. You can use network contributor role or use custom roles and give permissions to read/write application gateways and let us know.
Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.