

A question about Azure “Virtual Machine Contributor” role

Question

Wednesday, September 25, 2019 3:58 PM

Azure has defined three RBAC roles regarding virtual machines: Virtual Machine Administrator Login, Virtual Machine Contributor, and Virtual Machine User login. For the moment, it seems that the two ‘Login’ roles are only applicable to Linux virtual machines (Preview: Log in to a Linux virtual machine in Azure using Azure Active Directory authentication http://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad).

By definition, the “Virtual Machine Contributor” role is used to manage a virtual machine, but without access to the VM. Access to a Windows VM requires the use of local accounts defined on the VM through RDP sessions. However, Azure provides a few remote access abilities to a Windows VM directly from the Azure side, for example running any PowerShell script through the Custom Script Extension. As long as an AAD user has been assigned the Virtual Machine Contributor role, he/she can run PowerShell scripts on a Windows VM with ‘NT AUTHORITY\SYSTEM’ privilege. Is this not full access to the VM?

An AAD user with the Virtual Machine Contributor role can also reset the local administrator password through the VMAccess extension. With the local admin password, he/she can also access the VM through RDP.

Why is the “Virtual Machine Contributor” role defined/claimed for management purposes only, without access?
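
The question above turns on which control-plane operations the role's wildcard Actions actually cover. The following is an added example (not from the original post, and not Microsoft's code) that evaluates Azure RBAC role definitions with Azure's wildcard and NotActions semantics and flags the operations that amount to code execution inside the guest: installing an extension (Custom Script, VMAccess) and Run Command. The role definitions in the block are constructed and trimmed to the relevant entries, and the "Custom - VM Contributor without guest execution" role is hypothetical; check them against the output of `Get-AzRoleDefinition -Name "Virtual Machine Contributor" | ConvertTo-Json` before relying on them.

```python
"""Flag Azure RBAC roles whose effective Actions include operations that give
arbitrary code execution inside a VM's guest OS.

Added example, not from the original post. The role definitions below are
CONSTRUCTED and trimmed; verify them against `Get-AzRoleDefinition` output.
"""
import re

# Control-plane operations that yield a code-execution foothold on the guest:
# an extension (CustomScript, VMAccess) runs as SYSTEM/root, as does Run Command.
GUEST_CODE_EXEC_ACTIONS = (
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
)

# Constructed, trimmed role definitions (shape follows Azure's built-in roles).
VM_CONTRIBUTOR = {
    "Name": "Virtual Machine Contributor",
    "Actions": [
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Network/networkInterfaces/*",
    ],
    "NotActions": [],
}

VM_USER_LOGIN = {
    "Name": "Virtual Machine User Login",
    "Actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
    ],
    "NotActions": [],
}

# Hypothetical custom role: VM Contributor's Actions with the guest-execution
# paths carved out through NotActions.
VM_CONTRIBUTOR_NO_GUEST_EXEC = {
    "Name": "Custom - VM Contributor without guest execution",
    "Actions": VM_CONTRIBUTOR["Actions"],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.Compute/virtualMachines/runCommand/action",
    ],
}


def _pattern_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/' separators; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def allows(role: dict, operation: str) -> bool:
    """Effective permission = (some Action matches) and not (some NotAction matches).
    Deny assignments and DataActions are out of scope for this check."""
    granted = any(_pattern_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_pattern_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def guest_code_exec_paths(role: dict) -> list:
    """Return the guest-code-execution operations this role effectively grants."""
    return [op for op in GUEST_CODE_EXEC_ACTIONS if allows(role, op)]


if __name__ == "__main__":
    for role in (VM_CONTRIBUTOR, VM_USER_LOGIN, VM_CONTRIBUTOR_NO_GUEST_EXEC):
        paths = guest_code_exec_paths(role)
        verdict = "CAN run code in the guest" if paths else "cannot run code in the guest"
        print(f"{role['Name']}: {verdict} {paths}")
```

The `Microsoft.Compute/virtualMachines/*` wildcard is what makes the built-in Contributor role a guest-access role in practice, and a custom role with the two NotActions above is the usual way to keep VM lifecycle management while removing that path. Two caveats: NotActions only narrow the role they appear in, so a principal that also holds Contributor or Owner at a higher scope still has the permissions, and this check ignores deny assignments and DataActions (the Login roles grant `Microsoft.Compute/virtualMachines/login/action` as a DataAction, not an Action).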

All replies (3)

Wednesday, September 25, 2019 6:44 PM

It is really just to give users multiple options when it comes to managing their virtual machines. You might have an admin that creates and assigns users to virtual machines but they have no reason to login to the VM. Hence the contributor role would be a good fit. 

You can also have it so users can only log in to the VM but cannot create or manage the VMs. So, for example, if you needed a password reset, the contributor could do that for the users.


Thursday, September 26, 2019 1:58 AM | 1 vote

Agreed. Having different roles for different purposes is a good idea; for example, the two "login" roles are used just for VM access purposes, although they can't be used for Windows VMs yet. The issue I have with the "Virtual Machine Contributor" role is that it does allow an AAD user to manage and access a Windows VM. Due to the nature of Windows server administration, it is difficult to really distinguish management plane operations from data plane operations (a local administrator of a Windows server could enable himself/herself to do anything that a local application user could do on the server). I don't mind if the "Virtual Machine Contributor" role is defined with the access privilege. In the future, when Azure Active Directory authentication can be used to log in to Windows VMs, an Azure account with the Contributor role should be able to log in too.


Thursday, October 3, 2019 7:58 PM

Any further questions on this? 

If the proposed answer was useful please remember to "Up-Vote" and "Mark as Answer" to benefit the community.