Mr. Dynamic

Reputation: 529

Allow users to start/stop particular Azure VMs

Our sales team will be using Azure VMs to do sales demos. I would like to be able to allow certain people to start/stop their own VMs at will. I've seen that it is possible to add people as an administrator in the management portal, but this seems to give them access to our whole subscription. I'd like to be able to manage this without having everyone create their own subscription.

Example scenario:

Person A is able to start/stop Person A's dedicated VM.

Person B is able to start/stop Person B's dedicated VM. etc.

Upvotes: 24

Views: 49473

Answers (7)

rlar

Reputation: 926

In order to allow a user to start and stop a virtual machine you need to create a custom role with the right permissions.

In this answer I will list the steps to follow in order to get this result using the Azure Command Line Interface. You can do the same using PowerShell or the Azure REST API (find more information about the commands to be used with PowerShell at this link and with the Azure REST API at this link).

  • Create a JSON file with the following content (let us name it newRole.json):
{
    "Name": "Virtual Machine Operator",
    "IsCustom": true,
    "Description": "Can deallocate, start, and restart virtual machines.",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}
  • A short explanation of each field of the JSON file:

    • Name: the name of the new role. This is the name that will be shown in the Azure Portal

    • IsCustom: specifies that it is a user defined role

    • Description: a short description of the role, also shown in the Azure Portal

    • Actions: the list of actions that can be performed by a user with this role. Each line, respectively, allows the user to:

      • See the list of virtual machines (not all of them, we will see later how to specify which VM will be visible to each user)
      • Start one of the virtual machines among those in the list
      • Restart one of the virtual machines among those in the list
      • Deallocate one of the virtual machines among those in the list
    • NotActions: the list of actions that can't be performed by a user with this role. In this case the list is empty; in general, it is often a subset of the previous field.

    • AssignableScopes: the set of your subscriptions where the role may be added. Each code is prefixed by the /subscriptions/ string. You can find the code of your subscription by accessing the Subscriptions menu and copying the value within the SUBSCRIPTION ID field.

  • Login to your Azure account via the Azure CLI. More information about how to install the Azure CLI and perform the login process may be found here and here.

  • Create the new role executing the command az role definition create --role-definition newRole.json.

  • Access the portal and select the virtual machine that has to be powered on and off by a user of your choice.

  • After you have selected the machine, select Access Control (IAM).

  • From the new blade select Add.

  • Fill in the fields as follows:

    • Role: Select the role you just created -- in our case, Virtual Machine Operator
    • Assign access to: Azure AD user, group, or application.
    • Select: the email associated to the account that needs to start/restart/stop the VM.
  • Select Save.

After this operation, when the user accesses the Azure Portal, they will see the selected VM in the list of the virtual machines. Upon selecting the virtual machine, they will be able to start/restart/stop it.

Upvotes: 31
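To check what the custom role and the VM-scoped assignment from this answer actually grant, here is an added example (not code from the answer above) that models two rules of Azure RBAC: control-plane action matching, where `*` spans any run of characters and comparison is case-insensitive, and scope containment, where an assignment applies to its scope and everything beneath it. It confirms that, for the Person A / Person B scenario in the question, an assignment on Person A's VM does not reach Person B's VM and that this role grants start/restart/deallocate but not powerOff, write or delete. The subscription id, resource group and VM names are constructed placeholders, and DataActions are not modelled.

```python
import re

# Constructed copy of the "Virtual Machine Operator" role from the answer
# above (control-plane Actions only; DataActions are not modelled here).
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "NotActions": [],
}

def _matches(pattern, action):
    """Azure RBAC action matching: case-insensitive, and '*' spans any run of
    characters including '/', so 'Microsoft.Compute/*/read' also matches
    'Microsoft.Compute/virtualMachines/extensions/read'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def role_permits(role, action):
    """Effective permission: matched by some Actions entry and by no NotActions entry."""
    allowed = any(_matches(p, action) for p in role["Actions"])
    denied = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied

def vm_scope(subscription_id, resource_group, vm_name):
    """Resource id of a VM, which is also the narrowest scope an assignment can use."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}")

def scope_covers(assignment_scope, resource_id):
    """A role assignment applies to its own scope and to every resource beneath it."""
    s, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def user_can(role, assignment_scope, resource_id, action):
    """Both are required: the role grants the action and the scope reaches the resource."""
    return scope_covers(assignment_scope, resource_id) and role_permits(role, action)

if __name__ == "__main__":
    # Constructed placeholder ids for the Person A / Person B scenario in the question.
    sub = "11111111-1111-1111-1111-111111111111"
    vm_a = vm_scope(sub, "sales-demo-rg", "vm-person-a")
    vm_b = vm_scope(sub, "sales-demo-rg", "vm-person-b")
    start = "Microsoft.Compute/virtualMachines/start/action"
    print("Person A starts own VM:", user_can(VM_OPERATOR, vm_a, vm_a, start))
    print("Person A starts B's VM:", user_can(VM_OPERATOR, vm_a, vm_b, start))
```

The same two functions apply unchanged to a built-in role such as Virtual Machine Contributor: swap in its Actions list and the scope check is what keeps a sales user confined to one VM.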

Manju N

Reputation: 1222

Through Azure CLI

  1. Create a custom-role file VirtualMachineStartStop.json:

    {
        "Name": "Virtual Machine Start Stop Access",
        "IsCustom": true,
        "Description": "Start/Restart/Deallocate virtual machines",
        "Actions": [
            "Microsoft.Storage/*/read",
            "Microsoft.Network/*/read",
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/deallocate/action"
        ],
        "NotActions": [],
        "AssignableScopes": [
            "/subscriptions/<azure_subscription_id_here>"
        ] 
    }
    
  2. Create role:

    az role definition create --role-definition "./VirtualMachineStartStop.json"
    
  3. Confirm the role creation:

    az role definition list --custom-role-only true
    

Upvotes: 1

Nishan

Reputation: 157

In case you cannot create custom roles, you now have the "Desktop Virtualization Power On Off Contributor" role, which can both start and stop the Virtual Machine (VM). There is also the "Desktop Virtualization Power On Contributor" role, which can only start the VM.

You can assign this in the CLI with the command below with the necessary placeholders filled in:

az role assignment create \
  --assignee *userObjectId* \
  --role "Desktop Virtualization Power On Off Contributor" \
  --scope "/subscriptions/*Your Subscription ID*/resourceGroups/*YourResourceGroup*/providers/Microsoft.Compute/virtualMachines/*YourVirtualMachineName*"

You will need to substitute SubscriptionId, ResourceGroupName, VirtualMachineName and also userObjectId which you can get from the query below.

az ad user show --id "[email protected]" --query objectId --output tsv

Upvotes: 0

Ammo

Reputation: 59

I've created a custom role to allow this. I've tested and it works. You have to start with the "Virtual Machine User Login" role then add the additional permissions. This does of course give the user log permissions as well, but I assume if you are allowing them to start and stop the VM then you would also want them to have the ability to log in.

Via the GUI:

 1. Add Custom Role
 2. Select "Clone a role" and the role to clone is "Virtual Machine User Login"
 3. Click Next
 4. Select add permissions
 5. Scroll down to "Microsoft.Compute.VirtualMachines" and tick
    "Microsoft.Compute/virtualMachines/start/action"
    "Microsoft.Compute/virtualMachines/powerOff/action"
    "Microsoft.Compute/virtualMachines/deallocate/action"
 6. Click Next, select subscription, Next, Next then "Create".

All permissions for the role:

  • Action Microsoft.Network/publicIPAddresses/read
  • Action Microsoft.Network/virtualNetworks/read
  • Action Microsoft.Network/loadBalancers/read
  • Action Microsoft.Network/networkInterfaces/read
  • Action Microsoft.Compute/virtualMachines/*/read
  • Action Microsoft.Compute/virtualMachines/start/action
  • Action Microsoft.Compute/virtualMachines/powerOff/action
  • Action Microsoft.Compute/virtualMachines/deallocate/action
  • DataAction Microsoft.Compute/virtualMachines/login/action

Here's the JSON:

{
  "properties": {
    "roleName": "VM_Operator_test",
    "description": "",
    "assignableScopes": [
      "/subscriptions/exampesubscription/EXAMPLE_RG"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/*/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/deallocate/action"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Compute/virtualMachines/login/action"
        ],
        "notDataActions": []
      }
    ]
  }
}

Upvotes: 5

Andrey Rubanko

Reputation: 299

Open your VM in portal.azure.com, navigate to Access control (IAM), then Role Assignments, and click Add Role Assignment.

Select the standard role Virtual Machine Contributor,

Assign access to: leave the default (Azure AD user, group ...),

In the Select field, enter the email of the new limited user and select Guest.

Save.

That's all.

Upvotes: 10

BrentDaCodeMonkey

Reputation: 5523

My recommendation would be to build your own façade that leverages the Azure Management API to perform these tasks for you. This allows you to put in place your own controls around access/authorization as well as rig it to span multiple subscriptions (should this ever prove necessary). This façade could potentially be hosted in a free tier Azure web site.

Upvotes: 0

Gaurav Mantri

Reputation: 136306

Currently this is not possible. Though it is possible via some programming. What you see on Azure Portal can be achieved through Azure Service Management API. What you could do is write an application which consumes this API and there you could define all the rules.

If you think your sales folks will not mess around, another thing you could do is create some custom PowerShell scripts by making use of Azure PowerShell Cmdlets and they can just execute those scripts to start/stop the VMs.

Upvotes: 0
