Allow users to start/stop particular Azure VMs

Question

Our sales team will be using Azure VMs to do sales demos. I would like to be able to allow certain people to be able to start/stop their own VMs at will. I've seen being able to add people as an administrator in the management portal, but this seems to give them access to our whole subscription. I'd like to be able to manage this without having everyone create their own subscription.

Example scenario:

Person A is able to start/stop Person A's dedicated VM.

Person B is able to start/stop Person B's dedicated VM. etc.

Answer 1

In order to allow a user to start and stop a virtual machine you need to create a custom role with the right permissions.

In this answer I will list the steps to follow in order to get this result using the azure command line interface. You can do the same using the Power Shell or the Azure Rest Api (find more information about the commands to be used with the Power Shell at this link and with the Azure Rest Api at this link).

• Create a JSON file with the following content (let us name it newRole.json):

    {
      "Name": "Virtual Machine Operator",
      "IsCustom": true,
      "Description": "Can deallocate, start  and restart virtual machines.",
      "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action"
      ],
      "NotActions": [

      ],
      "AssignableScopes": [
        "/subscriptions/11111111-1111-1111-1111-111111111111"
      ]
    }

• A short explanation of each field of the JSON file:

  • Name: the name of the new role. This is the name that will be shown in the azure portal
  • Is Custom: specifies that it is a user defined role
  • Description: a short description of the role, is is shown as well in the azure portal
  • Actions: the list of action that can be performed by a user associated to this role. Respectively each line allows the user to:
    • See the list of virtual machines (not all of them, we will see later how to specify which VM will be visible to each user)
    • Start one of the virtual machine among those in the list
    • Restart one of the virtual machine among those in the list
    • Deallocate one of the virtual machine among those in the list
  • No Actions: the list of action that can't be performed by a user associated to this role. In this case the list is empty, in general it has to be a subset of the previous field.

  • AssignableScopes: the set of your subscriptions where the role has to be added. Each code is prefixed by the /subscription/ string. You can find the code of your subscription by accessing the subscription menu (identified by this icon)

    

    and copy the value under SUBSCRIPTION ID column

• Login to your azure account with the azure cli executing the command az login. More information about how to install the azure cli and perform the login process respectively here and here.
• Create the new role executing the command az role definition create --role-definition newRole.json.
• Access the portal and select the virtual machine that has to be powered on and off by a user of your choice

• After you selected the machine select Access control (Iam)

  

• From the new blade select Add

• Fill in the fields as follow:
  • Role: Select the role you just created, in our case Virtual Machine Operator
  • Assign access to: Azure AD user, group, or application.
  • Select: the email associated to the account that needs to start/restart/stop the VM
• Press save

After this operations when the user will access the portal she will see the selected VM in the list of the virtual machines. If she selects the virtual machine she will be able to start/restart/stop it.