I have a Resource Group (RG) in Azure. I am the subscription admin and in the RG my role is Owner. I also have two other users assigned to this RG, and their roles are also Owners.
I can create any resources in the RG with no issues. The other 2 users cannot. For example, when they tried to add a SQL Server resource, they were told that "The subscription doesn't have permissions to register the resource provider(s): Microsoft.Sql".
Question: is it possible to grant those non-subscription admin users permission to create resources in the RG, or is this something only a subscription admin can do?
Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.
Well, yes and no. So if you're assigned some blanket role like Contributor, you should be able to create any kind of resources. However, with Custom Roles, an administrator can get super creative and only allow you to create resources of a certain kind.
Owner - Has full access to all resources including the right to delegate access to others. Contributor - Can create and manage all types of Azure resources but can't grant access to others.
Yes, you can do that in 2 ways: grant permission to register resource providers, or register all resource providers upfront.
To register resource providers, use PowerShell or the CLI. PowerShell sample:
Get-AzureRmResourceProvider -ListAvailable | Where-Object { $_.RegistrationState -eq 'NotRegistered'} | Register-AzureRmResourceProvider
Or use the portal. Go to subscriptions, pick subscription in question, pick resource providers and register needed resource providers.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Explanation: https://blogs.msdn.microsoft.com/azure4fun/2016/10/20/common-problem-when-using-azure-resource-groups-rbac/
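The two options from the answer above, narrowed to least privilege, as an added example that is not part of the original answers. It uses the current Az cmdlets rather than the AzureRm ones shown, registers only Microsoft.Sql instead of every provider, and the subscription ID, user names and role name are placeholders.

```powershell
# Added example. Requires the Az PowerShell module and a signed-in subscription admin.
# Placeholders (assumptions): subscription ID, user sign-in names, role name.
$subscriptionId = '00000000-0000-0000-0000-000000000000'        # placeholder
$scope          = "/subscriptions/$subscriptionId"
$rgOwners       = @('user1@example.com', 'user2@example.com')   # placeholders
$roleName       = 'Resource Provider Registrar'                 # hypothetical name

Set-AzContext -Subscription $subscriptionId | Out-Null

# Option 1: register only the provider that is needed, up front.
$sql = Get-AzResourceProvider -ListAvailable |
    Where-Object { $_.ProviderNamespace -eq 'Microsoft.Sql' } |
    Select-Object -First 1
if ($sql.RegistrationState -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Sql' | Out-Null
}

# Option 2: let the RG Owners register providers themselves.
# Registration is a subscription-level operation, so the role is scoped to the
# subscription, but it carries only the register action and nothing else.
$roleJson = @{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Can register resource providers; no other rights.'
    Actions          = @('*/register/action')
    NotActions       = @()
    AssignableScopes = @($scope)
} | ConvertTo-Json
$roleFile = Join-Path ([IO.Path]::GetTempPath()) 'rp-registrar-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8

if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $roleFile | Out-Null
}

foreach ($user in $rgOwners) {
    New-AzRoleAssignment -SignInName $user `
        -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Review what the users now hold at subscription scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $roleName } |
    Select-Object SignInName, RoleDefinitionName, Scope
```

A newly created custom role can take a short time to become assignable, so the assignment loop may need to be re-run.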
Yes. You can. In the Subscriptions Tab on the left of your portal screen, select your subscription and go to IAM (Identity and Access Management). Select the role that you wish to give to the users, in this case "SQL Server Contributor", and add the users. The Contributor role will give them the right to create/delete resources but not the right to give access to the same resource to other users. Check this link for more details.
You can register the required resource providers in the same Subscriptions Tab, in the Resource Providers section.