What roles is sufficient for The Network Team member to setup and configure Azure ExpressRoute, VNETs, UDR, Firewall, AppGW and NSGs in all of my Subscriptions?

Question

Hi All,

I need to grant a specific team of external contractor the capability to create, manage and troubleshoot: Azure ExpressRoute, UDR, AppGw, VNETs, Firewall and NSGs.

Which roles should I grant for the Azure AD group under the Privileged Identity Management and Manage > Roles?

Network Contributor: https://video2.skills-academy.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
Network Administrator: https://video2.skills-academy.com/en-us/azure/active-directory/roles/permissions-reference#network-administrator

Thank you in advance.

Answer

Hi @EnterpriseArchitect ,

As you mentioned, you need at least a network contributor role to manage VNETs and NSGs. For firewalls depending on what you need to do you may need something more privileged like a Security Administrator or a Global Admin, since part of the features in Azure Firewall involve setting up or denying access for particular users.

You could look into custom roles but depending on what you need to do for user access controls you may end up needing higher privilege. For most of the things you mentioned Network Contributor will be enough, though.

Share via

What roles is sufficient for The Network Team member to setup and configure Azure ExpressRoute, VNETs, UDR, Firewall, AppGW and NSGs in all of my Subscriptions?

1 answer

Your answer