Introduction
Microsoft only offers the broad built-in Contributor or Azure Connected Machine Resource Administrator roles for Azure Update Manager operations, both of which grant far more permissions than patch management needs. To address this, I’ve created two specialized roles that follow the principle of least privilege – one for Azure VMs and one for Azure Arc-enabled servers.
The Azure Update Manager VM Operator and Azure Update Manager Arc Operator roles provide granular access control for managing updates in your Azure environment. They are designed to give teams exactly the permissions they need – no more, no less.
Role Definitions
- CUSTOM – Update Manager VM Operator
- This role is designed for managing updates on Azure VMs. It includes permissions for patch assessment and installation, and allows viewing update results and operation status.
- CUSTOM – Update Manager Arc Operator
- This role is tailored to Azure Arc-enabled servers, providing the same update management capabilities for hybrid machines, with permissions for patch assessment and installation.
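As an added illustration of what such a least-privilege role looks like (this is example code, not the author's premium role definition), the following Az PowerShell snippet creates a VM-scoped custom role that carries only the patch assess/install actions and the read actions needed to see results; the exact action list and the subscription id are assumptions drawn from the documented Azure Update Manager actions, so verify them against your tenant before use.

```powershell
# Added example, not the author's published role definition.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your own

# Actions are assumed from the Azure Update Manager permission documentation:
# assess/install patches plus the reads needed to view assessment and install results.
$roleJson = @"
{
  "Name": "CUSTOM - Update Manager VM Operator (example)",
  "IsCustom": true,
  "Description": "Assess and install patches on Azure VMs via Azure Update Manager; no VM lifecycle or configuration rights.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/assessPatches/action",
    "Microsoft.Compute/virtualMachines/installPatches/action",
    "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
    "Microsoft.Compute/virtualMachines/patchInstallationResults/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId"
  ]
}
"@

# Write the definition to a file and register it as a custom role.
$roleFile = Join-Path $env:TEMP "aum-vm-operator.json"
Set-Content -Path $roleFile -Value $roleJson
New-AzRoleDefinition -InputFile $roleFile

# Least-privilege check: the role must contain no wildcard, write or delete actions.
# Contributor would fail this check; the custom role returns nothing here.
$role = Get-AzRoleDefinition -Name "CUSTOM - Update Manager VM Operator (example)"
$overPrivileged = $role.Actions | Where-Object { $_ -match '\*|/write$|/delete$' }
if ($overPrivileged) { Write-Warning "Over-privileged actions found: $($overPrivileged -join ', ')" }
```

Assign the role at the resource group or subscription that holds the VMs; the Arc variant is the same shape with `Microsoft.HybridCompute/machines/...` actions in place of `Microsoft.Compute/virtualMachines/...`.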
The custom role package includes:
- JSON Templates: ready-to-deploy role definitions
- Implementation Guidance: instructions for deployment at management group or subscription level
These custom roles are available at docs.kaidojarvemets.com for Premium Members.
Not a Premium Member yet? Get access to these custom roles and more at Premium Membership