Windows Azure Pack and RBAC

Azure PackWindows Azure Pack not having any RBAC capabilities is, in my view and the view of the community , a big show-stopper for a lot of companies to implement this on premise. At least this is mostly true when you want to provide external tenants (so not your own internal departments) with some sort of flexibility when it comes to usermanagement at the tenant side of things. There is for example no way for a tenant user to create an admin users with more rights than a developer.


The final & official statement of the Azure Pack team on RBAC is:

Azure Stack as a product will support RBAC capabilities just like Azure. To clarify, it will not be coming as a feature in our in-market Azure Pack.

So if you have a requirement for RBAC for the tenant portal, you’ll either have to find your own solution or wait for Azure Stack to go live. Production ready dates for Azure Stack are not known or officially communicated, but the rumors tell me it will take a while for it to arrive.

In a development environment we tested Team Access Control (Terawe) because it looked like it could mimic some sort of RBAC at the tenant side. However, with Team Access Control it is not possible to create roles, add users to that roles which are then automatically applied to a subset of virtual machines. With every deployment of a virtual machine, a user with “more rights”, need to set permissions for that newly created virtual machine. With 1000+ vm’s this way of working can be very complicated. It’s also not possible, without AD integration, to prevent regular users to subscribe to the team manager’s plan and become team manager themselves. So I see Team Access control working in a trusted, internal only, environment, but not in a multi-tenant, external oriented, environment.

That leaves us (any ideas on this are welcome!!), with workarounds and tricks, to get something like RBAC for Windows azure Pack. (at least if you lack a development team to build your own resource provider)

The powershell code below is an example of some of the possibilities to get at least some sort of difference between a normal tenant user and, in this case, a user that can see and access all virtual machines in a specific cloud in the tenant portal.

workflow xx_xxx

InlineScript {
        $Commands = {
$cloud = Get-SCCloud -Name "xxxx" 
$vmList = Get-SCVirtualMachine -cloud $cloud
foreach ($vm in $vmlist)
Grant-SCResource -Resource $VM -UserRoleName "userid"

Invoke-Command -Computername $Using:VMMServer -Scriptblock $Commands


You can add the code above to a runbook and link the runbook to the action “VMM Virtual Machine”. Be sure to give the runbook the “SPF” tag, else the runbook is not listed when adding it via the “link an action with a runbook.

A good read about SMA Powershell workflow & Inline Script can be found HERE

Leave a Reply

Your email address will not be published. Required fields are marked *

nine − 2 =