Forum Discussion
What is your experience with Start VM on connect. Share your voice!
I was quite excited about this feature and was able to try it today, unfortunately without a lot of success. 🙂
We already had a similar custom role in place, containing options to read and start/stop/restart/deallocate the VM. Adding the User to this group and enabling the StartOnConnect feature via the portal did not work.
Logs are showing the following error:
RunCommandForAzureVMAsync Session Host with /subscriptions/subIdRemoved/resourceGroups/rg-weu-d-compute-poc/providers/Microsoft.Compute/virtualMachines/VMTestX001 operation GetVM was blocked due to insufficient permissions. Review permissions are assigned as per requirement for start VM on connect. See https://go.microsoft.com/fwlink/?linkid=2151762
To check if the role assignment worked, I ran the "Get-AzVM" PowerShell command in the context of the user in question; this command retrieves the VMs in question. I am also able to see, start and stop VMs via the Azure portal. Therefore, the "insufficient permission" error does not make a lot of sense to me.
Any hints what I could have missed during configuration?
Christoph Distefano: You need to create the custom role: https://docs.microsoft.com/en-us/azure/virtual-desktop/start-virtual-machine-connect#create-a-custom-role-for-start-vm-on-connect.
- Christoph Distefano, Jul 14, 2021, Copper Contributor
Hello evasse, as mentioned in my initial post, we had a similar role already in place (it has more permissions actually, but also read and start permission) and assigned it on Resource Group Level.
And, also as mentioned, the custom role works, since the user can see/start/stop the VMs via Azure Portal or PowerShell after we assign him the role.
Any other information on this, maybe some insights from the troubleshooting within the last months?
- evasse, Jul 14, 2021, Former Employee
Did you pay attention that the service has the rights? Having a similar role is not specific enough. The service needs the rights to start/stop VMs. Please review the doc carefully.
- Christoph Distefano, Jul 14, 2021, Copper Contributor
Ah, awesome, thank you for the hint. I missed it and assigned the role to the user, not the service. My fault, documentation is pretty clear on this! 🙂
Works now. Thank you for your fast replies.
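
The resolution above (the role has to be assigned to the service, not to the connecting user) can be checked before enabling the feature. The following is an added example, not part of the thread or of Microsoft's documentation: it lists which of the VM read and start actions the service's principal is still missing at a given scope. The function names, the display-name parameter and the placeholder scope are assumptions; take the service principal's name from the linked documentation.

```powershell
# Added example. Assumes the Az.Accounts and Az.Resources modules and a signed-in session (Connect-AzAccount).
# Actions the role must grant to the principal that performs the start: read the VM and start it.
$RequiredActions = @(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/start/action'
)

function Test-ActionGranted {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Action)
    # Role definitions may use wildcards such as 'Microsoft.Compute/virtualMachines/*'.
    $allowed = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

function Get-MissingStartVmActions {
    param(
        [Parameter(Mandatory)][string]$PrincipalDisplayName,  # the service's principal, not the end user
        [Parameter(Mandatory)][string]$Scope                  # e.g. the resource group holding the session hosts
    )
    $principals = @(Get-AzADServicePrincipal -DisplayName $PrincipalDisplayName)
    if ($principals.Count -ne 1) {
        throw "Expected one service principal named '$PrincipalDisplayName', found $($principals.Count)."
    }
    # Role assignments for this principal that apply at the given scope.
    $assignments = @(Get-AzRoleAssignment -ObjectId $principals[0].Id -Scope $Scope)
    $roles = foreach ($a in $assignments) {
        Get-AzRoleDefinition -Id ($a.RoleDefinitionId -split '/')[-1]
    }
    # An action is missing when no assigned role grants it.
    $RequiredActions | Where-Object {
        $action = $_
        -not ($roles | Where-Object {
            Test-ActionGranted -Actions $_.Actions -NotActions $_.NotActions -Action $action
        })
    }
}

# Usage (placeholders, fill in your own values):
# Get-MissingStartVmActions -PrincipalDisplayName '<service principal name>' `
#     -Scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'
```

An empty result means the service's principal holds both actions at that scope; any action it prints is one the assigned roles do not cover.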