Karl Binger
May 12, 2023

Gallery sharing issues when sharing with entire tenant

We got approved for the preview feature for sharing galleries with subscriptions and tenants (https://learn.microsoft.com/en-us/azure/virtual-machines/share-gallery-direct?tabs=portaldirect); however, when I go to enable sharing at the tenant level, the gallery/images are not visible from only one (random) sub. 


Here's the process I used:

1) Deployed a new gallery in Sub1 and enabled sharing to be "RBAC + Direct shared gallery"

2) Added sharing type of "Tenant" and selected the only tenant available

3) Attempted to create a VM from that gallery from the other subscriptions but could only see the gallery (i.e., when creating the VM, selected See Images, then selected "Direct Shared Images (PREVIEW)", but nothing shows up).


If I change the sharing type to "Subscription" and select all/any subscription it works; however, the issue we are trying to solve for is that the gallery/images are shared across the entire tenant so every time a subscription gets created we don't have to have a process to grant permissions to the galleries.
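A small checker for the configuration side of steps 1 and 2, added here as an example and not part of this thread or of Azure's own tooling: it reads the sharingProfile that `az sig show` prints for the gallery and reports whether a given consumer tenant or subscription is actually listed, and under which sharing type. The gallery name and all IDs below are constructed placeholders.

```python
"""Check an Azure Compute Gallery sharingProfile for tenant-level direct sharing.

Input is the JSON printed by `az sig show -g <rg> -r <gallery>`; the check confirms
permissions are "Groups" (RBAC + direct shared gallery) and that the consumer's
tenant or subscription ID is actually listed in the sharing groups.
"""
import json

# Constructed sample (placeholder IDs): a gallery configured as in the post,
# direct sharing enabled and shared with one tenant, no per-subscription entries.
SAMPLE_GALLERY_JSON = """
{
  "name": "myGallery",
  "location": "eastus",
  "sharingProfile": {
    "permissions": "Groups",
    "groups": [
      {"type": "AADTenants", "ids": ["00000000-0000-0000-0000-00000000aaaa"]}
    ]
  }
}
"""

def sharing_status(gallery: dict, tenant_id: str, subscription_id: str) -> dict:
    """Report by which direct-sharing route, if any, a consumer should see the gallery."""
    profile = gallery.get("sharingProfile") or {}
    direct = profile.get("permissions") == "Groups"   # "Private" means RBAC only
    tenants, subs = set(), set()
    for group in profile.get("groups") or []:
        ids = {i.lower() for i in group.get("ids") or []}
        if group.get("type") == "AADTenants":
            tenants |= ids
        elif group.get("type") == "Subscriptions":
            subs |= ids
    tenant_shared = direct and tenant_id.lower() in tenants
    sub_shared = direct and subscription_id.lower() in subs
    return {"direct_enabled": direct, "tenant_shared": tenant_shared,
            "sub_shared": sub_shared, "visible": tenant_shared or sub_shared}

def check_from_json(text: str, tenant_id: str, subscription_id: str) -> dict:
    """Parse `az sig show` output and run sharing_status on it."""
    return sharing_status(json.loads(text), tenant_id, subscription_id)

if __name__ == "__main__":
    # Consumer in the shared tenant but a subscription not listed individually:
    # expect tenant_shared=True, sub_shared=False, visible=True.
    print(check_from_json(SAMPLE_GALLERY_JSON,
                          "00000000-0000-0000-0000-00000000aaaa",
                          "11111111-1111-1111-1111-111111111111"))
```

If it reports tenant_shared for a consumer that still sees nothing, the sharing profile itself is not the problem. Shared galleries are listed per region (`az sig list-shared --location <region>`), so also confirm the region you are deploying into.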


    marvinconejo
    Hello there!
    It seems like you are encountering issues while attempting to share galleries with an entire tenant using the RBAC + Direct Shared Gallery sharing method. While you were able to enable sharing at the tenant level, you are unable to see the gallery/images from one of your subscriptions.

    Based on the process you used, it appears that you have taken the correct steps in deploying a new gallery and enabling sharing to be "RBAC + Direct shared gallery." However, it seems like the issue arises when you attempt to create a VM from that gallery from other subscriptions.

    If changing the sharing type to "Subscription" and selecting all/any subscription works, then it is possible that there may be some permission issues when attempting to share galleries at the tenant level. It could be that the RBAC permissions have not been correctly assigned to the appropriate users or groups in the affected subscription.

    To resolve the issue, you may need to check the permissions assigned to the affected subscription and ensure that the RBAC permissions are correctly assigned to the appropriate users or groups in that subscription. Additionally, you may also want to review the logs and diagnostic data to help identify the root cause of the issue.

    It is worth noting that since the feature you are using is still in preview, there may be some limitations or known issues that you should be aware of. Therefore, it may be a good idea to check the documentation or contact Microsoft support for further assistance in resolving the issue.
  • Karl Binger 

    Sharing galleries with an entire tenant in Azure can sometimes result in issues where the gallery/images are not visible in specific subscriptions. While the exact cause of the issue might require further investigation, there are a few factors you can consider to troubleshoot and resolve the problem:

    1. Validate tenant permissions: Ensure that the user account used to enable sharing at the tenant level has the necessary permissions across all subscriptions within the tenant. The user account should have the required RBAC (Role-Based Access Control) permissions to view and access the galleries and images.

    2. Check subscription permissions: Verify that the user accounts within the affected subscriptions have the appropriate RBAC permissions to view and access the shared galleries. They should have at least the necessary read permissions on the shared galleries to see them when creating a VM.

    3. Review sharing settings: Double-check the sharing settings for the gallery in Sub1. Ensure that the sharing type is correctly set to "RBAC + Direct shared gallery" and the correct tenant is selected for sharing. Also, confirm that the gallery/image visibility is set to "Public" or "Private" as per your requirements.

    4. Ensure proper registration: Ensure that the Azure Resource Provider for the gallery feature is registered and available in all subscriptions within the tenant. You can check the registration status using the Azure PowerShell command `Get-AzResourceProvider -ProviderNamespace Microsoft.Compute`.

    5. Verify Azure region compatibility: Confirm that the gallery and the subscriptions are in the same Azure region. Some Azure features and services may have regional limitations or dependencies, and ensuring regional compatibility can help avoid potential issues.

    If the issue persists after checking these factors, consider opening a support ticket with Microsoft Azure Support. They can provide further assistance and investigate the specific configuration and permissions within your Azure tenant.

    It's important to note that sharing galleries with an entire tenant is a preview feature, and there may be limitations, dependencies, or known issues associated with it. Keep an eye on Microsoft documentation, release notes, and community forums for updates and announcements regarding this feature.


    If I have answered your question, please mark your post as Solved
    If you like my response, please give it a like
      Karl Binger

      Thank you Deleted; however, as I noted, everything works as expected when I change the sharing from Tenant to Subscription (i.e., and then select any/all subscriptions). So this tells me that all of the other things you noted to look into are irrelevant. I do wish to get some clarification from you though. On point #2, you mentioned the following:

      "2. Check subscription permissions: Verify that the user accounts within the affected subscriptions have the appropriate RBAC permissions to view and access the shared galleries. They should have at least the necessary read permissions on the shared galleries to see them when creating a VM."


      Does the user in the consuming subscription have to have permissions defined on the shared gallery that is in the other subscription? The reason we are looking into this feature is to avoid having to set granular permissions on galleries. For example, currently every time an app team creates a new Service Principal, a request has to get entered to their help desk to add that SP to the gallery. Furthermore, when I tested this at the subscription level sharing, it worked like that without having to set any additional permissions, so I'm thinking that sharing at the Tenant level should have the same effect. Moreover, there is one subscription that can see this shared gallery, and all permissions are set the exact same way on every subscription.

        Deleted

        Karl Binger 

        Apologies for any confusion caused. Let's address your question regarding subscription permissions for shared galleries in Azure.


        When you enable sharing at the subscription level, the permissions to access the shared gallery are automatically inherited by all the user accounts within that subscription. This means that users in the consuming subscription don't need to have separate permissions defined on the shared gallery itself. The shared gallery is accessible to all users within the subscription without requiring additional granular permissions.


        In your scenario, where you tested sharing at the subscription level and it worked without setting any additional permissions, it aligns with the expected behavior. When sharing at the subscription level, the sharing permissions are automatically applied to all users within that subscription.


        However, when sharing at the tenant level, the sharing permissions should also propagate to all subscriptions within the tenant without the need for additional granular permissions. This means that users in any subscription within the tenant should have access to the shared gallery without requiring specific permissions defined on the gallery itself.


        If you are experiencing a specific issue where one subscription can see the shared gallery while others cannot, despite having the same permissions configured, it may indicate a potential problem or inconsistency. In such cases, it is recommended to reach out to Microsoft Support for further investigation and assistance. They can analyze the specific configurations and permissions in your environment to identify any potential causes or solutions.


        It's important to ensure that the necessary sharing permissions are configured correctly at the tenant and subscription levels to allow seamless access to shared galleries across the entire tenant without the need for granular permission management on individual galleries.


        If I have answered your question, please mark your post as Solved
        If you like my response, please give it a like
