Aaron_Oneal
Microsoft
Apr 12, 2023
Behind the scenes: access and region control in Windows Update for Business reports
Interested in using Windows Update for Business reports for richer access and region control? As we've announced on the Windows IT Pro Blog today, you now have more power and flexibility to route dat...
mcuellar
Apr 27, 2023
Copper Contributor
The GitHub page says that whatever account will run the Ansible playbook should be Subscription owner to be able to create all the resources. However, the target_resource_group parameter in the localhost file seems to indicate that we can have everything go in the same resource group.
To me it seems possible to have the account have just the Contributor role for that resource group in order to run the playbook successfully, since everything created by the playbook would go into that group. I assume the Subscription Owner role would definitely be needed if the playbook was also creating a new resource group instead of using an existing one.
Am I missing something? Is subscription owner a hard requirement besides for the reason I mentioned?
Thank you.
- Aaron_Oneal
May 09, 2023
Microsoft
Resource group contributor will generally suffice if you have already created one in the subscription. But as noted, you will also need to have pre-created and registered the storage provider due to the required subscription permission.
- mcuellar
Apr 28, 2023
Copper Contributor
For anyone who is curious, I tried to do this with a service principal that only has Owner rights to the resource group. This fails, because the playbook tries to register a storage provider, which requires permissions to the subscription.
Specifically, 'Microsoft.Storage/register/action' permission to the subscription is what is required.
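Added example, not part of the thread or of the project's GitHub repository: one way to apply the split described in the replies with the Azure CLI. An identity that holds `Microsoft.Storage/register/action` on the subscription registers the provider once and grants the playbook identity Contributor on the resource group only. The subscription ID, resource group name and service principal ID are placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Placeholders: replace with your own values before running.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-example-rg}"
SP_APP_ID="${SP_APP_ID:-11111111-1111-1111-1111-111111111111}"

# Succeeds only when Microsoft.Storage is already registered in the subscription.
storage_provider_registered() {
  state="$(az provider show --namespace Microsoft.Storage \
             --subscription "$SUBSCRIPTION_ID" \
             --query registrationState --output tsv)"
  [ "$state" = "Registered" ]
}

# One-time step for an identity with Microsoft.Storage/register/action on the
# subscription. Does nothing if the provider is already registered.
register_storage_provider() {
  if storage_provider_registered; then
    return 0
  fi
  az provider register --namespace Microsoft.Storage \
    --subscription "$SUBSCRIPTION_ID" --wait
}

# Scope the playbook identity to the existing resource group, not the subscription.
grant_rg_contributor() {
  az role assignment create --assignee "$SP_APP_ID" --role Contributor \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
}

# Check before running the playbook; needs read access to the subscription's providers.
preflight() {
  if storage_provider_registered; then
    echo "ok: Microsoft.Storage is registered"
  else
    echo "blocked: Microsoft.Storage is not registered; registering it needs" \
         "Microsoft.Storage/register/action on the subscription" >&2
    return 1
  fi
}

# Usage: ./setup.sh admin   (subscription-level identity, once)
#        ./setup.sh preflight
case "${1:-}" in
  admin)     register_storage_provider && grant_rg_contributor ;;
  preflight) preflight ;;
esac
```

With this split, the subscription-level permission is used once by an administrator and never has to be granted to the service principal that runs the playbook.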