Behind the scenes: access and region control in Windows Update for Business reports

Interested in using Windows Update for Business reports for richer access and region control? As we've announced on the Windows IT Pro Blog today, you now have more power and flexibility to route dat...

wufb

mcuellar

Copper Contributor

Apr 27, 2023

The GitHub page says that whatever account will run the Ansible playbook should be Subscription owner to be able to create all the resources. However, the target_resource_group parameter in the localhost file seems to indicate that we can have everything go in the same resource group.

To me it seems possible to have the account have just the Contributor role for that resource group in order to run the playbook successfully, since everything created by the playbook would go into that group. I assume the Subscription Owner role would definitely be needed if the playbook was also creating a new resource group instead of using an existing one.

Am I missing something? Is subscription owner a hard requirement besides for the reason I mentioned?

Thank you.

Aaron_Oneal

mcuellar

Copper Contributor

Apr 28, 2023

For anyone who is curious, I tried to do this with a service principal that only has Owner rights to the resource group. This fails, because the playbook tries to register a storage provider, which requires permissions to the subscription.

Specifically, 'Microsoft.Storage/register/action' permission to the subscription is what is required.

Forum Discussion

Behind the scenes: access and region control in Windows Update for Business reports

Resources