Azure Stack Blog

Register your Azure Stack HCI cluster with reduced permissions

Arpita Duppala
Jun 06, 2022

We are happy to announce several improvements to the HCI cluster registration experience. These improvements are based on community feedback and survey results.

Relaxed permission requirements at both the Azure tenant and subscription level: as the user registering the cluster, you no longer need any privileges at the tenant level, and we have also reduced the permissions required at the subscription level, which reduces the impact of a security breach or user error.

Azure permissions required for registration, previously and now:

Tenant level

  Previously:
  1. "microsoft.directory/applications/createAsOwner"
  2. "microsoft.directory/applications/delete"
  3. "microsoft.directory/applications/standard/read"
  4. "microsoft.directory/applications/credentials/update"
  5. "microsoft.directory/applications/permissions/update"
  6. "microsoft.directory/servicePrincipals/appRoleAssignedTo/update"
  7. "microsoft.directory/servicePrincipals/appRoleAssignedTo/read"
  8. "microsoft.directory/servicePrincipals/appRoleAssignments/read"
  9. "microsoft.directory/servicePrincipals/createAsOwner"
  10. "microsoft.directory/servicePrincipals/credentials/update"
  11. "microsoft.directory/servicePrincipals/permissions/update"
  12. "microsoft.directory/servicePrincipals/standard/read"
  13. "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.AzSHCI-registration-consent-policy"

  Now: Not required

Subscription level

  Previously:
  1. "Microsoft.Resources/subscriptions/resourceGroups/read"
  2. "Microsoft.Resources/subscriptions/resourceGroups/write"
  3. "Microsoft.Resources/subscriptions/resourceGroups/delete"
  4. "Microsoft.AzureStackHCI/register/action"
  5. "Microsoft.AzureStackHCI/Unregister/Action"
  6. "Microsoft.AzureStackHCI/clusters/*"
  7. "Microsoft.Authorization/roleAssignments/write"
  8. "Microsoft.HybridCompute/register/action"
  9. "Microsoft.GuestConfiguration/register/action"
  10. "Microsoft.HybridConnectivity/register/action"

  Now:
  1. "Microsoft.Resources/subscriptions/resourceGroups/read"
  2. "Microsoft.AzureStackHCI/register/action"
  3. "Microsoft.AzureStackHCI/Unregister/Action"
  4. "Microsoft.AzureStackHCI/clusters/*"
  5. "Microsoft.Authorization/roleAssignments/write"
  6. "Microsoft.HybridCompute/register/action"
  7. "Microsoft.GuestConfiguration/register/action"
  8. "Microsoft.HybridConnectivity/register/action"
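The subscription-level actions in the "Now" list can be packaged as a custom RBAC role so the identity that runs the registration holds nothing beyond them. The PowerShell below is an added example, not code from this post or from the Az.StackHCI module; the role name, subscription ID and object ID are placeholders, and the assignment is made at subscription scope because the provider register actions are subscription-level operations.

```powershell
# Added example (not from the blog post): a custom Azure role carrying only the
# reduced subscription-level actions listed above. Role name, subscription ID
# and the assignee object ID are placeholders; replace them with your own.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$roleName       = "Azure Stack HCI Registration (reduced)"  # assumed name

$role = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Least-privilege role for Register-AzStackHCI (subscription-level actions only)."
    Actions          = @(
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        # Needed so the registration flow can assign roles to the Arc identities
        # it creates. This action can grant privileges within the assigned scope,
        # so keep AssignableScopes as narrow as your layout allows.
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.HybridConnectivity/register/action"
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

# New-AzRoleDefinition -InputFile expects exactly this JSON shape.
$roleFile = Join-Path $env:TEMP "hci-registration-role.json"
$role | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding utf8
New-AzRoleDefinition -InputFile $roleFile

# Assign the role to the user or service principal that will run
# Register-AzStackHCI. The */register/action entries register resource
# providers, which is a subscription-level operation, so the assignment
# must sit at the subscription scope.
$registrarObjectId = "11111111-1111-1111-1111-111111111111"   # placeholder
New-AzRoleAssignment -ObjectId $registrarObjectId `
    -RoleDefinitionName $roleName `
    -Scope "/subscriptions/$subscriptionId"

# Confirm the stored definition matches the intended action list.
(Get-AzRoleDefinition -Name $roleName).Actions
```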

More flexibility with resource group creation: previously you could only specify the resource group for the HCI cluster resource; now you can also specify the resource group for the Arc for servers resources.

For more detailed information, please see our documentation: Connect Azure Stack HCI to Azure - Azure Stack HCI | Microsoft Docs

We hope these registration improvements will make your registration experience smoother, quicker, and more productive. We are always open to feedback; you can comment on this blog or reach out to me directly.

Future Plans

We plan to improve this workflow further by providing:

  • More flexibility with resource creation, move, delete, and tagging
  • Update workflows for extensions
  • Creation of a more restrictive custom permission role
  • Prechecks for registration workflow

Updated Jun 07, 2022
Version 5.0

4 Comments

  • IbTornoe (Copper Contributor)

    Arpita Duppala, thanks for the ACK, VERY much appreciated :smile:

    BUT sorry :cry:,

    I again have to express my concern about the quality and embracement customers expect from Microsoft regarding products and services, and here I also think about Support, which is getting worse and worse . . . :cry:

    If I rewind to the time frame when Windows 2000 was released (Active Directory) and the accompanying Resource Kit:

    On the shelf it took almost 1,5 m and the technical details included were amazing; we are a lot of "silverbacks" who want this to reappear!

    We miss the quality and the deep technical description, PLEASE bring it back, PLEASE!!!!!

    The documentation here https://docs.microsoft.com/ is so superficial that it is almost useless, sorry!

    MarkRussinovich, we miss your whitepapers, deep dives on Windows, Case of the Unexplained, explanations of the scheduling algorithm on NUMA vs. non-NUMA, etc.

    I (maybe I'm the lonely rider?) want the technical quality back as delivered in the Windows Internals classes and books that you and David Solomon provided :smile: "PLEASE COME BACK" :hearteyes: , , , , , , and show the way to describe things so we, the customers, understand them and get the opportunity to get the best out of the technology that Microsoft provides.

    Right now we are fighting to implement workarounds, waiting for the next release that may (or may not) solve the issue.

    Also, deploying a CU every month without a description of all the included fixes to e.g. AzHCI: how should we, the customers, be able to prove we have change management? We can't.

    -Ib

  • IbTornoe: Sorry for the inconvenience it has caused; currently we do not support tagging the Arc RG during the registration workflow. It is in our backlog to support tagging the Arc RG in a future release. Thank you for your feedback.

  • IbTornoe (Copper Contributor)

    Just to follow up on the above:

    When it fails we see this.

    =======================================

    Write-ErrorLog : CreateResourceGroupFailed : Could not create resource group resourceId: subscriptions/77585cb5-cc1b-47a6-b60d-4c1ec4b078fc/resourceGroups/SYSHCL50-DK0-Arc. CorrelationId: 148081ec-6b6a-4d7e-ab8f-00a9cf0cbbe1 At C:\Program Files\WindowsPowerShell\Modules\Az.StackHCI\1.2.0\Az.StackHCI.psm1:2537 char:9 + Write-ErrorLog -Exception $_.Exception -Category OperationSto ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Write-Error], ErrorResponseMessageException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.ErrorResponses.ErrorResponseMessageException,Write-ErrorLog

    Write-ErrorLog : Exception occurred in Register-AzStackHCI : At C:\Program Files\WindowsPowerShell\Modules\Az.StackHCI\1.2.0\Az.StackHCI.psm1:2492 char:35
    + ... $arcres = New-AzResource -ResourceId $arcResourceId -ApiVersion $HC ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    At C:\Program Files\WindowsPowerShell\Modules\Az.StackHCI\1.2.0\Az.StackHCI.psm1:2542 char:9
    + Write-ErrorLog ("Exception occurred in Register-AzStackHCI : ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Write-ErrorLog

    =======================================

    The line to pay attention to is this:

    Write-ErrorLog : Exception occurred in Register-AzStackHCI : At C:\Program Files\WindowsPowerShell\Modules\Az.StackHCI\1.2.0\Az.StackHCI.psm1:2492 char:35

    Looking in Az.StackHCI.psm1 at line 2492 we see

    $arcres = New-AzResource -ResourceId $arcResourceId -ApiVersion $HCIArcAPIVersion -PropertyObject $arcInstanceResourceGroup -Force

    And NO passing on of Tags.

    We have temporarily disabled the Policy that requires Tags on RGs, and then Register-AzStackHCI ran through and created the RG for Arc.

  • IbTornoe (Copper Contributor)

    Just tried to register an AzHCI cluster today.

    After a lot of issues we are now stuck where Register-AzStackHCI is creating the RG for Arc.

    We have a Policy that requires Tags to be created, but it seems that Register-AzStackHCI does not use the Tags configured on the command line, and it is not supported to pre-create this RG.

    From the documentation:

    If you want to specify the name of the Arc for server resource group, use the additional parameter -ArcServerResourceGroupName <ArcRgName>. Note that the specified <ArcRgName> cannot pre-exist, it must be created by the HCI service.

    E.g.:

    Register-AzStackHCI -SubscriptionId "1111111-1111-1111-1111-111111111111" -ComputerName Server1 -Tag @{AvailabilityHours= "4" ; Criticality= "Critical" ; EnvironmentType = "p" ; FinancialWorkPackageId = "12345" ; owner = "XYZ"}

    So we are in a sort of catch-22 situation here . . . .
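For the catch-22 described in IbTornoe's comments (a deny policy on untagged resource groups versus an Arc resource group that only the HCI service may create), a narrower handling than disabling the policy is a time-boxed exemption for just that assignment, followed by tagging the created group and closing the window. The PowerShell below is an added example, not code from this post, from Microsoft or from the Az.StackHCI module; the subscription ID, policy assignment name, resource group names and server name are placeholders, and the tag set is taken from the command line quoted in the comment.

```powershell
# Added example (not from the thread): exempt only the tag-requirement policy
# assignment, only at this subscription, only for a short window, instead of
# disabling the policy. All IDs and names below are placeholders.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"
$subScope          = "/subscriptions/$subscriptionId"
$tagAssignmentName = "require-tags-on-rg"        # assumed name of the deny assignment
$hciRgName         = "contoso-hci-rg"            # RG for the HCI cluster resource
$arcRgName         = "contoso-hci-arc-rg"        # must NOT pre-exist; created by the service
$requiredTags      = @{ AvailabilityHours = "4"; Criticality = "Critical";
                        EnvironmentType = "p"; FinancialWorkPackageId = "12345"; owner = "XYZ" }

# 1. Locate the assignment that denies untagged resource groups.
$assignment = Get-AzPolicyAssignment -Scope $subScope |
    Where-Object { $_.Name -eq $tagAssignmentName }
if (-not $assignment) { throw "Policy assignment '$tagAssignmentName' not found at $subScope" }

# 2. Exempt that single assignment at this scope; the exemption expires on its own
#    even if the cleanup below never runs.
$exemption = New-AzPolicyExemption -Name "hci-registration-window" `
    -PolicyAssignment $assignment -Scope $subScope `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).ToUniversalTime().AddHours(2) `
    -Description "Temporary: Register-AzStackHCI must create the Arc RG itself"

try {
    # 3. Register. -Tag reaches the cluster resource; the Arc RG is created untagged.
    Register-AzStackHCI -SubscriptionId $subscriptionId -ComputerName Server1 `
        -ResourceGroupName $hciRgName -ArcServerResourceGroupName $arcRgName `
        -Tag $requiredTags

    # 4. Bring the service-created Arc RG into compliance while the window is open.
    Set-AzResourceGroup -Name $arcRgName -Tag $requiredTags | Out-Null
}
finally {
    # 5. Close the window explicitly rather than waiting for expiry.
    Remove-AzPolicyExemption -Name $exemption.Name -Scope $subScope -Force
}

# Verify every tag the policy expects is now present on the Arc RG.
$rg = Get-AzResourceGroup -Name $arcRgName
$missing = $requiredTags.Keys | Where-Object { -not ($rg.Tags -and $rg.Tags.ContainsKey($_)) }
if ($missing) { Write-Warning "Arc RG still missing tags: $($missing -join ', ')" }
else          { Write-Output "Arc RG '$arcRgName' carries all required tags." }
```

The exemption is recorded as an Azure resource with its own expiry and description, so the change leaves an audit trail; the policy itself stays assigned and keeps denying untagged groups everywhere else.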