Azure Application Proxy ARM RBAC

Iron Contributor



I am currently configuring some initial PoC configurations for a customer for publishing a few different web apps using Azure App Proxy (AAP?) within ARM preview.


As is fully understandable, the client doesn't want to be providing full Global Admin rights to techs/app maintainers in order to facilitate publishing of new apps, or changes to publishing.


looking at the elements of AAP it appeared as though an RBAC role of 'Network Contributor' with AD Premium should provide the necessary permissions within Azure to perform all required tasks, however this results in "You don’t have access to this data. Please contact your global administrator to get access."


is there currently any combination of roles, or a custom subset of RBAC roles/rights that will allow AAP publishing configuration? is there any documentation to that effect currently, as i have been unable to find anything so far (sometimes my google skills fail me).


If the AAP function is currently being hamstrung in terms of security delegation by it bridging ASM and ARM, will this functionality be available when AAP in ARM is GA?


thanks in advance.

1 Reply

Great question! We're looking into this and will try to get an answer for you.