Azure VMware Solution - privileges access to ESXi and vCenter in AVS ?

Question

Hi. In this (https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-identity) document, we don't have clear statement about rights for AVS because:

According vCenter we have different information in sentences:

• "...vCenter Server has a built-in local user called cloudadmin assigned to the CloudAdmin role"
  -"...In a vCenter Server and ESXi on-premises deployment, the administrator has access to the vCenter Server administrator@vsphere.local account...."

According to access to physical ESXi:

• "...the administrator has access to the vCenter Server administrator@vsphere.local account and the ESXi root account.."
• "...In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account or the ESXi root account..."

In above two cases, information is not clear.

My use case is important for me because i would like advice in correct way for customers in case when they would like for example install some additional 3rd party plugin on vCenter. for example for backup management.

Base on above:

Question1:
Which sentences are true ?

Question2:
If escalate request https://learn.microsoft.com/en-us/azure/vmware-cloudsimple/escalate-private-cloud-privileges was possible only in previous version AVS ? from Cloudsimple ? If YES then if current rights are enough to install by customer some 3rd party plugins if need it (example: backup , replication software) ?

Sebastian

Answer 1

Hello @Sebastian Grugel ,

Thank you for sharing the document link. Happy to answer your question.

Answering Specific Questions:

Question1:
Which sentences are true?
Both statements are correct. These statements are specific to Azure VMware solution vx on-premises vCenter/ESX deployment.

The first statement talking about the local cloudadmin user. This user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.
In general, the CloudAdmin role creates and manages workloads in your private cloud. But in Azure VMware Solution, the CloudAdmin role has vCenter Server privileges that differ from other VMware cloud solutions and on-premises deployments.
We can say CloudAdmin user is some what to vcenter administrator account for azure vmware solution but not equivalent.

(In on prem context)- In a vCenter Server and ESXi on-premises deployment, the administrator has access to the vCenter Server administrator@vsphere.local account and the ESXi root account.

In an Azure VMware Solution deployment- The administrator doesn't have access to the administrator user account or the ESXi root account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter Server

Question2:
If escalate request https://learn.microsoft.com/en-us/azure/vmware-cloudsimple/escalate-private-cloud-privileges was possible only in previous version AVS ? from Cloudsimple ? If YES then if current rights are enough to install by customer some 3rd party plugins if need it (example: backup , replication software) ?

The local CloudAdmin has most vCenter server previleges, since backup and replication agents/plugins installation are one time tasks, they could use this account or they can create a custom roles and assign equal or lesser privileges than the CloudAdmin role and provide this role access to admins that are involved in configuring backup/replication.
For details refer to https://learn.microsoft.com/en-us/azure/azure-vmware/concepts-identity#create-custom-roles-on-vcenter-server.

Note: Azure VMware Solution offers custom roles on vCenter Server but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the Create custom roles on vCenter Server section later in this article.

Please "Accept as Answer" and Upvote if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.