Azure VMware Solution identity concepts
Azure VMware Solution private clouds are provisioned with a vCenter Server and an NSX-T Manager. You use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud's networking. In vCenter you're given the CloudAdmin role; in NSX-T Manager you're given restricted administrator rights.
vCenter access and identity
In Azure VMware Solution, vCenter has a built-in local user called cloudadmin that is assigned the CloudAdmin role. You can also assign the CloudAdmin role to users and groups from Active Directory (AD) for your private cloud. In general, the CloudAdmin role creates and manages workloads in your private cloud, but in Azure VMware Solution it holds a set of vCenter privileges that differs from other VMware cloud solutions and from on-premises deployments.
Treat the local cloudadmin user as an emergency access account for "break glass" scenarios in your private cloud. It isn't for daily administrative activities or for integration with other services.
In an on-premises vCenter and ESXi deployment, the administrator has access to the vCenter administrator@vsphere.local account and can also assign additional AD users and groups.
In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator@vsphere.local account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter. The CloudAdmin role doesn't have the permission to add an identity source, such as an on-premises LDAP or LDAPS server, to vCenter. Instead, you use Run commands to add an identity source and to assign the CloudAdmin role to users and groups.
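Because cloudadmin is meant to be a break-glass account, its logins are worth auditing: every successful login should map to an approved emergency use. The following PowerCLI script is an added example, not code from the Azure VMware Solution documentation. It assumes the VMware.PowerCLI module is installed, that the SSO domain is vsphere.local as stated above, and it uses a placeholder vCenter FQDN.

```powershell
# Added example; it is not from the Azure VMware Solution documentation.
# Reports logins (successful and failed) by the local break-glass account so that
# day-to-day use of cloudadmin can be spotted and reviewed.
# Assumptions: PowerCLI (VMware.PowerCLI module) is installed; the vCenter FQDN
# is a placeholder; the SSO domain is vsphere.local as stated in the article.
param(
    [string]$VCenter   = 'vc.avs.contoso.example',    # placeholder, replace with your private cloud vCenter
    [string]$Principal = 'VSPHERE.LOCAL\cloudadmin',  # the built-in break-glass user
    [int]$Days         = 7
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# Run the report as an AD user holding CloudAdmin, not as cloudadmin itself.
$vc = Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message 'AD user with the CloudAdmin role')

try {
    $since = (Get-Date).AddDays(-$Days)

    # vCenter raises UserLoginSessionEvent for each successful login and
    # BadUsernameSessionEvent for each failed one; both carry user name and source IP.
    $events = Get-VIEvent -Server $vc -Start $since -MaxSamples ([int]::MaxValue) |
        Where-Object {
            ($_ -is [VMware.Vim.UserLoginSessionEvent] -or $_ -is [VMware.Vim.BadUsernameSessionEvent]) -and
            $_.UserName -ieq $Principal
        }

    if (-not $events) {
        Write-Output "No logins by $Principal since $since."
        return
    }

    # One row per event: when, from where, and whether it succeeded. Every successful
    # row should match an approved break-glass use; anything else is a finding.
    $events |
        Sort-Object CreatedTime |
        Select-Object CreatedTime, UserName, IpAddress,
            @{ Name = 'Result'; Expression = { if ($_ -is [VMware.Vim.UserLoginSessionEvent]) { 'success' } else { 'failure' } } } |
        Format-Table -AutoSize

    $ok = @($events | Where-Object { $_ -is [VMware.Vim.UserLoginSessionEvent] }).Count
    Write-Warning "$ok successful login(s) by $Principal in the last $Days day(s); confirm each was an approved break-glass use."
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

Run it on a schedule and feed the rows into whatever you use for alerting; a login by cloudadmin outside a documented incident is the signal that someone is using the break-glass account for routine work.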
The private cloud user can't access or configure the management components that Microsoft supports and manages, such as clusters, hosts, datastores, and distributed virtual switches.
In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users other than those provided by default with your private cloud.
Azure VMware Solution offers custom roles on vCenter but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the Create custom roles on vCenter section later in this article.
View the vCenter privileges
You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.
Sign in to the vSphere Client and go to Menu > Administration.
Under Access Control, select Roles.
From the list of roles, select CloudAdmin and then select Privileges.
The CloudAdmin role in Azure VMware Solution holds the vCenter privileges listed below. The authoritative list is the one the vSphere Client shows on your own private cloud, since it can change between releases. For more information on what each privilege allows, see the VMware product documentation.

| Privilege category | Privileges held by CloudAdmin |
|---|---|
| Alarms | Disable alarm action, Set alarm status |
| Content Library | Add library item, Create a subscription for a published library, Create local library, Create subscribed library, Delete library item, Delete local library, Delete subscribed library, Delete subscription of a published library, Evict library items, Evict subscribed library, Probe subscription information, Publish a library item to its subscribers, Publish a library to its subscribers, Sync library item, Sync subscribed library, Update configuration settings, Update library item, Update local library, Update subscribed library, Update subscription of a published library, View configuration settings |
| Cryptographic operations | Direct access |
| Datastore | Low-level file operations, Update virtual machine metadata |
| Global | Manage custom attributes, Set custom attribute |
| Profile | Profile driven storage view |
| Resource | Assign vApp to resource pool, Assign virtual machine to resource pool, Create resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Modify resource pool, Move resource pool, Remove resource pool, Rename resource pool |
| Scheduled task | Create task |
| vApp | Add virtual machine, Assign resource pool, View OVF environment, vApp application configuration, vApp instance configuration, vApp managedBy configuration, vApp resource configuration |
| Virtual machine > Change Configuration | Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Change CPU count, Change swapfile placement, Configure host USB device, Configure raw device, Display connection settings, Extend virtual disk, Modify device settings, Query fault tolerance compatibility, Query unowned files, Reload from paths, Reset guest information, Toggle disk change tracking, Toggle fork parent, Upgrade virtual machine compatibility |
| Virtual machine > Edit Inventory | Create from existing |
| Virtual machine > Guest operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
| Virtual machine > Interaction | Back up operation on virtual machine, Configure CD media, Configure floppy media, Defragment all disks, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Install VMware tools, Pause or Unpause, Wipe or shrink operations, Record session on virtual machine, Replay session on virtual machine, Suspend fault tolerance, Test restart secondary VM, Turn off fault tolerance, Turn on fault tolerance |
| Virtual machine > Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Clone virtual machine, Create template from virtual machine, Mark as template, Modify customization specification, Read customization specifications |
| Virtual machine > Service configuration | Allow polling of global event notifications, Manage service configuration, Modify service configuration, Query service configurations, Read service configuration, Reconfigure dependency configuration |
| vSphere tagging | Assign and unassign vSphere tag, Create vSphere tag, Create vSphere tag category, Delete vSphere tag, Delete vSphere tag category, Edit vSphere tag, Edit vSphere tag category, Modify UsedBy field for category, Modify UsedBy field for tag |

Several of these are high-impact: Guest operation program execution runs commands inside a guest OS through VMware Tools, and the Provisioning privileges for disk, file, and download access expose VMDK contents. When you derive custom roles for operators (see the next section), these are the first candidates to remove.
Create custom roles on vCenter
Azure VMware Solution supports custom roles whose privileges are equal to, or a subset of, the CloudAdmin role's privileges.
A user with the CloudAdmin role can create, modify, or delete custom roles with privileges equal to or less than their own. vCenter lets you create a role with privileges greater than CloudAdmin's, but you then can't assign that role to any user or group, and you can't delete it.
To avoid creating roles that can't be assigned or deleted, clone the CloudAdmin role and use the clone as the basis for new custom roles, removing privileges rather than adding them.
Create a custom role
Sign in to vCenter as a user with the CloudAdmin role (or, if necessary, as cloudadmin@vsphere.local).
Navigate to the Roles configuration section and select Menu > Administration > Access Control > Roles.
Select the CloudAdmin role and select the Clone role action icon.
Don't clone the Administrator role: a role cloned from it holds privileges beyond CloudAdmin, so you can't assign it to anyone, and cloudadmin@vsphere.local can't delete it.
Provide the name you want for the cloned role.
Add or remove privileges for the role and select OK. The cloned role is visible in the Roles list.
Apply a custom role
Navigate to the object that requires the added permission. For example, to apply permission to a folder, navigate to Menu > VMs and Templates > Folder Name.
Right-click the object and select Add Permission.
Select the Identity Source in the User drop-down where the group or user can be found.
Search for the user or group after selecting the Identity Source under the User section.
Select the role that you want to apply to the user or group.
Check the Propagate to children if needed, and select OK. The added permission displays in the Permissions section.
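The same procedure, covering both the privilege export described under "View the vCenter privileges" and the create-and-apply steps above, can be scripted with PowerCLI. The script below is an added example, not code from the Azure VMware Solution documentation. It assumes the VMware.PowerCLI module is installed and uses placeholder values for the vCenter FQDN, the custom role name, the AD group, and the VM folder; the privileges it removes are chosen as an illustration of a least-privilege operator role.

```powershell
# Added example; it is not from the Azure VMware Solution documentation.
# Automates the procedure above with PowerCLI: export CloudAdmin's privileges,
# derive a smaller custom role from them, refuse any privilege CloudAdmin does not
# hold (such a role could not be assigned or deleted), create the role, and grant
# it to an AD group on a VM folder with propagation.
# Assumptions (placeholders): the vCenter FQDN, the role name, the AD group, the folder.
param(
    [string]$VCenter    = 'vc.avs.contoso.example',      # placeholder
    [string]$RoleName   = 'CloudAdmin-VMOperator',       # placeholder custom role name
    [string]$Principal  = 'CONTOSO\avs-vm-operators',    # placeholder AD group
    [string]$FolderName = 'Prod-VMs',                    # placeholder VM folder
    # Privilege IDs to take away from the clone. These are the high-impact ones:
    # running programs inside guests, raw VMDK/file access, and key access.
    [string[]]$DropPatterns = @(
        'VirtualMachine.GuestOperations.*',
        'VirtualMachine.Provisioning.DiskRandom*',
        'VirtualMachine.Provisioning.FileRandomAccess',
        'VirtualMachine.Provisioning.GetVmFiles',
        'Cryptographer.*'
    ),
    # Privilege IDs someone asked to add on top of the clone; each is checked
    # against CloudAdmin before the role is created.
    [string[]]$AddIds = @()
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message 'User holding the CloudAdmin role')

try {
    # 1. The privileges CloudAdmin holds on this private cloud (what the vSphere
    #    Client shows under Roles > CloudAdmin > Privileges), kept as a baseline.
    $cloudAdmin   = Get-VIRole -Server $vc -Name 'CloudAdmin'
    $allowedPrivs = @(Get-VIPrivilege -Server $vc -Role $cloudAdmin)
    $allowedPrivs | Select-Object Id, Name | Sort-Object Id |
        Export-Csv -Path 'CloudAdmin-privileges.csv' -NoTypeInformation

    # 2. Clone by subtraction: start from CloudAdmin and drop the matching privileges.
    $wantedPrivs = @($allowedPrivs | Where-Object {
        $id = $_.Id
        -not ($DropPatterns | Where-Object { $id -like $_ })
    })

    # 3. Anything requested beyond the clone must already be held by CloudAdmin.
    #    vCenter would accept a larger role, but it could never be assigned or deleted.
    foreach ($id in $AddIds) {
        if ($id -notin $allowedPrivs.Id) {
            throw "Refusing to create '$RoleName': privilege '$id' is not held by CloudAdmin."
        }
        $wantedPrivs += Get-VIPrivilege -Server $vc -Id $id
    }
    $wantedPrivs = @($wantedPrivs | Sort-Object Id -Unique)

    # 4. Create the role if it doesn't exist yet.
    $role = Get-VIRole -Server $vc -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Server $vc -Name $RoleName -Privilege $wantedPrivs
    }

    # 5. Post-check: the role as stored in vCenter must be a subset of CloudAdmin.
    $excess = @((Get-VIPrivilege -Server $vc -Role $role).Id | Where-Object { $_ -notin $allowedPrivs.Id })
    if ($excess.Count -gt 0) { throw "Role '$RoleName' exceeds CloudAdmin: $($excess -join ', ')" }

    # 6. Grant the role to the AD group on the folder, propagating to child objects
    #    (the equivalent of the "Propagate to children" checkbox).
    $folder = Get-Folder -Server $vc -Name $FolderName -Type VM
    New-VIPermission -Server $vc -Entity $folder -Principal $Principal -Role $role -Propagate:$true

    Write-Output "Granted '$RoleName' ($($wantedPrivs.Count) privileges) to $Principal on folder '$FolderName'."
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

Step 3 is the guard that matters: vCenter will happily store a role that is larger than CloudAdmin, and you only discover the problem when the assignment fails and the role can't be removed. Keeping the exported CSV under version control also gives you a diff when Microsoft changes the CloudAdmin privilege set.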
NSX-T Manager access and identity
NSX-T 3.1.2 is currently supported for all new private clouds.
Use the admin account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) gateways, segments (logical switches), and all services. The same privileges also give you access to the NSX-T Tier-0 (T0) gateway, but a change to the T0 gateway can degrade network performance or cut off access to the private cloud entirely. Open a support request in the Azure portal to request any change to your NSX-T T0 gateway instead of editing it yourself.
Now that you've covered Azure VMware Solution access and identity concepts, you may want to learn about: