Edit

Share gallery resources across subscriptions and tenants with RBAC

  • Article

As the Azure Compute Gallery, definition, and version are all resources, they can be shared using the built-in native Azure Roles-based Access Control (RBAC) roles. Using Azure RBAC roles you can share these resources to other users, service principals, and groups. You can even share access to individuals outside of the tenant they were created within. Once a user has access, they can use the gallery resources to deploy a VM or a Virtual Machine Scale Set. Here's the sharing matrix that helps understand what the user gets access to:

Shared with User Azure Compute Gallery Image Definition Image version
Azure Compute Gallery Yes Yes Yes
Image Definition No Yes Yes

We recommend sharing at the Gallery level for the best experience. We don't recommend sharing individual image versions. For more information about Azure RBAC, see Assign Azure roles.

There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:

Sharing with: People Groups Service Principal All users in a specific subscription (or) tenant Publicly with all users in Azure
RBAC Sharing Yes Yes Yes No No
RBAC + Direct shared gallery Yes Yes Yes Yes No
RBAC + Community gallery Yes Yes Yes No Yes

You can also create an App registration to share images between tenants.

Note

Please note that Images can be used with read permissions on them to deploy virtual machines and disks.

When utilizing the direct shared gallery, images are distributed widely to all users in a subscription/tenant, while the community gallery distributes images publicly. It is recommended to exercise caution when sharing images that contain intellectual property to prevent widespread distribution.

Share using RBAC

When you share a gallery using RBAC, you need to provide the imageID to anyone creating a VM or scale set from the image. There is no way for the person deploying the VM or scale set to list the images that were shared to them using RBAC.

If you share gallery resources to someone outside of your Azure tenant, they will need your tenantID to log in and have Azure verify they have access to the resource before they can use it within their own tenant. You will need to provide them with your tenantID, there is no way for someone outside your organization to query for your tenantID.

Important

RBAC sharing can be used to share resources with users within the organization (or) users outside the organization (cross-tenant). Here are the instructions to consume an image shared with RBAC and create VM/VMSS:

RBAC - Shared within your organization

RBAC - Shared from another tenant

  1. On the page for your gallery, in the menu on the left, select Access control (IAM).
  2. Under Add a role assignment, select Add. The Add a role assignment pane will open.
  3. Under Role, select Reader.
  4. Under assign access to, leave the default of Microsoft Entra user, group, or service principal.
  5. Under Select, type in the email address of the person that you would like to invite.
  6. If the user is outside of your organization, you'll see the message This user will be sent an email that enables them to collaborate with Microsoft. Select the user with the email address and then click Save.

Next steps