Edit

Share via


Roles and permissions in Azure Update Manager

To manage an Azure VM or an Azure Arc-enabled server using Azure Update Manager, you must have the appropriate roles assigned. You can either use predefined roles or create custom roles with the specific permissions you need. For more information, see the permissions.

Roles

The built-in roles provide blanket permissions on a virtual machine, which includes all Azure Update Manager permissions as well.

Resource Role
Azure VM Azure Virtual Machine Contributor or Azure Owner.
Azure Arc-enabled server Azure Connected Machine Resource Administrator

Permissions

You need the following permissions to manage update operations. The following table shows the permissions that are needed when you use Update Manager. You can create a custom role and assign only the desired permissions to that role so that only permissions for specific actions are provided as per need.

Read permissions for Update Manager to view Update Manager data

Actions Permission Scope
Read Azure VM properties Microsoft.Compute/virtualMachines/read
Read assessment data for Azure VMs Microsoft.Compute/virtualMachines/patchAssessmentResults/read
Microsoft.Compute/virtualMachines/patchAssessmentResults/softwarePatches/read
Read patch installation data for Azure VMs Microsoft.Compute/virtualMachines/patchInstallationResults/read
Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read
Read Azure Arc-enabled server properties Microsoft.HybridCompute/machines/read
Read assessment data for Azure Arc-enabled server Microsoft.HybridCompute/machines/patchAssessmentResults/read
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
Read patch installation data for Azure Arc-enabled server Microsoft.HybridCompute/machines/patchInstallationResults/read
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
Get the status of an asynchronous operation for Azure Virtual machine Microsoft.Compute/locations/operations/read Machine subscription
Read the status of an update center operation on Arc machines Microsoft.HybridCompute/locations/updateCenterOperationResults/read Machine subscription

Permissions to perform on-demand actions in Azure Update Manager

Note that following permissions would be required in addition to read permissions documented above on individual machines on which on-demand operations are performed.

Actions Permission Scope
Trigger assessment on Azure VMs Microsoft.Compute/virtualMachines/assessPatches/action
Install update on Azure VMs Microsoft.Compute/virtualMachines/installPatches/action
Get the status of an asynchronous operation for Azure Virtual machine Microsoft.Compute/locations/operations/read Machine subscription
Trigger assessment on Azure Arc-enabled server Microsoft.HybridCompute/machines/assessPatches/action
Install update on Azure Arc-enabled server Microsoft.HybridCompute/machines/installPatches/action
Read the status of an update center operation on Arc machines Microsoft.HybridCompute/locations/updateCenterOperationResults/read Machine subscription
Update patch mode / assessment mode for Azure Virtual Machines Microsoft.Compute/virtualMachines/write Machine
Update assessment mode for Arc Machines Microsoft.HybridCompute/machines/write Machine

Note that below permissions are required in addition to permissions on individual machines, which are managed by the schedules.

Actions Permission Scope
Register the subscription for the Microsoft.Maintenance resource provider Microsoft.Maintenance/register/action Subscription
Create/modify maintenance configuration Microsoft.Maintenance/maintenanceConfigurations/write Subscription/resource group
Read maintenance configuration Microsoft.Maintenance/maintenanceConfigurations/read Subscription/resource group
Delete maintenance configuration Microsoft.Maintenance/maintenanceConfigurations/delete Subscription/resource group
Create/modify configuration assignments Microsoft.Maintenance/configurationAssignments/write Subscription/Resource group / machine
Read configuration assignments Microsoft.Maintenance/configurationAssignments/read Subscription/Resource group / machine
Delete configuration assignments Microsoft.Maintenance/configurationAssignments/delete Subscription/Resource group / machine
Read maintenance updates resource Microsoft.Maintenance/updates/read Machine
Read maintenance apply updates resource Microsoft.Maintenance/applyUpdates/read Machine
Get list of update deployment Microsoft.Resources/deployments/read Maintenance configuration and virtual machine subscription
Create or update an update deployment Microsoft.Resources/deployments/write Maintenance configuration and virtual machine subscription
Get a list of update deployment operation statuses Microsoft.Resources/deployments/operationstatuses Maintenance configuration and virtual machine subscription
Read maintenance configuration assignment for InGuestPatch maintenance scope Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read Subscription/Resource group / machine
Create/modify maintenance configuration assignment for InGuestPatch maintenance scope Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write Subscription/Resource group / machine
Delete maintenance configuration assignment for InGuestPatch maintenance scope Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete Subscription/Resource group / machine
Read maintenance configuration for InGuestPatch maintenance scope Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read Subscription/resource group
Create/modify maintenance configuration for InGuestPatch maintenance scope Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write Subscription/resource group
Delete maintenance configuration for InGuestPatch maintenance scope Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete Subscription/resource group

Next steps