Commit 2afb503

Merge pull request #85759 from aalewismsft/patch-2
Updated "Configure role assignments" section
2 parents 1dd7057 + 5fc7232 commit 2afb503

1 file changed

+5
-3
lines changed

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 5 additions & 3 deletions
@@ -164,7 +164,7 @@ Now that you've created the VM, you need to configure Azure RBAC policy to deter
164164
- **Virtual Machine User Login**: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
165165

166166
> [!NOTE]
167-
> To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.
167+
> To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or Virtual Machine User Login role to the Resource Group containing the VM and its associated Virtual Network, Network Interface, Public IP Address or Load Balancer resources. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over RDP. This is to provide audited separation between the set of people who control virtual machines versus the set of people who can access virtual machines.
168168
169169
There are multiple ways you can configure role assignments for VM:
170170

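Review bot: the added sentence on line 167 moves the required scope from the VM to the whole resource group without saying why or what it implies. A role assigned at resource group scope is inherited by every resource in that group, so the user gains RDP login on all VMs there, not only the intended one. The note should say so, and should explain why the Virtual Network, Network Interface, Public IP Address or Load Balancer resources need to be covered. On wording, roles are assigned to a user at a scope, so "assign ... at the scope of the resource group" is more accurate than "to the Resource Group". While the line is being touched, "An Azure user ... do not" should become "does not".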
@@ -178,6 +178,8 @@ There are multiple ways you can configure role assignments for VM:
178178

179179
To configure role assignments for your Azure AD enabled Windows Server 2019 Datacenter VMs:
180180

181+
1. Select the **Resource Group** containing the VM and its associated Virtual Network, Network Interface, Public IP Address or Load Balancer resource.
182+
181183
1. Select **Access control (IAM)**.
182184

183185
1. Select **Add** > **Add role assignment** to open the Add role assignment page.
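Review bot: the new step on line 181 selects a resource group, but the lead sentence on line 179 still says the role assignments are for "your Azure AD enabled Windows Server 2019 Datacenter VMs", so the procedure no longer matches its own introduction. Suggest rewording the lead sentence to name the resource group as the assignment scope, or adding a clause to step 1 that the assignment then applies to the VMs in that group. The step also ends in "Load Balancer resource" where the note changed at line 167 uses "resources"; use the same form in both places.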
@@ -197,12 +199,12 @@ The following example uses [az role assignment create](/cli/azure/role/assignmen
197199

198200
```AzureCLI
199201
$username=$(az account show --query user.name --output tsv)
200-
$vm=$(az vm show --resource-group myResourceGroup --name myVM --query id -o tsv)
202+
$rg=$(az group show --resource-group myResourceGroup --query id -o tsv)
201203
202204
az role assignment create \
203205
--role "Virtual Machine Administrator Login" \
204206
--assignee $username \
205-
--scope $vm
207+
--scope $rg
206208
```
207209

208210
> [!NOTE]
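Review bot: `--scope $rg` on line 207 now grants "Virtual Machine Administrator Login" over every VM in myResourceGroup, where the removed `--scope $vm` limited it to myVM. For an administrator-level login role that is a significant widening, and the text introducing the example should state it or keep the VM-scoped form as the narrower alternative. Separately, the new `$rg=$(...)` line on 202 copies the `$name=` assignment form of the `$username` line, which is not a valid assignment in bash, while the `\` line continuations are not valid in PowerShell; the block should pick one shell. `$username` and `$rg` should also be quoted where they are passed to `--assignee` and `--scope`.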
