Merge pull request #292731 from siddomala/SneakyPawUpdates

v-shils · web-flow · commit f22fca6c09ab · 2025-01-08T12:16:26.000-08:00
Permissions Update
diff --git a/articles/route-server/troubleshoot-route-server.md b/articles/route-server/troubleshoot-route-server.md
@@ -95,6 +95,14 @@ Azure Route Server drops routes with an ASN of 0 in the AS-Path. To ensure these
 
 When you advertise the same routes from your on-premises network to Azure over multiple ExpressRoute connections, normally ECMP is enabled by default for the traffic destined for these routes from Azure back to your on-premises network. Currently, when you deploy the Route Server, multiple-path information is lost in the BGP exchange between ExpressRoute and the Route Server, and consequently traffic from Azure will traverse only on one of the ExpressRoute connections.
 
+## Operational Issues
+
+### Why am I seeing an error about invalid scope and authorization to perform Route Server operations?
+
+If you see an error in the below format, then please make sure you have the following permissions configured: [Route Server Roles and Permissions](roles-permissions.md#permissions)
+
+Error message format: "The client with object id {} does not have authorization to perform action {} over scope {} or the scope is invalid. If access was recently granted, please refresh your credentials."
+
 ## Next step
 
 To learn how to create and configure Azure Route Server, see:
diff --git a/articles/virtual-wan/roles-permissions.md b/articles/virtual-wan/roles-permissions.md
@@ -4,7 +4,7 @@ titleSuffix: Azure Virtual WAN
 description: Learn about roles and permissions for a Virtual WAN Hub.
 author: siddomala
 ms.service: azure-virtual-wan
-ms.topic: concept-article
+ms.topic: conceptual
 ms.date: 12/13/2024
 ms.author: cherylmc
 
@@ -16,7 +16,8 @@ Because of this, it's essential to verify permissions on all involved resources
 
 ## Azure built-in roles
 
-You can choose to assign [Azure built-in roles](../role-based-access-control/built-in-roles.md) to a user, group, service principal, or managed identity such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which support all the required permissions for creating the gateway.
+You can choose to assign [Azure built-in roles](../role-based-access-control/built-in-roles.md) to a user, group, service principal, or managed identity such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which support all the required permissions for creating resources related to Virtual WAN.
+
 For more information, see [Steps to assign an Azure role](../role-based-access-control/role-assignments-steps.md).
 
 ## Custom roles
@@ -25,16 +26,107 @@ If the [Azure built-in roles](../role-based-access-control/built-in-roles.md) do
 Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.
 For more information, see [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)  .
 
-To ensure proper functionality, check your custom role permissions to confirm user service principals, and managed identities operating the VPN gateway have the necessary permissions.
+To ensure proper functionality, check your custom role permissions to confirm user service principals, and managed identities interacting with Virtual WAN have the necessary permissions.
 To add any missing permissions listed here, see [Update a custom role](../role-based-access-control/custom-roles-portal.md#update-a-custom-role).
 
-## Permissions
+The following custom roles are a few example roles you can create in your tenant if you don't want to leverage more generic built-in roles such as Network Contributor or Contributor. 
+
+### Virtual WAN Administrator
+
+The Virtual WAN Administrator role has the ability to perform all operations related to the Virtual Hub, including managing connections to Virtual WAN and configuring routing.
+
+```
+{
+  "Name": "Virtual WAN Administrator",
+  "IsCustom": true,
+  "Description": "Can perform all operations related to the Virtual WAN, including managing connections to Virtual WAN and configuring routing in each hub.",
+  "Actions": [
+    "Microsoft.Network/virtualWans/*",
+    "Microsoft.Network/virtualHubs/*",
+    "Microsoft.Network/azureFirewalls/read",
+    "Microsoft.Network/networkVirtualAppliances/*/read",
+    "Microsoft.Network/securityPartnerProviders/*/read",
+    "Microsoft.Network/expressRouteGateways/*",
+    "Microsoft.Network/vpnGateways/*",
+    "Microsoft.Network/p2sVpnGateways/*",
+    "Microsoft.Network/virtualNetworks/peer/action"
+
+  ],
+  "NotActions": [],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/{subscriptionId1}",
+    "/subscriptions/{subscriptionId2}"
+  ]
+}
+```
+
+### Virtual WAN Reader
+
+The Virtual WAN reader role has the ability to view and monitor all Virtual WAN-related resources, but can't perform any updates.
+
+```
+{
+  "Name": "Virtual WAN Reader",
+  "IsCustom": true,
+  "Description": "Can read and monitor all Virtual WAN resources, but cannot modify Virtual WAN resources.",
+  "Actions": [
+    "Microsoft.Network/virtualWans/*/read",
+    "Microsoft.Network/virtualHubs/*/read",
+    "Microsoft.Network/expressRouteGateways/*/read",
+    "Microsoft.Network/vpnGateways/*/read",
+    "Microsoft.Network/p2sVpnGateways/*/read"
+    "Microsoft.Network/networkVirtualAppliances/*/read
+  ],
+  "NotActions": [],
+  "DataActions": [],
+  "NotDataActions": [],
+  "AssignableScopes": [
+    "/subscriptions/{subscriptionId1}",
+    "/subscriptions/{subscriptionId2}"
+  ]
+}
+```
+## Required Permissions
+
+Creating or updating Virtual WAN resources requires you to have the proper permission(s) to create that Virtual WAN resource type. In some scenarios, having permissions to create or update that resource type is sufficient. However, in many scenarios, updating a Virtual WAN resource that has a **reference** to another Azure resource requires you to have permissions over both the created resource **and** any referenced resources.
+
+### Example 1
+
+When a connection is created between a Virtual WAN hub and a spoke Virtual Network, Virtual WAN's control plane creates a Virtual Network peering between the Virtual WAN hub and your spoke Virtual Network. You can also specify the Virtual WAN route tables to which the Virtual Network connection is associating to or propagating to.
+
+Therefore, to create a Virtual Network connection to the Virtual WAN hub, you must have the following permissions:
+
+* Create a Hub Virtual Network connection (Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/write)
+* Create a Virtual Network peering with the spoke Virtual Network (Microsoft.Network/virtualNetworks/peer/action)
+* Read the route table(s) that the Virtual Network connections are referencing (Microsoft.Network/virtualhubs/hubRouteTables/read)
 
-When creating or updating the resources below, add the appropriate permissions from the following list:
+If you want to associate an inbound or out-bound route map is associated with the Virtual Network connection, you need an additional permission:
+
+* Read the route map(s) that is applied to the Virtual Network connection (Microsoft.Network/virtualHubs/routeMaps/read).
+
+### Example 2
+
+To create or modify routing intent, a routing intent resource is created with a reference to the next hop resources specified in the routing intent's routing policy. This means that to create or modify routing intent, you need permissions over any referenced Azure Firewall or Network Virtual Appliance resource(s).
+
+If the next hop for a hub's private routing intent policy is a Network Virtual Appliance and the next hop for a hub's internet policy is an Azure Firewall, creating or updating a routing intent resource requires the following permissions.
+
+* Create routing intent resource. (Microsoft.Network/virtualhubs/routingIntents/write)
+* Reference (read) the Network Virtual Appliance resource (Microsoft.Network/networkVirtualAppliances/read)
+* Reference (read) the Azure Firewall resource (Microsoft.Network/azureFirewalls)
+
+In this example, you do **not** need permissions to read Microsoft.Network/securityPartnerProviders resources because the routing intent configured does not reference a third-party security provider resource.
+
+## Additional permissions required due to referenced resources
+
+The following section describes the set of possible permissions that are needed to create or modify Virtual WAN resources.
+
+Depending on your Virtual WAN configuration, the user or service principal that is managing your Virtual WAN deployments may need all, a subset or none of the below permissions. 
 
 ### Virtual hub resources
 
-|Resource | Required Azure permissions |
+|Resource | Required Azure permissions due to resource references |
 |---|---|
 | virtualHubs | Microsoft.Network/virtualNetworks/peer/action <br>Microsoft.Network/virtualWans/join/action  |
 | virtualHubs/hubVirtualNetworkConnections | Microsoft.Network/virtualNetworks/peer/action <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/virtualHubs/hubRouteTables/read |
@@ -44,26 +136,27 @@ When creating or updating the resources below, add the appropriate permissions f
 
 ### ExpressRoute gateway resources
 
-|Resource | Required Azure permissions |
+|Resource | Required Azure permissions due to resource references |
 |---|---|
 | expressroutegateways | Microsoft.Network/virtualHubs/read  <br>Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/expressRouteGateways/expressRouteConnections/read <br>Microsoft.Network/expressRouteCircuits/join/action |
 | expressRouteGateways/expressRouteConnections | Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/expressRouteCircuits/join/action | 
 
 
 ### VPN resources
 
-|Resource | Required Azure permissions |
+|Resource | Required Azure permissions due to resource references |
 |---|---|
 | p2svpngateways  | Microsoft.Network/virtualHubs/read  <br>Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/vpnServerConfigurations/read  |
 | p2sVpnGateways/p2sConnectionConfigurations  | Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read | 
-| vpngateways  | Microsoft.Network/virtualHubs/read  <br>Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/vpnGateways/vpnConnections/read | 
+| vpnGateways  | Microsoft.Network/virtualHubs/read  <br>Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/vpnGateways/vpnConnections/read | 
 | vpnsites  | Microsoft.Network/virtualWans/read  | 
+| vpnGateways/vpnConnections | Microsoft.Network/virtualHubs/read <br>Microsoft.Network/virtualHubs/hubRouteTables/read <br>Microsoft.Network/virtualHubs/routeMaps/read |
 
 ### NVA resources
 
 NVAs (Network Virtual Appliances) in Virtual WAN are typically deployed through Azure managed applications or directly via NVA orchestration software. For more information on how to properly assign permissions to managed applications or NVA orchestration software, see instructions [here](https://aka.ms/nvadeployment).
 
-|Resource | Required Azure permissions |
+|Resource | Required Azure permissions due to resource references |
 |---|---|
 | networkVirtualAppliances  | Microsoft.Network/virtualHubs/read  |
 | networkVirtualAppliances/networkVirtualApplianceConnections  | Microsoft.Network/virtualHubs/routeMaps/read <br>Microsoft.Network/virtualHubs/hubRouteTables/read | 
@@ -83,6 +176,12 @@ For more information, see [Scope levels](../role-based-access-control/scope-over
 > [!NOTE]
 > Allow sufficient time for [Azure Resource Manager cache](../role-based-access-control/troubleshooting.md) to refresh after role assignment changes.
 
+## Permissions Error 
+
+If you see an error in the following format, then please make sure you have the above permissions properly configured. 
+
+Error message format: "The client with object id {} does not have authorization to perform action {} over scope {} or the scope is invalid. If access was recently granted, please refresh your credentials."
+
 ## Additional services
 
 To view roles and permissions for other services, see the following links:
diff --git a/articles/virtual-wan/virtual-wan-faq.md b/articles/virtual-wan/virtual-wan-faq.md
@@ -32,6 +32,12 @@ Virtual WAN partners provide automation for connectivity, which is the ability t
 
 Virtual WAN comes in two flavors: Basic and Standard. In Basic Virtual WAN, hubs aren't meshed. In a Standard Virtual WAN, hubs are meshed and automatically connected when the virtual WAN is first set up. The user doesn't need to do anything specific. The user also doesn't have to disable or enable the functionality to obtain meshed hubs. Virtual WAN provides you with many routing options to steer traffic between any spoke (VNet, VPN, or ExpressRoute). It provides the ease of fully meshed hubs, and also the flexibility of routing traffic per your needs.
 
+### Why am I seeing an error about invalid scope and authorization to perform operations on Virtual WAN resources?
+
+If you see an error in the below format, then please make sure you have the following permissions configured: [Virtual WAN Roles and Permissions](roles-permissions.md#required-permissions)
+
+Error message format: "The client with object id {} does not have authorization to perform action {} over scope {} or the scope is invalid. If access was recently granted, please refresh your credentials."
+
 ### How are Availability Zones and resiliency handled in Virtual WAN?
 
 Virtual WAN is a collection of hubs and services made available inside the hub. The user can have as many Virtual WAN per their need. In a Virtual WAN hub, there are multiple services like VPN, ExpressRoute etc. Each of these services is automatically deployed across Availability Zones (except Azure Firewall), if the region supports Availability Zones. If a region becomes an Availability Zone after the initial deployment in the hub, the user can recreate the gateways, which will trigger an Availability Zone deployment. All gateways are provisioned in a hub as active-active, implying there's resiliency built in within a hub. Users can connect to multiple hubs if they want resiliency across regions.
