articles/governance/blueprints/overview.md
10 additions & 3 deletions
@@ -139,23 +139,30 @@ To delete blueprints, your account needs the following permissions:
-`Microsoft.Blueprint/blueprints/versions/delete`
> [!NOTE]
-
> The blueprint definition permissions must be granted or inherited on the management group or subscription scope where it is saved.
+
> The blueprint definition permissions must be granted or inherited on the management group or
+
> subscription scope where it is saved.
To assign or unassign a blueprint, your account needs the following permissions:
-`Microsoft.Blueprint/blueprintAssignments/write` - Assign a blueprint
-`Microsoft.Blueprint/blueprintAssignments/delete` - Unassign a blueprint
> [!NOTE]
-
> As blueprint assignments are created on a subscription, the blueprint assign and unassign permissions must be granted on a subscription scope or be inherited onto a subscription scope.
+
> As blueprint assignments are created on a subscription, the blueprint assign and unassign
+
> permissions must be granted on a subscription scope or be inherited onto a subscription scope.
All of the above permissions are included in the **Owner** role. The **Contributor** role has
create blueprint and delete blueprint permissions, but does not have blueprint assignment
permissions. If these built-in roles don't fit your security needs, consider creating a [custom
> The service principal for Azure Blueprint requires the **Owner** role on the assigned subscription in order to enable deployment. If using the portal, this role is automatically granted and revoked for the deployment. If using the REST API, this role must be manually granted, but is still automatically revoked after the deployment completes.
+
> If using a system-assigned managed identity, the service principal for Azure Blueprint requires
+
> the **Owner** role on the assigned subscription in order to enable deployment. If using the
+
> portal, this role is automatically granted and revoked for the deployment. If using the REST API,
+
> this role must be manually granted, but is still automatically revoked after the deployment
+
> completes. If using a user-assigned managed identity, only the user creating the blueprint
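Review bot: the rewritten NOTE on the Blueprint service principal (the added lines from "> If using a system-assigned managed identity" onward) only covers the happy path: it says the **Owner** role is "automatically revoked after the deployment completes", but not what happens when the assignment deployment fails or is cancelled, and a reader hardening a subscription needs to know whether a temporary Owner grant can outlive a failed run. For the REST API path, the sentence "this role must be manually granted" should also name the scope explicitly (the assigned subscription, as the first sentence of the same note already implies) so that nobody grants Owner at a management group to make an assignment work. The user-assigned managed identity branch ends mid-sentence in this hunk ("> completes. If using a user-assigned managed identity, only the user creating the blueprint"), so the contrast it draws with the system-assigned case, where the identity itself carries Owner, is not yet readable; finish that sentence and, since it changes who needs which permission, consider giving the user-assigned case its own NOTE instead of appending it to the system-assigned one. The other changes in the hunk (re-wrapping the two existing NOTE blocks at the column limit) do not alter wording and look fine.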