How to manage Azure user groups and permissions
UKCloud for Microsoft Azure provides you with three default user groups to get you started:
AzureStackOperators - Members of this group have Owner permissions and have full access to all resources and can manage access to resources
AzureStackUsers - Members of this group have Contributor permissions and can create and manage all resources but cannot manage access to resources
AzureStackReadOnly - Members of this group have Reader permissions and can view everything but cannot make changes
If these default groups do not meet your requirements, for example, if you've created a custom role and want to grant users the permissions specified by that role, you can create new groups and assign roles and permissions to them.
To complete the steps in this guide you must have global administrator access to the Azure portal and Owner access to the UKCloud Azure Stack Hub portal.
Creating a group for Azure users
Rather than granting permissions to individual users, we recommend that you first create a group and add your Azure users to that group.
To create a group in the Azure portal:
Log in to the public Azure portal as a global administrator.
For help with identifying your Azure global administrators, see here
Navigate to the Azure Active Directory.
You can find the Azure Active Directory by selecting All services and scrolling down to the Security + Identity section.
Select Groups and then All groups.
Click the New group option.
From the Group type list, select Security.
In the Group name field, enter a name for the group, for example,
In the Group description field, enter a brief, but meaningful description for the group.
There are two possible options for the Membership type field: Assigned or Dynamic.
The Dynamic option requires at least a Premium P1 license in Azure AD. If you do not meet this requirement, the dropdown is automatically set to Assigned and you will not be able to select the Dynamic option.
To add users to the group, open the group, select Members then click Add members.
Granting Azure permissions
After setting up the user group in Azure, you need to go to the UKCloud Azure Stack Hub portal to grant the appropriate permissions to the group.
To grant Azure permissions to a group:
Log in to the UKCloud Azure Stack Hub portal.
Navigate to Subscriptions.
If you can't see Subscriptions in your favourites panel, click All services and then Subscriptions. You can add Subscriptions to your favourites panel by clicking the star icon.
Select your subscription for UKCloud for Microsoft Azure.
Select Access control (IAM).
Click the Add option, then click Add role assignment.
From the Role list, select the appropriate role that you want to assign to the group.
In the Select field, enter the name of the group you created in Creating a group for Azure users.
For more information about Azure Stack Hub, see the following Microsoft resources:
For more information about UKCloud for Microsoft Azure, see:
If you find a problem with this article, click Improve this Doc to make the change yourself or raise an issue in GitHub. If you have an idea for how we could improve any of our services, send an email to firstname.lastname@example.org.