How to manage Azure user groups and permissions
UKCloud for Microsoft Azure provides you with three default user groups to get you started:
AzureStackOperators - Members of this group have Owner permissions and have full access to all resources and can manage access to resources
AzureStackUsers - Members of this group have Contributor permissions and can create and manage all resources but cannot manage access to resources
AzureStackReadOnly - Members of this group have Reader permissions and can view everything but cannot make changes
If these default groups do not meet your requirements, for example, if you've created a custom role and want to grant users the permissions specified by that role, you can create new groups and assign roles and permissions to them.
To complete the steps in this guide you must have global administrator access to the Azure portal and Owner access to the Azure Stack portal.
Creating a group for Azure users
Rather than granting permissions to individual users, we recommend that you first create a group and add your Azure users to that group.
To create a group in the Azure portal:
Log in to the Azure portal as a global administrator:
Navigate to the Azure Active Directory.
You can find the Azure Active Directory by selecting All services and scrolling down to the Security + Identity section.
Select Groups and then All groups.
Click the New group option.
From the Group type list, select Security.
In the Group name field, enter a name for the group, for example,
In the Group description field, enter a brief, but meaningful description for the group.
From the Membership type list, select Assigned.
To add users to the group, open the group, select Members then click Add members.
Granting Azure permissions
After setting up the user group in Azure, you need to go to the Azure Stack portal to grant the appropriate permissions to the group.
To grant Azure permissions to a group:
Log in to the Azure Stack portal:
Navigate to Subscriptions.
If you can't see Subscriptions in your favourites panel, click More services and then Subscriptions. You can add Subscriptions to your favourites panel by clicking the star icon.
Select your subscription for UKCloud for Microsoft Azure.
Select Access control (IAM).
Click the Add option.
From the Role list, select the appropriate role that you want to assign to the group.
In the Select field, enter the name of the group you created in Creating a group for UKCloud for Microsoft Azure users.
For more information about Azure Stack, see the following Microsoft resources:
For more information about UKCloud for Microsoft Azure, see:
If you have any comments on this document or any other aspect of your UKCloud experience, send them to firstname.lastname@example.org.