Contributor role is no longer assigned for a web app at the subscription level in Azure

Applies to: System Center Configuration Manager (current branch - version 1810)

Summary


Starting in System Center Configuration Manager current branch version 1810, the classic service deployment in Azure is deprecated. When you create a cloud management gateway (CMG) by using the Azure Resource Manager (ARM) deployment type, Contributor role assignment is limited to resource groups when the service is deployed. Contributor role at the subscription level is no longer assigned for the web application. The web application will have only Read permission at the subscription level. 

More Information


For existing CMG cloud services, Contributor role assignment remains at the subscription level. If you want to restrict web application permissions at the subscription level, remove the Contributor role assignment at this level only. To do this, follow these steps:

  1. Open the Access control (IAM) blade for the resource group, and verify that the application has the CONTRIBUTOR role assigned.

    Access control in resource group
  2. Open the IAM blade for the subscription, and then remove the CONTRIBUTOR role assignment for the application.

    Access control in subscription

Note Don't delete the web app completely from the subscription. If you do that, Configuration Manager loses some dependencies on Azure objects.