Contributor role is no longer assigned for a web app at the subscription level in Azure

This article describes a change in Configuration Manager current branch version 1810 and later versions: the Contributor role is no longer assigned to a web application at the subscription level.

Original product version:   Configuration Manager (current branch)
Original KB number:   4483868

Summary

Starting in Configuration Manager current branch version 1810, the classic service deployment in Azure is deprecated. When you create a cloud management gateway (CMG) by using the Azure Resource Manager (ARM) deployment type, Contributor role assignment is limited to resource groups when the service is deployed. Contributor role at the subscription level is no longer assigned for the web application. The web application will have only Read permission at the subscription level.

More information

For existing CMG cloud services, Contributor role assignment remains at the subscription level. If you want to restrict web application permissions at the subscription level, remove the Contributor role assignment at this level only. To do this, follow these steps:

  1. Open the Access control (IAM) blade for the resource group, and verify that the application has the Contributor role assigned.

    Screenshot of the Role assignments tab in the Access control blade.

  2. Open the IAM blade for the subscription, and then remove the Contributor role assignment for the application.

    Screenshot of the Remove button in the Access control blade.

Note

Don't delete the web app completely from the subscription. If you do that, Configuration Manager loses some dependencies on Azure objects.
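
The two portal steps above can also be scripted. The following is an added example, not part of the original article or a Microsoft-supplied script. It assumes the Az.Resources PowerShell module and a signed-in session for the subscription; the function name `Remove-CmgSubscriptionContributor` is hypothetical, and the subscription ID, resource group name, and application ID are placeholders that you supply.

```powershell
# Added example. Assumes Az.Resources is installed and Connect-AzAccount has been
# run with the target subscription selected. The function name is hypothetical.
function Remove-CmgSubscriptionContributor {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,   # resource group that holds the CMG
        [Parameter(Mandatory)] [string] $ApplicationId        # client ID of the web app
    )

    $subScope = "/subscriptions/$SubscriptionId"
    $rgScope  = "$subScope/resourceGroups/$ResourceGroupName"

    $sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
    if (-not $sp) { throw "No service principal found for application $ApplicationId." }

    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent
    # scopes, so compare the Scope property to see where each one is really set.
    $contributor = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $rgScope `
                         -RoleDefinitionName 'Contributor')
    $atResourceGroup = @($contributor | Where-Object { $_.Scope -eq $rgScope })
    $atSubscription  = @($contributor | Where-Object { $_.Scope -eq $subScope })

    # Step 1: the app must hold Contributor directly on the resource group.
    # An inherited subscription-level assignment does not count, because it
    # disappears in step 2.
    if ($atResourceGroup.Count -eq 0) {
        throw "Contributor is not assigned at $rgScope. Assign it there before removing the subscription-level assignment."
    }

    if ($atSubscription.Count -eq 0) {
        Write-Verbose "No Contributor assignment at $subScope. Nothing to remove."
        return
    }

    # Step 2: remove only the Contributor role assignment at the subscription
    # scope. The application and its service principal are left in place.
    if ($PSCmdlet.ShouldProcess($subScope, "Remove Contributor from '$($sp.DisplayName)'")) {
        Remove-AzRoleAssignment -ObjectId $sp.Id -Scope $subScope `
            -RoleDefinitionName 'Contributor'
    }
}

# Preview the change without applying it (placeholder values):
# Remove-CmgSubscriptionContributor -SubscriptionId '<subscription-id>' `
#     -ResourceGroupName '<cmg-resource-group>' -ApplicationId '<app-client-id>' -WhatIf
```

The function removes a role assignment only. It never deletes the application or its service principal, in line with the note above.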