In Azure as a Resource Group contributor why can't I create Storage Accounts and what should be done to prevent this situation?

front-end | unresolved | 1 answer | 1880 views
感动是毒
感动是毒 2021-01-19 23:50

A Subscription admin at a customer granted me (an MS account) Contributor role on one of their Resource Groups.

When I try to create a Storage Account in that Resou

1 answer
  • 2021-01-20 00:46

    I logged into the Subscription via PowerShell and listed the available providers, and found that most are not registered. When I try to register, I get that error.

    The reason you're getting this error is because the Subscription Administrator has put you in Contributor role on a particular resource group. They have not granted you any permission on Microsoft.Storage resource provider. In order for you to register the subscription with this resource provider, you would need Write permission on Microsoft.Storage resource provider.

    You can either ask your Subscription Administrator to give you appropriate permissions or they can register the subscription with that resource provider.

    UPDATE - Follow Up Questions

    my understanding was that Contributor role simply allowed the specified user to create resources in the group.

    Your understanding is correct. With a Contributor role in a resource group, you should be able to create resources in there.

    At what point in this role assignment does the Subscription administrator specify which resources can be created and which not? Or is it that the limitation is somehow on the way the Subscription is set up?

    Well yes and no. So if you're assigned some blanket role like Contributor you should be able to create any kind of resources. However with Custom Roles, an administrator can get super creative and only allow you to create resources of a certain kind. However the Subscription should be registered with a resource provider before a resource of a kind can be created.

    The way I understand this whole thing is structured is that each product team in Azure is responsible for providing their own functionality. The central point in all of this is Azure Resource Manager which provides amongst other things Role-based Access Control.

    Let's take Azure Storage for example. The functionality to interact with storage accounts (from management perspective like creation, deletion etc.) is provided by Storage Team using something called Storage Resource Provider (SRP). So if you look closely, there's a resource provider for each and every feature. For reasons unknown to me, not all resource providers are available to you by default (could be the cost reason) and a Subscription Administrator must register his/her Subscription with that resource provider so that resources of that kind can be created in that Subscription.
