How To: Get Started With Hyper-V Permissions

Defining the security model for your first foray with Hyper-V.

Administrators who want to use Hyper-V in any capacity need to define a security model that fits their requirements. The Hyper-V role manages permissions through the Authorization Manager framework. This can be used in conjunction with System Center Virtual Machine Manager (SCVMM), or independently for smaller implementations that use Hyper-V Manager with the Hyper-V role on servers.

Authorization Manager, or Azman, allows administrators to build permissions around roles. Azman includes 32 configurable operations for Hyper-V Manager. There are Administrator and User built-in roles, and custom roles can be added and assigned to various Windows groups or users.

  1. Run "azman.msc" to open up the base console.
  2. Open the Authorization Store .XML file for Hyper-V. The location for default installations is C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.

Within the Hyper-V Authorization Store, roles can be created for specific virtual machine (VM)-related tasks. Administrators can create roles from 32 operations available for permission assignment. These include VM console access, start and stop functions, networking configuration and more. Fig. 1 shows a role being created and the list of configurable operations being selected.

Figure 1. Role definitions are created in the Hyper-V authorization store.

Once a role definition is created, permissions are assigned to that role. Again in the Hyper-V Authorization Store, we can now assign a user or group to the newly created role (see Fig. 2).

Figure 2. After role definitions are created, users or groups are associated with that role.

At that point, the users can perform the actions configured for their role in the Hyper-V Authorization Store. Plan this configuration carefully; basic guidelines include applying everything through group permissions and never over-granting privileges.
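The following PowerShell is an added example, not from the original article: it reads the store through the Azman COM interface and lists each role assignment's members and granted operations, flagging members that are individual user accounts rather than groups. The application name `Hyper-V services`, the helper name `Get-TaskOperation` and the use of `Win32_Account` to classify SIDs are assumptions; only application-level role assignments are covered.

```powershell
# Added example: read-only audit of role assignments in the Hyper-V Azman store.
$storePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'  # default path from the article
$appName   = 'Hyper-V services'  # assumption: application name in a default store

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")   # 0 = open an existing store
$app = $store.OpenApplication($appName)

function Get-TaskOperation([string]$TaskName) {
    # Role definitions are stored as tasks; expand nested tasks to operation names.
    $task = $app.OpenTask($TaskName)
    $task.Operations | Where-Object { $_ }
    $task.Tasks | Where-Object { $_ } | ForEach-Object { Get-TaskOperation $_ }
}

$report = foreach ($role in $app.Roles) {
    # A role can carry operations directly and through its role definitions.
    $ops  = @($role.Operations | Where-Object { $_ })
    $ops += @($role.Tasks | Where-Object { $_ } | ForEach-Object { Get-TaskOperation $_ })
    $ops  = @($ops | Sort-Object -Unique)

    foreach ($sid in ($role.Members | Where-Object { $_ })) {
        # SIDType 1 is a user account; 2, 4 and 5 are group types.
        $acct = Get-CimInstance Win32_Account -Filter "SID='$sid'"
        [pscustomobject]@{
            Role       = $role.Name
            Member     = if ($acct) { $acct.Caption } else { $sid }
            DirectUser = [bool]($acct -and $acct.SIDType -eq 1)
            Unresolved = -not $acct
            OpCount    = $ops.Count
            Operations = $ops -join ', '
        }
    }
}

$report | Sort-Object Role, Member |
    Format-Table Role, Member, DirectUser, Unresolved, OpCount -AutoSize
# Direct user assignments break the "groups only" guideline; review these first.
$report | Where-Object { $_.DirectUser -or $_.Unresolved }
```

A high `OpCount` on a custom role is the place to look for over-granted privileges; the `Operations` column lists exactly what that role allows.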

This is straightforward stuff for Microsoft folks, but it may not be as intuitive for administrators familiar with assigning roles in VMware.

Send me an e-mail, or post any tricks you’ve done with permissions for Hyper-V below, including some crafty Group Policy Objects.

About the Author

Rick Vanover (Cisco Champion, Microsoft MVP, VMware vExpert) is based in Columbus, Ohio. Vanover's experience includes systems administration and IT management, with virtualization, cloud and storage technologies being the central theme of his career recently. Follow him on Twitter @RickVanover.

