4

I'm a dev. I have the WEBSITE CONTRIBUTOR role on my Azure function that our infrastructure team created. I can't see any functions listed in my function app in the portal, and this AJAX request fails when I try to expand the functions list in the side nav in the Azure portal:

Request URL: https://management.azure.com/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb?api-version=2016-09-01
Request Method: GET
Status Code: 403

The response body on this request contains this:

{"error":{"code":"AuthorizationFailed","message":"The client '{{my-organizational-username-here}}' with object id '{{my-organizationao-user-id-here}}' does not have authorization to perform action 'Microsoft.Web/hostingEnvironments/read' over scope '/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb'."}}

So what privileges do I need on my function app to be able to do things like see the functions, enable or disable individual functions, and generate API keys for a function?

Here is the screenshot of what I'm getting:

enter image description here

When I deploy the same code to an Azure function on my personal account (which I'm an administrator for), I see this:

enter image description here

I'm sure I won't get the administrator role in my organization's subscription, so what is the minimal set of privileges I can have so I can see my functions and perform basic configuration on them?

cobolstinks

2 Answers

2

With reader-level permission, you are restricted from checking inside a related function implementation in the function app. However, you can go to the Platform Features tab and navigate to All Settings to check out all settings related to the Function App (similar to a web app), though as expected the reader permission prevents you from modifying any setting.

For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).

enter image description here

You can make a custom role for your use case.

https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles

DixitArora-MSFT
0

Website Contributor means you can "manage websites (not web plans), but not access them". The Reader role gives you the right to read everything, but you cannot contribute.
These roles are built-in roles for Azure resources. You can find all of the Azure built-in RBAC roles in the Microsoft docs: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Your organization administrator can create a custom role for you if you need to be a Website Contributor and a Reader at the same time.

Mohamed Sahbi
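
An added example, not part of either answer and not Microsoft tooling: a Python check that extracts the denied action and scope from an `AuthorizationFailed` body like the one in the question, then tests whether a role definition's `Actions`/`NotActions` and an assignment scope would cover it. The role definitions, IDs and assignment scopes below are constructed placeholders, not the text of any built-in role.

```python
import json
import re

# Constructed sample: the error body from the question with placeholder IDs filled in.
SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb")
ERROR_BODY = json.dumps({"error": {"code": "AuthorizationFailed", "message": (
    "The client 'user@example.com' with object id "
    "'11111111-1111-1111-1111-111111111111' does not have authorization to perform "
    "action 'Microsoft.Web/hostingEnvironments/read' over scope '" + SCOPE + "'.")}})

# Hypothetical role definitions, for illustration only.
CURRENT_ROLE = {"Actions": ["Microsoft.Web/sites/*"], "NotActions": []}
CUSTOM_ROLE = {"Actions": ["Microsoft.Web/sites/*",
                           "Microsoft.Web/hostingEnvironments/read"],
               "NotActions": []}

def parse_denied(body):
    """Return (action, scope) from an AuthorizationFailed body, or None."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "AuthorizationFailed":
        return None
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'",
                  err.get("message", ""))
    return (m.group(1), m.group(2)) if m else None

def _matches(pattern, action):
    # Action strings compare case-insensitively; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """Granted if an Actions pattern matches and no NotActions pattern does."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def scope_covers(assignment_scope, resource_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a = [s for s in assignment_scope.lower().split("/") if s]
    r = [s for s in resource_scope.lower().split("/") if s]
    return r[:len(a)] == a

if __name__ == "__main__":
    action, scope = parse_denied(ERROR_BODY)
    print("denied:", action)
    print("current role grants it:", role_allows(CURRENT_ROLE, action))
    print("custom role grants it:", role_allows(CUSTOM_ROLE, action))
```

Both checks have to pass for the request to succeed: the role must grant the action, and the assignment must sit at or above the denied scope, which in the question is the hosting environment in resource group `mclintdevnc-ase-rg`.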