I am attempting to provide access to someone on my account using least-required access by creating an RBAC rule in Azure that gives the person the ability to manage, create, and delete networking resources.

However, when they attempt to delete the VNet integration of an existing function app, the option to disconnect the VNet integration is greyed out. They have the option to remove it when they have contributor access, but not with my custom role. I cannot find what permission they are missing. I could delete it myself, or give them contributor. But I do not want to do either of these, in order to get the correct RBAC policies working.

My custom role has many permissions including:

Microsoft.Network/*
Microsoft.ClassicNetwork/*
Microsoft.Network/virtualNetworks/*
Microsoft.Web/sites/networkConfig/read, write, delete
etc.

I’m clearly missing something but I don’t know what permission is lacking to cause this.

VNet integration disconnect missing.

I have been adding more and more permissions to the role. Anything with a description that even mentions a private endpoint or virtual network. None have worked.