After planning and deploying Azure VMware Solution, the new private cloud's vCenter Server contains a built-in local user called cloudadmin, assigned to the CloudAdmin role. CloudAdmin carries a limited set of vCenter Server privileges rather than full Administrator rights, because the underlying infrastructure is managed by Microsoft.
Alternatively, create custom roles in the Azure VMware Solution environment that follow the principle of least privilege, granting only the privileges each group of users actually needs.
Additional Recommendations
As part of the Identity and Access Management Enterprise Scale Landing Zone (ESLZ), an Active Directory Domain Services (AD DS) domain controller is deployed in the Identity subscription.
Limit the number of users assigned to the CloudAdmin role. Use custom roles built on least privilege to grant users access to Azure VMware Solution instead of handing out CloudAdmin.
Use caution when rotating the cloudadmin and NSX-T admin passwords. HCX Connector stores these credentials, so update them there as part of every rotation to avoid lockouts. See "Rotate the cloudadmin credentials for Azure VMware Solution" in Microsoft Docs.
Limit Azure RBAC permissions for Azure VMware Solution to the resource group where the private cloud is deployed, and grant them only to the users who need to manage it.
Apply vSphere permissions (with custom roles) at the lowest level of the inventory hierarchy that meets the need, typically the VM folder or resource pool. Avoid granting permissions at or above the Datacenter level, where they propagate to every object in the private cloud.
Update Active Directory Sites and Services so that AD DS traffic from Azure and from Azure VMware Solution is directed to the appropriate domain controllers.
Use Run Command to:
Add Active Directory Domain Services (a domain controller) as an identity source for vCenter Server and NSX-T.
Perform lifecycle operations on the vsphere.local\CloudAdmins group, such as adding and removing Active Directory groups.
Create groups in Active Directory and use them for RBAC in vCenter Server and NSX-T: create custom roles and assign the Active Directory groups to those roles rather than to individual users.
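The recommendations above span two control planes: Azure RBAC on the private cloud resource, and vSphere permissions inside vCenter Server. The following script is an added example, not code from the original page or from Microsoft, showing both scoped the least-privilege way: a custom Azure role assignable only at the resource group, and a PowerCLI custom role bound to an Active Directory group on a VM folder instead of the Datacenter, followed by an audit of what is granted at or above the Datacenter level. The subscription ID, resource group, group names, vCenter FQDN, folder name and the specific action and privilege lists are assumptions for illustration; trim them to what your operators need. Managing the vsphere.local\CloudAdmins group itself is done through Run Command and is not shown here.

```powershell
# Added example (not from the original page): least-privilege wiring for an
# Azure VMware Solution private cloud on both planes it exposes.
#   1. Azure RBAC, scoped to the resource group that holds the private cloud.
#   2. vSphere permissions: a custom role bound to an AD DS group on a VM folder.
# Requires Az.Accounts, Az.Resources and VMware PowerCLI. All names are assumed.
#Requires -Modules Az.Accounts, Az.Resources, VMware.PowerCLI

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # assumed
$ResourceGroup  = 'rg-avs-prod'                              # assumed
$AvsOpsGroup    = 'sg-avs-operators'                         # Entra ID group, assumed
$VcenterFqdn    = 'vc.abc123.avs.azure.com'                 # assumed
$AdGroup        = 'CONTOSO\avs-app-operators'               # AD DS group, assumed
$VmFolder       = 'App-Tier-1'                               # assumed VM folder

# --- 1. Azure control plane -------------------------------------------------
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$rgScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

# Custom Azure role limited to AVS actions and assignable only at the RG scope.
# The action list is illustrative, not a recommended minimum.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null
$role.Name = 'AVS Private Cloud Operator (custom)'
$role.Description = 'Manage the AVS private cloud in its own resource group only'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.AVS/privateClouds/read')
$role.Actions.Add('Microsoft.AVS/privateClouds/write')
$role.Actions.Add('Microsoft.AVS/privateClouds/scriptExecutions/*')   # Run Command
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)
$customRole = New-AzRoleDefinition -Role $role

# Assign the role to the operators group at resource-group scope, never wider.
$opsGroup = Get-AzADGroup -DisplayName $AvsOpsGroup
New-AzRoleAssignment -ObjectId $opsGroup.Id `
                     -RoleDefinitionName $customRole.Name `
                     -Scope $rgScope | Out-Null

# --- 2. vSphere ---------------------------------------------------------------
Connect-VIServer -Server $VcenterFqdn `
                 -Credential (Get-Credential -Message 'cloudadmin') | Out-Null

# Privileges for a "power and console only" operator role (illustrative set;
# Get-VIPrivilege without -Id lists everything the private cloud offers).
$privIds = @(
  'VirtualMachine.Interact.PowerOn',
  'VirtualMachine.Interact.PowerOff',
  'VirtualMachine.Interact.Reset',
  'VirtualMachine.Interact.ConsoleInteract'
)
$vmOpsRole = New-VIRole -Name 'AppVmOperator' -Privilege (Get-VIPrivilege -Id $privIds)

# Bind the AD DS group to the role on the VM folder, not the Datacenter.
$folder = Get-Folder -Name $VmFolder -Type VM
New-VIPermission -Entity $folder -Principal $AdGroup -Role $vmOpsRole -Propagate $true | Out-Null

# Audit: every permission held at the inventory root or a Datacenter. Entries
# for principals other than the built-in vsphere.local accounts and groups are
# candidates to move down to a folder or resource pool.
$highLevel = @(Get-Folder -NoRecursion) + @(Get-Datacenter)
Get-VIPermission -Entity $highLevel |
  Where-Object { $_.Principal -notmatch '(?i)vsphere\.local' } |
  Select-Object Principal, Role, Entity, Propagate
```

The Azure role is cloned from Reader only to obtain a correctly shaped definition object; its Actions and AssignableScopes are cleared before the AVS-specific values are added, so nothing from Reader survives. On the vSphere side, Propagate is true so the role applies to VMs created later under the folder, which is the point of scoping at the folder: new workloads inherit the right permission without anyone touching the Datacenter.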