I want to deny creation of VM but allow everything else on that including updating it.
I created a custom RBAC role to deny create and allow other stuff, but when I attached a disk to that VM I was denied because I didn't have permission to update the VM. In Azure RBAC, the "Create" covers both create and update.
So, I wanna allow update and deny create. Is there any other way, like with policies or something?
Since the "Create" in RBAC (Microsoft.Compute/virtualMachines/write) is for creating a new virtual machine or updating an existing virtual machine, if you deny this permission, the user is not allowed to update the VM either. The creating and updating operations are in the same permission. I don't think we can split it. Policies cannot do this for you either.
You should consider assigning this permission to as few users as possible to ensure that VMs are not created easily.
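The behaviour described in this answer can be reproduced with a simplified model of how a custom role's Actions and NotActions are evaluated. This is an added example, not part of the original answer: the role definition and the operation table are constructed for illustration, and only the VM-side action of each operation is modelled.

```python
from fnmatch import fnmatchcase

# Constructed custom role modelled on the one in the question:
# everything on virtual machines is granted, then write is subtracted.
CUSTOM_ROLE = {
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/write"],
}

# VM-side control-plane action each operation is authorized against.
# Creating a VM and changing an existing one both require .../write.
OPERATION_ACTION = {
    "create VM": "Microsoft.Compute/virtualMachines/write",
    "attach data disk": "Microsoft.Compute/virtualMachines/write",
    "start VM": "Microsoft.Compute/virtualMachines/start/action",
    "read VM": "Microsoft.Compute/virtualMachines/read",
    "delete VM": "Microsoft.Compute/virtualMachines/delete",
}


def _matches(patterns, action):
    """Case-insensitive wildcard match of an action against role patterns."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def is_allowed(role, action):
    """Effective permission = matched by Actions and not by NotActions."""
    return _matches(role["Actions"], action) and not _matches(
        role.get("NotActions", []), action
    )


def evaluate(role):
    """Map every modelled operation to the role's allow/deny decision."""
    return {op: is_allowed(role, act) for op, act in OPERATION_ACTION.items()}


def inseparable_operations():
    """Operations sharing one action string cannot be split by any role."""
    groups = {}
    for op, act in OPERATION_ACTION.items():
        groups.setdefault(act.lower(), []).append(op)
    return [sorted(ops) for ops in groups.values() if len(ops) > 1]


if __name__ == "__main__":
    for op, allowed in evaluate(CUSTOM_ROLE).items():
        print(f"{op:18} {'allowed' if allowed else 'DENIED'}")
    print("cannot be separated:", inseparable_operations())
```

Because the authorization decision only sees the action string, "create VM" and "attach data disk" always receive the same result whatever Actions and NotActions the role lists.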