diff --git a/installing/installing_azure/installing-azure-account.adoc b/installing/installing_azure/installing-azure-account.adoc index 81122d18072e..03046f9be46f 100644 --- a/installing/installing_azure/installing-azure-account.adoc +++ b/installing/installing_azure/installing-azure-account.adoc @@ -26,6 +26,8 @@ include::modules/installation-azure-increasing-limits.adoc[leveloffset=+1] include::modules/installation-azure-permissions.adoc[leveloffset=+1] +include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+1] + include::modules/installation-azure-service-principal.adoc[leveloffset=+1] [role="_additional-resources"] @@ -42,5 +44,4 @@ include::modules/installation-azure-regions.adoc[leveloffset=+1] * Install an {product-title} cluster on Azure. You can xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[install a customized cluster] or -xref:../../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[quickly install a cluster] -with default options. +xref:../../installing/installing_azure/installing-azure-default.adoc#installing-azure-default[quickly install a cluster] with default options. \ No newline at end of file diff --git a/installing/installing_azure/installing-azure-user-infra.adoc b/installing/installing_azure/installing-azure-user-infra.adoc index 74daabed25b5..6a819f5a5b72 100644 --- a/installing/installing_azure/installing-azure-user-infra.adoc +++ b/installing/installing_azure/installing-azure-user-infra.adoc @@ -51,6 +51,7 @@ include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2] include::modules/csr-management.adoc[leveloffset=+2] include::modules/installation-azure-permissions.adoc[leveloffset=+2] +include::modules/minimum-required-permissions-upi-azure.adoc[leveloffset=+2] include::modules/installation-azure-service-principal.adoc[leveloffset=+2] [role="_additional-resources"] 
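Review bot: the second hunk of installing/installing_azure/installing-azure-account.adoc drops the file's trailing newline (`\ No newline at end of file`) while only joining the two `xref:` lines into one; keep the final newline so the file ends cleanly and the next change to that line does not show up as a spurious whole-line diff. The join itself is fine, since the rendered sentence is unchanged.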
diff --git a/modules/installation-azure-create-resource-group-and-identity.adoc b/modules/installation-azure-create-resource-group-and-identity.adoc index 3bb2db2fe247..00b7ce116ce1 100644 --- a/modules/installation-azure-create-resource-group-and-identity.adoc +++ b/modules/installation-azure-create-resource-group-and-identity.adoc @@ -73,6 +73,17 @@ $ export RESOURCE_GROUP_ID=`az group show -g ${RESOURCE_GROUP} --query id --out ---- $ az role assignment create --assignee "${PRINCIPAL_ID}" --role 'Contributor' --scope "${RESOURCE_GROUP_ID}" ---- ++ +[NOTE] +==== +If you want to assign a custom role with all the required permissions to the identity, run the following command: +[source,terminal] +---- +$ az role assignment create --assignee "${PRINCIPAL_ID}" --role \ <1> +--scope "${RESOURCE_GROUP_ID}" +---- +<1> Specifies the custom role name. +==== endif::azure[] ifeval::["{context}" == "installing-azure-user-infra"] diff --git a/modules/installation-azure-finalizing-encryption.adoc b/modules/installation-azure-finalizing-encryption.adoc index 315eab9466f9..84bfe847e7eb 100644 --- a/modules/installation-azure-finalizing-encryption.adoc +++ b/modules/installation-azure-finalizing-encryption.adoc 
@@ -6,12 +6,30 @@ // * installing/installing_azure/installing-azure-private.adoc // * installing/installing_azure/installing-azure-vnet.adoc + +ifeval::["{context}" == "installing-azure-customizations"] +:azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:azure-gov: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] +:azure-public: +endif::[] + :_content-type: PROCEDURE [id="finalizing-encryption_{context}"] = Finalizing user-managed encryption after installation If you installed {product-title} using a user-managed encryption key, you can complete the installation by creating a new storage class and granting write permissions to the Azure cluster resource group. .Procedure + . Obtain the identity of the cluster resource group used by the installer: .. If you specified an existing resource group in `install-config.yaml`, obtain its Azure identity by running the following command: + @@ -63,6 +81,7 @@ $ az identity show -g \// <1> <1> Specifies the name of the cluster resource group created by the installation program. <2> Specifies the name of the cluster service principal created by the installation program. The identity is in the format of `12345678-1234-1234-1234-1234567890`. +ifdef::azure-gov[] . Create a role assignment that grants the cluster service principal `Contributor` privileges to the disk encryption set by running the following command: + [source,terminal] 
@@ -73,6 +92,20 @@ $ az role assignment create --assignee \// <1> ---- <1> Specifies the ID of the cluster service principal obtained in the previous step. <2> Specifies the ID of the disk encryption set. +endif::azure-gov[] +ifdef::azure-public[] +. Create a role assignment that grants the cluster service principal necessary privileges to the disk encryption set by running the following command: ++ +[source,terminal] +---- +$ az role assignment create --assignee \// <1> + --role \// <2> + --scope \// <3> +---- +<1> Specifies the ID of the cluster service principal obtained in the previous step. +<2> Specifies the Azure role name. You can use the `Contributor` role or a custom role with the necessary permissions. +<3> Specifies the ID of the disk encryption set. +endif::azure-public[] + . Create a storage class that uses the user-managed disk encryption set: .. Save the following storage class definition to a file, for example `storage-class-definition.yaml`: @@ -102,3 +135,21 @@ volumeBindingMode: WaitForFirstConsumer $ oc create -f storage-class-definition.yaml ---- . Select the `managed-premium` storage class when you create persistent volumes to use encrypted storage. + + + +ifeval::["{context}" == "installing-azure-customizations"] +:!azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-government-region"] +:!azure-gov: +endif::[] +ifeval::["{context}" == "installing-azure-network-customizations"] +:!azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-private"] +:!azure-public: +endif::[] +ifeval::["{context}" == "installing-azure-vnet"] +:!azure-public: +endif::[] \ No newline at end of file diff --git a/modules/installation-azure-permissions.adoc b/modules/installation-azure-permissions.adoc index ebc15ade2836..8fbca39ce62f 100644 --- a/modules/installation-azure-permissions.adoc +++ b/modules/installation-azure-permissions.adoc 
@@ -11,6 +11,4 @@ * `User Access Administrator` * `Owner` -To set roles on the Azure portal, see the -link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Manage access to Azure resources using RBAC and the Azure portal] -in the Azure documentation. +To set roles on the Azure portal, see the link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Manage access to Azure resources using RBAC and the Azure portal] in the Azure documentation. \ No newline at end of file diff --git a/modules/installation-azure-service-principal.adoc b/modules/installation-azure-service-principal.adoc index 49abcfe1690b..22a19537e354 100644 --- a/modules/installation-azure-service-principal.adoc +++ b/modules/installation-azure-service-principal.adoc @@ -11,6 +11,12 @@ endif::[] ifeval::["{context}" == "installing-azure-stack-hub-account"] :ash: endif::[] +ifeval::["{context}" == "installing-azure-account"] +:ipi: +endif::[] +ifeval::["{context}" == "installing-azure-user-infra"] +:upi: +endif::[] :_content-type: PROCEDURE [id="installation-azure-service-principal_{context}"] 
@@ -22,6 +28,12 @@ Because {product-title} and its installation program create Microsoft Azure reso * Install or update the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest[Azure CLI]. * Your Azure account has the required roles for the subscription that you use. +ifdef::ipi[] +* If you want to use a custom role, you have created a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the required permissions listed in the _Required Azure permissions for installer-provisioned infrastructure_ section. +endif::ipi[] +ifdef::upi[] +* If you want to use a custom role, you have created a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the required permissions listed in the _Required Azure permissions for user-provisioned infrastructure_ section. +endif::upi[] .Procedure @@ -167,6 +179,7 @@ endif::[] . Record the `tenantId` and `id` parameter values from the output. You need these values during the {product-title} installation. +ifdef::ash[] . Create the service principal for your account: + [source,terminal] 
@@ -181,6 +194,35 @@ $ az ad sp create-for-rbac --role Contributor --name \ <1> [source,terminal] ---- Creating 'Contributor' role assignment under scope '/subscriptions/' +The output includes credentials that you must protect. Be sure that you do not +include these credentials in your code or check the credentials into your source +control. For more information, see https://aka.ms/azadsp-cli +{ + "appId": "ac461d78-bf4b-4387-ad16-7e32e328aec6", + "displayName": ", + "password": "00000000-0000-0000-0000-000000000000", + "tenantId": "8049c7e9-c3de-762d-a54e-dc3f6be6a7ee" +} +---- +endif::ash[] + +ifndef::ash[] +. Create the service principal for your account: ++ +[source,terminal] +---- +$ az ad sp create-for-rbac --role \// <1> + --name \// <2> + --scopes /subscriptions/ <3> +---- +<1> Defines the role name. You can use the `Contributor` role, or you can specify a custom role which contains the necessary permissions. +<2> Defines the service principal name. +<3> Specifies the subscription ID. ++ +.Example output +[source,terminal] +---- +Creating 'Contributor' role assignment under scope '/subscriptions/' The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli @@ -191,12 +233,13 @@ control. For more information, see https://aka.ms/azadsp-cli "tenantId": "8049c7e9-c3de-762d-a54e-dc3f6be6a7ee" } ---- +endif::ash[] . Record the values of the `appId` and `password` parameters from the previous output. You need these values during {product-title} installation. ifndef::ash[] -. Assign the `User Access Administrator` role by running the following command: +. If you applied the `Contributor` role to your service principal, assign the `User Administrator Access` role by running the following command: + [source,terminal] ---- 
@@ -212,3 +255,9 @@ endif::[] ifeval::["{context}" == "installing-azure-stack-hub-account"] :!ash: endif::[] +ifeval::["{context}" == "installing-azure-account"] +:!ipi: +endif::[] +ifeval::["{context}" == "installing-azure-user-infra"] +:!upi: +endif::[] \ No newline at end of file diff --git a/modules/minimum-required-permissions-ipi-azure.adoc b/modules/minimum-required-permissions-ipi-azure.adoc new file mode 100644 index 000000000000..bc7f7bb8eed1 --- /dev/null +++ b/modules/minimum-required-permissions-ipi-azure.adoc 
@@ -0,0 +1,280 @@ +// Module included in the following assemblies: +// +// * installing/installing_azure/installing-azure-account.adoc + +[id="minimum-required-permissions-ipi-azure_{context}"] += Required Azure permissions for installer-provisioned infrastructure + +When you assign `Contributor` and `User Access Administrator` roles to the service principal, you automatically grant all the required permissions. + +If your organization's security policies require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions. The following permissions are required for creating an {product-title} cluster on Microsoft Azure. + +.Required permissions for creating authorization resources +[%collapsible] +==== +* `Microsoft.Authorization/policies/audit/action` +* `Microsoft.Authorization/policies/auditIfNotExists/action` +* `Microsoft.Authorization/roleAssignments/read` +* `Microsoft.Authorization/roleAssignments/write` +==== + +.Required permissions for creating compute resources +[%collapsible] +==== +* `Microsoft.Compute/availabilitySets/read` +* `Microsoft.Compute/disks/beginGetAccess/action` +* `Microsoft.Compute/disks/delete` +* `Microsoft.Compute/disks/read` +* `Microsoft.Compute/disks/write` +* `Microsoft.Compute/galleries/images/read` +* `Microsoft.Compute/galleries/images/versions/read` +* `Microsoft.Compute/galleries/images/versions/write` +* `Microsoft.Compute/galleries/images/write` +* `Microsoft.Compute/galleries/read` +* `Microsoft.Compute/galleries/write` +* `Microsoft.Compute/snapshots/read` +* `Microsoft.Compute/snapshots/write` +* `Microsoft.Compute/snapshots/delete` +* `Microsoft.Compute/virtualMachines/delete` +* `Microsoft.Compute/virtualMachines/powerOff/action` +* `Microsoft.Compute/virtualMachines/read` +* `Microsoft.Compute/virtualMachines/write` +==== + +.Required permissions for creating identity management resources 
+[%collapsible] +==== +* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` +* `Microsoft.ManagedIdentity/userAssignedIdentities/read` +* `Microsoft.ManagedIdentity/userAssignedIdentities/write` +==== + +.Required permissions for creating network resources +[%collapsible] +==== +* `Microsoft.Network/dnsZones/A/write` +* `Microsoft.Network/dnsZones/CNAME/write` +* `Microsoft.Network/dnszones/CNAME/read` +* `Microsoft.Network/dnszones/read` +* `Microsoft.Network/loadBalancers/backendAddressPools/join/action` +* `Microsoft.Network/loadBalancers/backendAddressPools/read` +* `Microsoft.Network/loadBalancers/backendAddressPools/write` +* `Microsoft.Network/loadBalancers/read` +* `Microsoft.Network/loadBalancers/write` +* `Microsoft.Network/networkInterfaces/delete` +* `Microsoft.Network/networkInterfaces/join/action` +* `Microsoft.Network/networkInterfaces/read` +* `Microsoft.Network/networkInterfaces/write` +* `Microsoft.Network/networkSecurityGroups/join/action` +* `Microsoft.Network/networkSecurityGroups/read` +* `Microsoft.Network/networkSecurityGroups/securityRules/delete` +* `Microsoft.Network/networkSecurityGroups/securityRules/read` +* `Microsoft.Network/networkSecurityGroups/securityRules/write` +* `Microsoft.Network/networkSecurityGroups/write` +* `Microsoft.Network/privateDnsZones/A/read` +* `Microsoft.Network/privateDnsZones/A/write` +* `Microsoft.Network/privateDnsZones/A/delete` +* `Microsoft.Network/privateDnsZones/SOA/read` +* `Microsoft.Network/privateDnsZones/read` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/read` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/write` +* `Microsoft.Network/privateDnsZones/write` +* `Microsoft.Network/publicIPAddresses/delete` +* `Microsoft.Network/publicIPAddresses/join/action` +* `Microsoft.Network/publicIPAddresses/read` +* `Microsoft.Network/publicIPAddresses/write` +* `Microsoft.Network/virtualNetworks/join/action` +* `Microsoft.Network/virtualNetworks/read` +* 
`Microsoft.Network/virtualNetworks/subnets/join/action` +* `Microsoft.Network/virtualNetworks/subnets/read` +* `Microsoft.Network/virtualNetworks/subnets/write` +* `Microsoft.Network/virtualNetworks/write` +==== +[NOTE] +==== +The following permissions are not required to create the private {product-title} cluster on Azure. + +* `Microsoft.Network/dnsZones/A/write` +* `Microsoft.Network/dnsZones/CNAME/write` +* `Microsoft.Network/dnszones/CNAME/read` +* `Microsoft.Network/dnszones/read` +==== + +.Required permissions for checking the health of resources +[%collapsible] +==== +* `Microsoft.Resourcehealth/healthevent/Activated/action` +* `Microsoft.Resourcehealth/healthevent/InProgress/action` +* `Microsoft.Resourcehealth/healthevent/Pending/action` +* `Microsoft.Resourcehealth/healthevent/Resolved/action` +* `Microsoft.Resourcehealth/healthevent/Updated/action` +==== + +.Required permissions for creating a resource group +[%collapsible] +==== +* `Microsoft.Resources/subscriptions/resourceGroups/read` +* `Microsoft.Resources/subscriptions/resourcegroups/write` +==== + +.Required permissions for creating resource tags +[%collapsible] +==== +* `Microsoft.Resources/tags/write` +==== + +.Required permissions for creating storage resources +[%collapsible] +==== +* `Microsoft.Storage/storageAccounts/blobServices/read` +* `Microsoft.Storage/storageAccounts/blobServices/containers/write` +* `Microsoft.Storage/storageAccounts/fileServices/read` +* `Microsoft.Storage/storageAccounts/fileServices/shares/read` +* `Microsoft.Storage/storageAccounts/fileServices/shares/write` +* `Microsoft.Storage/storageAccounts/fileServices/shares/delete` +* `Microsoft.Storage/storageAccounts/listKeys/action` +* `Microsoft.Storage/storageAccounts/read` +* `Microsoft.Storage/storageAccounts/write` +==== + +.Optional permissions for creating marketplace virtual machine resources +[%collapsible] +==== +* `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read` +* 
`Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write` +==== + +.Optional permissions for creating compute resources +[%collapsible] +==== +* `Microsoft.Compute/availabilitySets/write` +* `Microsoft.Compute/images/read` +* `Microsoft.Compute/images/write` +* `Microsoft.Compute/images/delete` +==== + +.Optional permissions for enabling user-managed encryption +[%collapsible] +==== +* `Microsoft.Compute/diskEncryptionSets/read` +* `Microsoft.Compute/diskEncryptionSets/write` +* `Microsoft.Compute/diskEncryptionSets/delete` +* `Microsoft.KeyVault/vaults/read` +* `Microsoft.KeyVault/vaults/write` +* `Microsoft.KeyVault/vaults/delete` +* `Microsoft.KeyVault/vaults/deploy/action` +* `Microsoft.KeyVault/vaults/keys/read` +* `Microsoft.KeyVault/vaults/keys/write` +* `Microsoft.Features/providers/features/register/action` +==== + +.Optional permissions for installing a private cluster with Azure Network Address Translation (NAT) +[%collapsible] +==== +* `Microsoft.Network/natGateways/join/action` +* `Microsoft.Network/natGateways/read` +* `Microsoft.Network/natGateways/write` +==== + +.Optional permissions for installing a private cluster with Azure firewall +[%collapsible] +==== +* `Microsoft.Network/azureFirewalls/applicationRuleCollections/write` +* `Microsoft.Network/azureFirewalls/read` +* `Microsoft.Network/azureFirewalls/write` +* `Microsoft.Network/routeTables/join/action` +* `Microsoft.Network/routeTables/read` +* `Microsoft.Network/routeTables/routes/read` +* `Microsoft.Network/routeTables/routes/write` +* `Microsoft.Network/routeTables/write` +* `Microsoft.Network/virtualNetworks/peer/action` +* `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read` +* `Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write` +==== + +.Optional permission for running gather bootstrap +[%collapsible] +==== +* `Microsoft.Compute/virtualMachines/instanceView/read` +==== + +The following permissions are required for deleting an 
{product-title} cluster on Microsoft Azure. You can use the same permissions to delete a private {product-title} cluster on Azure. + +.Required permissions for deleting authorization resources +[%collapsible] +==== +* `Microsoft.Authorization/roleAssignments/delete` +==== + +.Required permissions for deleting compute resources +[%collapsible] +==== +* `Microsoft.Compute/disks/delete` +* `Microsoft.Compute/galleries/delete` +* `Microsoft.Compute/galleries/images/delete` +* `Microsoft.Compute/galleries/images/versions/delete` +* `Microsoft.Compute/virtualMachines/delete` +==== + +.Required permissions for deleting identity management resources +[%collapsible] +==== +* `Microsoft.ManagedIdentity/userAssignedIdentities/delete` +==== + +.Required permissions for deleting network resources +[%collapsible] +==== +* `Microsoft.Network/dnszones/read` +* `Microsoft.Network/dnsZones/A/read` +* `Microsoft.Network/dnsZones/A/delete` +* `Microsoft.Network/dnsZones/CNAME/read` +* `Microsoft.Network/dnsZones/CNAME/delete` +* `Microsoft.Network/loadBalancers/delete` +* `Microsoft.Network/networkInterfaces/delete` +* `Microsoft.Network/networkSecurityGroups/delete` +* `Microsoft.Network/privateDnsZones/read` +* `Microsoft.Network/privateDnsZones/A/read` +* `Microsoft.Network/privateDnsZones/delete` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete` +* `Microsoft.Network/publicIPAddresses/delete` +* `Microsoft.Network/virtualNetworks/delete` +==== +[NOTE] +==== +The following permissions are not required to delete a private {product-title} cluster on Azure. 
+ +* `Microsoft.Network/dnszones/read` +* `Microsoft.Network/dnsZones/A/read` +* `Microsoft.Network/dnsZones/A/delete` +* `Microsoft.Network/dnsZones/CNAME/read` +* `Microsoft.Network/dnsZones/CNAME/delete` +==== + +.Required permissions for checking the health of resources +[%collapsible] +==== +* `Microsoft.Resourcehealth/healthevent/Activated/action` +* `Microsoft.Resourcehealth/healthevent/Resolved/action` +* `Microsoft.Resourcehealth/healthevent/Updated/action` +==== + +.Required permissions for deleting a resource group +[%collapsible] +==== +* `Microsoft.Resources/subscriptions/resourcegroups/delete` +==== + +.Required permissions for deleting storage resources +[%collapsible] +==== +* `Microsoft.Storage/storageAccounts/delete` +* `Microsoft.Storage/storageAccounts/listKeys/action` +==== + +[NOTE] +==== +To install {product-title} on Azure, you must scope the permissions to your subscription. Later, you can re-scope these permissions to the installer created resource group. If the public DNS zone is present in a different resource group, then the network DNS zone related permissions must always be applied to your subscription. By default, the {product-title} installation program assigns the Azure identity the `Contributor` role. + +You can scope all the permissions to your subscription when deleting an {product-title} cluster. +==== \ No newline at end of file diff --git a/modules/minimum-required-permissions-upi-azure.adoc b/modules/minimum-required-permissions-upi-azure.adoc new file mode 100644 index 000000000000..89a53f5d1d64 --- /dev/null +++ b/modules/minimum-required-permissions-upi-azure.adoc 
@@ -0,0 +1,236 @@ +// Module included in the following assemblies: +// +// * installing/installing_azure/installing-azure-user-infra.adoc + +[id="minimum-required-permissions-upi-azure_{context}"] += Required Azure permissions for user-provisioned infrastructure + +When you assign `Contributor` and `User Access Administrator` roles to the service principal, you automatically grant all the required permissions. + +If your organization's security policies require a more restrictive set of permissions, you can create a link:https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles[custom role] with the necessary permissions. The following permissions are required for creating an {product-title} cluster on Microsoft Azure. + +.Required permissions for creating authorization resources +[%collapsible] +==== +* `Microsoft.Authorization/policies/audit/action` +* `Microsoft.Authorization/policies/auditIfNotExists/action` +* `Microsoft.Authorization/roleAssignments/read` +* `Microsoft.Authorization/roleAssignments/write` +==== + +.Required permissions for creating compute resources +[%collapsible] +==== +* `Microsoft.Compute/images/read` +* `Microsoft.Compute/images/write` +* `Microsoft.Compute/images/delete` +* `Microsoft.Compute/availabilitySets/read` +* `Microsoft.Compute/disks/beginGetAccess/action` +* `Microsoft.Compute/disks/delete` +* `Microsoft.Compute/disks/read` +* `Microsoft.Compute/disks/write` +* `Microsoft.Compute/galleries/images/read` +* `Microsoft.Compute/galleries/images/versions/read` +* `Microsoft.Compute/galleries/images/versions/write` +* `Microsoft.Compute/galleries/images/write` +* `Microsoft.Compute/galleries/read` +* `Microsoft.Compute/galleries/write` +* `Microsoft.Compute/snapshots/read` +* `Microsoft.Compute/snapshots/write` +* `Microsoft.Compute/snapshots/delete` +* `Microsoft.Compute/virtualMachines/delete` +* `Microsoft.Compute/virtualMachines/powerOff/action` +* `Microsoft.Compute/virtualMachines/read` +* 
`Microsoft.Compute/virtualMachines/write` +* `Microsoft.Compute/virtualMachines/deallocate/action` +==== + +.Required permissions for creating identity management resources +[%collapsible] +==== +* `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` +* `Microsoft.ManagedIdentity/userAssignedIdentities/read` +* `Microsoft.ManagedIdentity/userAssignedIdentities/write` +==== + +.Required permissions for creating network resources +[%collapsible] +==== +* `Microsoft.Network/dnsZones/A/write` +* `Microsoft.Network/dnsZones/CNAME/write` +* `Microsoft.Network/dnszones/CNAME/read` +* `Microsoft.Network/dnszones/read` +* `Microsoft.Network/loadBalancers/backendAddressPools/join/action` +* `Microsoft.Network/loadBalancers/backendAddressPools/read` +* `Microsoft.Network/loadBalancers/backendAddressPools/write` +* `Microsoft.Network/loadBalancers/read` +* `Microsoft.Network/loadBalancers/write` +* `Microsoft.Network/networkInterfaces/delete` +* `Microsoft.Network/networkInterfaces/join/action` +* `Microsoft.Network/networkInterfaces/read` +* `Microsoft.Network/networkInterfaces/write` +* `Microsoft.Network/networkSecurityGroups/join/action` +* `Microsoft.Network/networkSecurityGroups/read` +* `Microsoft.Network/networkSecurityGroups/securityRules/delete` +* `Microsoft.Network/networkSecurityGroups/securityRules/read` +* `Microsoft.Network/networkSecurityGroups/securityRules/write` +* `Microsoft.Network/networkSecurityGroups/write` +* `Microsoft.Network/privateDnsZones/A/read` +* `Microsoft.Network/privateDnsZones/A/write` +* `Microsoft.Network/privateDnsZones/A/delete` +* `Microsoft.Network/privateDnsZones/SOA/read` +* `Microsoft.Network/privateDnsZones/read` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/read` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/write` +* `Microsoft.Network/privateDnsZones/write` +* `Microsoft.Network/publicIPAddresses/delete` +* `Microsoft.Network/publicIPAddresses/join/action` +* 
`Microsoft.Network/publicIPAddresses/read` +* `Microsoft.Network/publicIPAddresses/write` +* `Microsoft.Network/virtualNetworks/join/action` +* `Microsoft.Network/virtualNetworks/read` +* `Microsoft.Network/virtualNetworks/subnets/join/action` +* `Microsoft.Network/virtualNetworks/subnets/read` +* `Microsoft.Network/virtualNetworks/subnets/write` +* `Microsoft.Network/virtualNetworks/write` +==== + +.Required permissions for checking the health of resources +[%collapsible] +==== +* `Microsoft.Resourcehealth/healthevent/Activated/action` +* `Microsoft.Resourcehealth/healthevent/InProgress/action` +* `Microsoft.Resourcehealth/healthevent/Pending/action` +* `Microsoft.Resourcehealth/healthevent/Resolved/action` +* `Microsoft.Resourcehealth/healthevent/Updated/action` +==== + +.Required permissions for creating a resource group +[%collapsible] +==== +* `Microsoft.Resources/subscriptions/resourceGroups/read` +* `Microsoft.Resources/subscriptions/resourcegroups/write` +==== + +.Required permissions for creating resource tags +[%collapsible] +==== +* `Microsoft.Resources/tags/write` +==== + +.Required permissions for creating storage resources +[%collapsible] +==== +* `Microsoft.Storage/storageAccounts/blobServices/read` +* `Microsoft.Storage/storageAccounts/blobServices/containers/write` +* `Microsoft.Storage/storageAccounts/fileServices/read` +* `Microsoft.Storage/storageAccounts/fileServices/shares/read` +* `Microsoft.Storage/storageAccounts/fileServices/shares/write` +* `Microsoft.Storage/storageAccounts/fileServices/shares/delete` +* `Microsoft.Storage/storageAccounts/listKeys/action` +* `Microsoft.Storage/storageAccounts/read` +* `Microsoft.Storage/storageAccounts/write` +==== + +.Required permissions for creating deployments +[%collapsible] +==== +* `Microsoft.Resources/deployments/read` +* `Microsoft.Resources/deployments/write` +* `Microsoft.Resources/deployments/validate/action` +* `Microsoft.Resources/deployments/operationstatuses/read` +==== + +.Optional 
permissions for creating marketplace virtual machine resources +[%collapsible] +==== +* `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read` +* `Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write` +==== + +.Optional permissions for enabling user-managed encryption +[%collapsible] +==== +* `Microsoft.Compute/diskEncryptionSets/read` +* `Microsoft.Compute/diskEncryptionSets/write` +* `Microsoft.Compute/diskEncryptionSets/delete` +* `Microsoft.KeyVault/vaults/read` +* `Microsoft.KeyVault/vaults/write` +* `Microsoft.KeyVault/vaults/delete` +* `Microsoft.KeyVault/vaults/deploy/action` +* `Microsoft.KeyVault/vaults/keys/read` +* `Microsoft.KeyVault/vaults/keys/write` +* `Microsoft.Features/providers/features/register/action` +==== + +The following permissions are required for deleting an {product-title} cluster on Microsoft Azure. + +.Required permissions for deleting authorization resources +[%collapsible] +==== +* `Microsoft.Authorization/roleAssignments/delete` +==== + +.Required permissions for deleting compute resources +[%collapsible] +==== +* `Microsoft.Compute/disks/delete` +* `Microsoft.Compute/galleries/delete` +* `Microsoft.Compute/galleries/images/delete` +* `Microsoft.Compute/galleries/images/versions/delete` +* `Microsoft.Compute/virtualMachines/delete` +* `Microsoft.Compute/images/delete` +==== + +.Required permissions for deleting identity management resources +[%collapsible] +==== +* `Microsoft.ManagedIdentity/userAssignedIdentities/delete` +==== + +.Required permissions for deleting network resources +[%collapsible] +==== +* `Microsoft.Network/dnszones/read` +* `Microsoft.Network/dnsZones/A/read` +* `Microsoft.Network/dnsZones/A/delete` +* `Microsoft.Network/dnsZones/CNAME/read` +* `Microsoft.Network/dnsZones/CNAME/delete` +* `Microsoft.Network/loadBalancers/delete` +* `Microsoft.Network/networkInterfaces/delete` +* `Microsoft.Network/networkSecurityGroups/delete` +* 
`Microsoft.Network/privateDnsZones/read` +* `Microsoft.Network/privateDnsZones/A/read` +* `Microsoft.Network/privateDnsZones/delete` +* `Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete` +* `Microsoft.Network/publicIPAddresses/delete` +* `Microsoft.Network/virtualNetworks/delete` +==== + +.Required permissions for checking the health of resources +[%collapsible] +==== +* `Microsoft.Resourcehealth/healthevent/Activated/action` +* `Microsoft.Resourcehealth/healthevent/Resolved/action` +* `Microsoft.Resourcehealth/healthevent/Updated/action` +==== + +.Required permissions for deleting a resource group +[%collapsible] +==== +* `Microsoft.Resources/subscriptions/resourcegroups/delete` +==== + +.Required permissions for deleting storage resources +[%collapsible] +==== +* `Microsoft.Storage/storageAccounts/delete` +* `Microsoft.Storage/storageAccounts/listKeys/action` +==== + +[NOTE] +==== +To install {product-title} on Azure, you must scope the permissions related to resource group creation to your subscription. After the resource group is created, you can scope the rest of the permissions to the created resource group. If the public DNS zone is present in a different resource group, then the network DNS zone related permissions must always be applied to your subscription. + +You can scope all the permissions to your subscription when deleting an {product-title} cluster. +==== \ No newline at end of file
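Review bot: in the modules/installation-azure-create-resource-group-and-identity.adoc hunk, the unconditional `az role assignment create --assignee "${PRINCIPAL_ID}" --role 'Contributor' --scope "${RESOURCE_GROUP_ID}"` step still runs before the new NOTE, and the NOTE says "If you want to assign a custom role ... run the following command" without saying "instead". A reader following it literally ends up with both `Contributor` and the custom role on the identity, which defeats the purpose of the restricted role. Phrase the NOTE as an alternative ("Instead of assigning `Contributor`, run ...") or split the step into two explicit options, and state that the preceding `Contributor` command is skipped when the custom role is used.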
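Review bot: in the modules/installation-azure-finalizing-encryption.adoc hunks, callout `<2>` of the new `ifdef::azure-public[]` branch says "a custom role with the necessary permissions" but names no Azure action that the cluster service principal needs on the disk encryption set, so a reader building a restricted role has nothing to work from. The only encryption-related list this PR adds ("Optional permissions for enabling user-managed encryption" in minimum-required-permissions-ipi-azure.adoc) is for the installer's principal creating the disk encryption set and Key Vault, not for the cluster principal that consumes them; either list the actions the cluster principal needs here or point at where they are documented. Separately, setting `:azure-public:` for the `installing-azure-private` context reads as a contradiction; an attribute named for the behaviour it enables (for example `azure-custom-role`) would be clearer than one named for a cluster type.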
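Review bot: in the `@@ -191,12 +233,13 @@` hunk of modules/installation-azure-service-principal.adoc, the rewritten step text renames the role to `User Administrator Access`. The Azure built-in role is `User Access Administrator`, which is what the removed line said and what modules/installation-azure-permissions.adoc lists, so the sentence no longer matches the role the command below it assigns. Restore `User Access Administrator`; the added "If you applied the `Contributor` role to your service principal" condition is correct and should stay.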
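Review bot: the closing NOTE of the new modules/minimum-required-permissions-ipi-azure.adoc tells readers to scope the custom role to the subscription and that they "can" re-scope it later, but the "Required permissions for creating authorization resources" list includes `Microsoft.Authorization/roleAssignments/write`. At subscription scope that action lets the holder create any role assignment in the subscription, including granting itself `Owner`, so the "more restrictive set of permissions" the module promises is not materially narrower than `User Access Administrator` until it is re-scoped to the cluster resource group. Say this explicitly in the NOTE and make re-scoping a required step rather than optional. Also, action names mix case within the same list (`Microsoft.Network/dnsZones/A/write` next to `Microsoft.Network/dnszones/read`, `Microsoft.Resources/subscriptions/resourceGroups/read` next to `Microsoft.Resources/subscriptions/resourcegroups/write`); normalise them so a role definition copied from the page is easy to diff against `az role definition list` output.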
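Review bot: the new modules/minimum-required-permissions-upi-azure.adoc repeats almost all of the IPI module with small deltas (adds `Microsoft.Compute/virtualMachines/deallocate/action`, moves `Microsoft.Compute/images/*` from optional to required, adds the "Required permissions for creating deployments" block, and drops the NAT gateway, Azure firewall and gather-bootstrap optional blocks), so the two lists will drift the first time a permission changes in only one of them. Prefer a single module with `ifdef::ipi[]`/`ifdef::upi[]` around the deltas; this PR already introduces exactly those attributes in modules/installation-azure-service-principal.adoc. The closing NOTE here has the same weakness as the IPI one: with `Microsoft.Authorization/roleAssignments/write` scoped to the subscription the principal can grant itself any role, so the text should state that and require re-scoping to the resource group once it exists.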