Azure has defined three RBAC roles regarding virtual machines: Virtual Machine Administrator Login, Virtual Machine Contributor, and Virtual Machine User Login. For the moment, it seems that the two ‘Login’ roles are only applicable to Linux virtual machines (Preview: Log in to a Linux virtual machine in Azure using Azure Active Directory authentication http://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad).
By definition, the “Virtual Machine Contributor” role is used to manage a virtual machine, but without access to the VM. Access to a Windows VM requires the use of local accounts defined on the VM through RDP sessions. However, Azure provides a few remote-access capabilities for a Windows VM directly from the Azure side, for example running any PowerShell script through the Custom Script Extension. As long as an AAD user has been assigned the Virtual Machine Contributor role, he/she can run PowerShell scripts on a Windows VM with ‘NT AUTHORITY\SYSTEM’ privilege. Is this not full access to the VM?
An AAD user with the Virtual Machine Contributor role can also reset the local administrator password through the VMAccess extension. With the local admin password, he/she can also access the VM through RDP.
Why is the “Virtual Machine Contributor” role defined/claimed as being for management purposes only, without access?
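The two paths the question describes, written out as an added example with the Az PowerShell module; this is not code from the original post or from Microsoft's documentation. It assumes the Az.Compute, Az.Resources and Az.Monitor modules are installed, that the session is already signed in with an account holding Virtual Machine Contributor on the target VM, and that the resource group, VM and local account names are placeholders to be replaced. The Activity Log query at the end is the check a defender would run, since both operations are extension writes on the VM resource rather than anything visible from inside the guest.

```powershell
# Added example (not from the original post): exercising the Custom Script
# Extension and VMAccess paths with the Az module, then looking for them in the
# Activity Log. Names below are placeholders, not real resources.

$ResourceGroup = 'rg-example'
$VMName        = 'vm-win-example'
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VMName

# 0. Who holds Virtual Machine Contributor on this VM? Assignments inherited from
#    resource-group or subscription scope are included.
Get-AzRoleAssignment -Scope $vm.Id -RoleDefinitionName 'Virtual Machine Contributor' |
    Select-Object DisplayName, SignInName, ObjectType, Scope

# 1. Custom Script Extension: commandToExecute runs inside the guest as
#    NT AUTHORITY\SYSTEM. This command records the account it runs under so the
#    claim can be checked afterwards.
$cmd = 'powershell.exe -ExecutionPolicy Bypass -Command "whoami | Out-File C:\Windows\Temp\cse-whoami.txt"'
Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Location $vm.Location `
    -Name 'CustomScriptExtension' -Publisher 'Microsoft.Compute' `
    -ExtensionType 'CustomScriptExtension' -TypeHandlerVersion '1.10' `
    -Settings @{ commandToExecute = $cmd }

# The extension's stdout/stderr is surfaced through the instance view, so no
# guest credential is needed to read results either.
(Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName `
    -Name 'CustomScriptExtension' -Status).SubStatuses |
    Select-Object Code, Message

# 2. VMAccess extension: reset the password of an existing local account.
#    Only the ARM-level role is required; the guest's own credentials are never used.
$adminUser   = 'localadmin'   # placeholder; must be an existing local account on the VM
$newPassword = Read-Host -AsSecureString -Prompt "New password for $adminUser"
$cred = New-Object System.Management.Automation.PSCredential ($adminUser, $newPassword)
Set-AzVMAccessExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Location $vm.Location `
    -Name 'VMAccessAgent' -TypeHandlerVersion '2.0' -Credential $cred

# 3. Detection: both operations appear in the Activity Log as extension writes on
#    the VM resource, attributed to the caller's AAD identity.
Get-AzActivityLog -ResourceId $vm.Id -StartTime (Get-Date).AddDays(-1) |
    Where-Object { $_.OperationName.Value -like 'Microsoft.Compute/virtualMachines/extensions/*' } |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'Status';    e = { $_.Status.Value } }
```

Nothing in steps 1 and 2 touches the guest's own accounts until the extension runs, which is the point of the question: the role grants no RDP credential, but it grants the control-plane writes that produce one. The step-3 filter is therefore the useful alert condition for this role, and it is worth alerting on `extensions/write` for `CustomScriptExtension` and `VMAccessAgent` specifically, since those are the two extensions that hand over guest execution.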