Offer granular RBAC for virtualMachine serial console access
As confirmed via Support Case 119052326000457, there is one, and only one, method to grant access to a VM's serial console, which is to obtain the Virtual Machine Contributor role, which may be a lot more privileged than an individual may need to do their job.
Within our organization it is important to follow the principles of least privilege wherever feasible. As such we want to be able to grant a support team access to a VM's serial console without that same team being able to make IaaS config changes to the VM (shutdown, reconfigure, etc.). This would help prevent situations where a malicious actor can do more harm more quickly because of the wide-ranging permissions allotted to one particular role.
Unlike the Run Command feature, the Serial Console is a lot more intuitive and faster to use in an interactive fashion for many emergency situations, and while the Run Command has granular permissions associated with it (i.e. Microsoft.Compute/virtualMachines/runCommand/action), the Serial Console does not, which is a disappointment and ought to be changed to offer access via a permission such as Microsoft.Compute/virtualMachines/serialConsole/run.
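As an added illustration, not part of the original post: a custom Azure RBAC role definition that grants only VM read plus the Run Command action the post mentions, without the write, delete or power actions bundled into Virtual Machine Contributor. The Serial Console action proposed above does not exist at the time of the post and is therefore left out; the role name, description and subscription id are placeholders.

```json
{
  "Name": "VM Run Command Operator (example)",
  "IsCustom": true,
  "Description": "Read VMs and invoke Run Command; no VM configuration or power actions.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>"
  ]
}
```

Run Command still executes scripts as root or SYSTEM inside the guest, so this role narrows control-plane rights, not guest-level impact; invocations are recorded in the subscription activity log under the runCommand action and should be monitored accordingly.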
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
This should be expanded for more granular controls of other areas.
For example, creating/resetting a password or SSH key via the "Reset Password" blade should be RBACable. If we want to enforce that all our users use SSH certificates, this provides another way for them to try and get around it.