Backfitting permissions from New-AzRoleAssignment (Failed) #125
-
|
Hi there. I have the exact problem described in the troubleshooting guide for New-AzRoleAssignment (Failed). It's not feasible for me to be able to deploy IPAM as an AAD Global Admin or with role assignments write on the tenant root. What action can I take post deployment to backfit this permission to the IPAM solution? The part that errors in the deploy script is a role assignment for the engine application. Can that be given the role assignment post deployment over the tenant root group to resolve the permissions problem? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi @GeordieGuy, thanks for reaching out on the discussions! The "Global Admin" component only really comes into play when the script attempts to grant Admin Consent to the App Registrations. The issue you're running into appears to be that you don't have the appropriate permissions at the Tenant Root Group to assign "Reader" to the IPAM Engine App Registration (if I'm understanding your problem correctly). We have a 2-part deployment option, where in the first part, a team within your organization can deploy the App Registrations on your behalf, and that will output a Parameters file you can feed into the second step where the Azure infrastructure is deployed. Two Part Deployment: In your case, I'm hypothesizing that the correct API Permissions were assigned to the App Registrations, but the Engine App Registration couldn't be assigned "Reader" at the Tenant Root Group, and most likely the Admin Consent wasn't granted for the API Permissions on the App Registrations. I hope that helps (at least a little). If not I'm more than happy to elaborate a bit more, or help you personally in a 1:1 session. Just let me know how else we can be of assistance to you! |
Beta Was this translation helpful? Give feedback.
-
|
Hey @DCMattyG I have access to assign permissions to my intermediate root group, but not the root itself? We have a root, and intermediate (new) and a legacy intermediate we are migrating out from. Would it be possible that the engine app can be granted permission to the (new) intermediate root only? I do not want to manage any VNet's in the legacy group, so I have no problem not being able to see any of those. Many Thanks |
Beta Was this translation helpful? Give feedback.
-
|
Good morning @Jtayta, this should be easily do-able. The Engine Service Principal has Reader permission to the Root Management Group. You should be able to remove that and add the SPN as a Reader on the target Management Group. Note: Sometimes permissions in Azure take a little bit to propagate (as I'm sure you know), so once you make the changes please allow a few minutes for replication and then give it a try. If you like some 1:1 assistance with making this change, also happy to schedule some time with you for a Teams meeting. Just let me know! |
Beta Was this translation helpful? Give feedback.
Hi @GeordieGuy, thanks for reaching out on the discussions!
The "Global Admin" component only really comes into play when the script attempts to grant Admin Consent to the App Registrations. The issue you're running into appears to be that you don't have the appropriate permissions at the Tenant Root Group to assign "Reader" to the IPAM Engine App Registration (if I'm understanding your problem correctly).
We have a 2-part deployment option, where in the first part, a team within your organization can deploy the App Registrations on your behalf, and that will output a Parameters file you can feed into the second step where the Azure infrastructure is deployed.
Two Part Deployment:
Deploym…