Backfitting permissions from New-AzRoleAssignment (Failed) #125
Hi there. I have the exact problem described in the troubleshooting guide for New-AzRoleAssignment (Failed). It's not feasible for me to deploy IPAM as an AAD Global Admin or with role assignment write on the tenant root. What action can I take post deployment to backfit this permission to the IPAM solution? The part that errors in the deploy script is a role assignment for the engine application. Can that be given the role assignment post deployment over the tenant root group to resolve the permissions problem?
Replies: 1 comment 2 replies
Hi @GeordieGuy, thanks for reaching out on the discussions!

The "Global Admin" component only really comes into play when the script attempts to grant Admin Consent to the App Registrations. The issue you're running into appears to be that you don't have the appropriate permissions at the Tenant Root Group to assign "Reader" to the IPAM Engine App Registration (if I'm understanding your problem correctly).

We have a 2-part deployment option, where in the first part, a team within your organization can deploy the App Registrations on your behalf, and that will output a Parameters file you can feed into the second step where the Azure infrastructure is deployed.

Two Part Deployment:

In your case, I'm hypothesizing that the correct API Permissions were assigned to the App Registrations, but the Engine App Registration couldn't be assigned "Reader" at the Tenant Root Group, and most likely the Admin Consent wasn't granted for the API Permissions on the App Registrations.

I hope that helps (at least a little). If not I'm more than happy to elaborate a bit more, or help you personally in a 1:1 session. Just let me know how else we can be of assistance to you!
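One way to do the post-deployment backfit the question asks about, shown as an added example rather than code from the Azure IPAM project or from either participant: it grants "Reader" at the Tenant Root Group to the Engine App Registration's service principal with the Az PowerShell modules. It assumes the Engine app's Application (client) ID is known (a placeholder is used) and relies on the fact that the Tenant Root Group's management group name is the tenant ID.

```powershell
# Added example (not from the IPAM project): grant "Reader" at the Tenant Root
# Group to the IPAM Engine App Registration after deployment. Requires the
# Az.Accounts and Az.Resources modules and an account that can write role
# assignments at that scope (e.g. Owner or User Access Administrator on the
# Tenant Root Group). Values in <angle brackets> are placeholders.

$EngineAppId = '<engine-app-registration-client-id>'   # placeholder, replace

Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# The Tenant Root Group's management group name equals the tenant ID.
$scope = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Role assignments bind to the service principal (enterprise application),
# not to the app registration object, so resolve the SP from the app ID.
$sp = Get-AzADServicePrincipal -ApplicationId $EngineAppId
if (-not $sp) { throw "No service principal found for application ID $EngineAppId" }

# Idempotent: re-running the deploy script or this snippet should not
# create a duplicate assignment, so check for an existing one first.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope `
    -RoleDefinitionName 'Reader' -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Host "Reader is already assigned to $($sp.DisplayName) at $scope"
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope
}

# Verify the assignment exactly at the Tenant Root Group scope (not inherited).
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq 'Reader' } |
    Format-Table DisplayName, RoleDefinitionName, Scope
```

Admin Consent for the App Registrations' API permissions is a separate step that this snippet does not perform; it still needs an account that can grant tenant-wide consent.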