Does anyone else get error when creating Azure IPAM Engine Service Principal? #45
-
I get this error when deploying the IPAM project (FULL):

New-AzRoleAssignment: /Users/[email protected]/.local/share/powershell/Modules/Az.Resources/6.1.0/MSGraph.Autorest/custom/New-AzADServicePrincipal.ps1:752

IPAM still deploys and appears to work as expected (still testing), but I wondered if anyone else had encountered this error and/or knew how to fix it?
-
Hi @jonprattC78. Have you double-checked the prerequisites section found here: https://azure.github.io/ipam/#/deployment/README?id=prerequisites

The user you deploy the IPAM solution with needs to be able to change RBAC at the Root Management Group level, so you would need to be Owner, User Access Admin, or some equivalent Custom Role.

That line you highlighted above is attempting to assign "Reader" permissions at the scope "/", and of course if you don't have permissions to do so, it will fail.

For paradigms where one user doesn't have enough permissions to both create & assign Service Principal roles and deploy the Azure Infrastructure, we offer a two-part deployment in which the appropriate team can deploy the SPs and assign their roles, then pass a generated parameters file to the team responsible for Azure Infrastructure to complete the deployment.

Apps Only Deploy: https://azure.github.io/ipam/#/deployment/README?id=app-registration-only-deployment

Hope that helps. As always, please let me know if you're still having issues and we'll do what we can to make sure that you're well taken care of!
-
Thanks @DCMattyG - cleared out the auth token and re-auth'd as suggested.
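The answer above says the deploy script fails when it tries to assign Reader at scope "/" and the deploying identity cannot write role assignments there, and the thread was resolved by clearing the cached token and signing in again. The following PowerShell pre-flight check is an added example written for this page; it is not code from the Azure IPAM project or its maintainers. It assumes the Az.Accounts and Az.Resources modules are installed, that Connect-AzAccount has already been run in the session, and that the signed-in account is a user (for a service principal, swap -SignInName for -ObjectId). The helper names Test-ActionAllowed and Test-RootRoleAssignmentWrite are this example's own.

```powershell
# Added example, not part of the Azure IPAM project.
# Checks whether the signed-in identity holds a role at the root scope "/"
# that grants Microsoft.Authorization/roleAssignments/write, which is what
# New-AzRoleAssignment -Scope "/" needs. Assumes Az.Accounts + Az.Resources
# are installed and Connect-AzAccount has already been run.

function Test-ActionAllowed {
    # Azure RBAC evaluation for one action against a role definition:
    # the action must match some entry in Actions (wildcards allowed,
    # '*' covers everything) and must not match any entry in NotActions.
    param(
        [string]   $Action,
        [string[]] $Actions,
        [string[]] $NotActions
    )
    $granted = @($Actions    | Where-Object { $Action -like $_ })
    $denied  = @($NotActions | Where-Object { $Action -like $_ })
    return ($granted.Count -gt 0) -and ($denied.Count -eq 0)
}

function Test-RootRoleAssignmentWrite {
    param(
        [string] $Action = 'Microsoft.Authorization/roleAssignments/write'
    )

    $ctx = Get-AzContext
    if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }

    try {
        # -ExpandPrincipalGroups also returns roles inherited via group
        # membership, which is how Owner/UAA at "/" is often granted.
        $assignments = Get-AzRoleAssignment -Scope '/' `
            -SignInName $ctx.Account.Id -ExpandPrincipalGroups
    }
    catch {
        # Not even roleAssignments/read at "/" already answers the question.
        Write-Warning "Cannot read role assignments at '/': $($_.Exception.Message)"
        return $false
    }

    $allowed = $false
    foreach ($ra in $assignments) {
        # Resolve by ID rather than name so custom roles with reused
        # display names are evaluated correctly.
        $def = Get-AzRoleDefinition -Id $ra.RoleDefinitionId
        if (Test-ActionAllowed -Action $Action `
                -Actions $def.Actions -NotActions $def.NotActions) {
            Write-Host "OK: '$($ra.RoleDefinitionName)' at '$($ra.Scope)' grants $Action"
            $allowed = $true
        }
    }

    if (-not $allowed) {
        Write-Warning ("No role at '/' grants $Action for $($ctx.Account.Id). " +
            "Use Owner / User Access Administrator (or an equivalent custom role), " +
            "or hand the SP creation to a team that has it via the " +
            "app-registration-only deployment.")
    }
    return $allowed
}

# Usage: run before launching the IPAM deploy script.
# If this returns $true but New-AzRoleAssignment still fails, the cached
# token may predate the role grant; re-establish the session as the thread
# did:  Disconnect-AzAccount; Clear-AzContext -Force; Connect-AzAccount
Test-RootRoleAssignmentWrite
```

Owner (Actions = "*") and User Access Administrator (Actions include "Microsoft.Authorization/*") both pass this check; Reader ("*/read") and Contributor (which lists Microsoft.Authorization/*/Write under NotActions) do not, which is exactly the line the deploy script trips over.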