Does anyone else get error when creating Azure IPAM Engine Service Principle?

[jonprattC78]

I get this error when deploying the IPAM project (FULL)

New-AzRoleAssignment: /Users/[email protected]/.local/share/powershell/Modules/Az.Resources/6.1.0/MSGraph.Autorest/custom/New-AzADServicePrincipal.ps1:752
Line |
752 | $ra = New-AzRoleAssignment @param
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Operation returned an invalid status code 'Forbidden'

IPAM still deploys and appears to work as expected (still testing) but I wondered if anyone else had encountered this error and/or knew how to fix it?

[DCMattyG]

Hi @jonprattC78. Have you double-checked the prerequisites section found here:

https://azure.github.io/ipam/#/deployment/README?id=prerequisites

The user you deploy the IPAM solution with needs to be able to change RBAC at the Root Management Group level, so you would need to be Owner, User Access Admin, or some equivalent Custom Role.

That line you highlighted above it attempting to assign "Reader" permissions at the scope "/", and of course if you don't have permissions to do so, it will fail.

For paradigms where one user doesn't have enough permissions to both create & assign Service Principal role, and deploy the Azure Infrastructure, we offer a two-part deployment in which the appropriate team can deploy the SP's and assign their roles, then pass a generated parameters file to the team responsible for Azure Infrastructure to complete the deployment.

Apps Only Deploy: https://azure.github.io/ipam/#/deployment/README?id=app-registration-only-deployment
Infra Only Deploy: https://azure.github.io/ipam/#/deployment/README?id=infrastructure-stack-only-deployment

Hope that helps. As always, please let me know if you're still having issues and we'll do what we can to make sure that you're well taken care of!

[jonprattC78]

Thanks for the quick reply. I was not noticing my Owner account did not permissions on the Tennant root level. Have corrected that and given the user I am running the deployment OWNER on the root group.

Now I get a different (never seen before) set of errors

INFO: Creating Azure IPAM UI Application
New-AzADApplication_CreateExpanded: /Users/[email protected]/.local/share/powershell/Modules/Az.Resources/6.1.0/MSGraph.Autorest/custom/New-AzADApplication.ps1:689
Line |
689 | $app = Az.MSGraph.internal\New-AzADApplication @PSBoundParameters
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| User not found

INFO: Creating Azure IPAM Engine Application
New-AzADApplication_CreateExpanded: /Users/[email protected]/.local/share/powershell/Modules/Az.Resources/6.1.0/MSGraph.Autorest/custom/New-AzADApplication.ps1:689
Line |
689 | $app = Az.MSGraph.internal\New-AzADApplication @PSBoundParameters
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| User not found

[DCMattyG]

Thanks for these details @jonprattC78, this is an error I have not seen yet.

Two thoughts (at the moment)...

1. When assigning permissions in Azure, sometimes those can take a few minutes to replicate, so I'm not sure how long you waited after the role assignment and running the deployment again.
2. If you added the role assignment and did NOT re-connect/authenticate to Azure PowerShell, it's likely you have an older auth token. You could try running Disconnect-AzAccount, followed by Connect-AzAccount again to refresh the token.

Perhaps you could trying one or more of the above, and update me with any progress. Otherwise, happy to help troubleshoot this further as required.

[jonprattC78]

Thanks @DCMattyG - clear out the auth token and re-auth'd as suggested.
First deployment without any red errors - so that's really great.
Thank you for being so responsive!

[DCMattyG]

You bet, happy to help with anything else you need!