
I'm trying to create Management Groups using the Azure Landing Zones bicep template as follows:

az deployment tenant create --location westeurope --template-file managementGroups.bicep

However, I'm getting the following error:

The client 'xxx' with object id 'yyy' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/managementGroups' or the scope is invalid.

For deployment I'm using a dedicated service principal (AAD Application Registration), which has an "Owner" role assigned at the level of the "Tenant Root Group" management group.

I also tried creating a custom RBAC role with action 'Microsoft.Resources/deployments/validate/action' and scope '/providers/Microsoft.Resources/deployments/managementGroups' but it's invalid. It only allows the scope '/providers/Microsoft.Resources/deployments/managementGroups/id-of-root-mg'.

What is strange is that when I execute the template using my personal account (not the AAD application), which also is an Owner at the "Tenant Root Group", then it works.

filip

1 Answer


At the management group level, give your service principal the Owner role to grant it the necessary permissions to deploy the Bicep template.

And also, you can create a custom role and assign the appropriate permissions as you already did. Instead of deploying it through the template or Portal, try using Azure PowerShell as shown below.

# New-AzRoleDefinition takes a PSRoleDefinition object (-Role) or a JSON file (-InputFile), not -Name/-Actions,
# so build the definition from an existing role first.
$roleDef = Get-AzRoleDefinition -Name "Reader"
$roleDef.Id = $null                      # a new Id is generated on creation
$roleDef.Name = "CustomRole"
$roleDef.Description = "xxx"
$roleDef.Actions.Clear()
$roleDef.Actions.Add("Microsoft.Resources/deployments/validate/action")
$roleDef.Actions.Add("Microsoft.Resources/deployments/write")
$roleDef.AssignableScopes.Clear()
$roleDef.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups/<managementGroupName>")
New-AzRoleDefinition -Role $roleDef
New-AzRoleAssignment -ObjectId (Get-AzADServicePrincipal -DisplayName "<servicePrincipalName>").Id -RoleDefinitionName "CustomRole" -Scope "/providers/Microsoft.Management/managementGroups/<managementGroupName>"

Refer to this article by @CODING WITH TAZ for a better understanding of the bicep template for creating and deploying the management groups.

when I execute the template using my personal account (not aad application), which also is an Owner at the "Tenant Root Group", then it works.

Regarding this issue, check if any restrictions or firewalls are blocking deployments by other tenant roots in the same subscription. Check with the administrator for the restricted privileges.

Jahnavi
  • What actually helped was assigning Owner role with az cli: az role assignment create --scope '/' --role 'Owner' --assignee-object-id It seems assigning via portal on the root management group level wasn't enough. – filip Jul 18 '23 at 19:22
  • Yes, either CLI or PowerShell commands helps to sort out these kind of issues. @filip – Jahnavi Jul 19 '23 at 03:43
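The thread above ends with the observation that an Owner assignment on the Tenant Root Group management group was not enough, while an assignment at scope '/' was. A tenant-level deployment (az deployment tenant create) is authorized against the tenant scope '/', and '/providers/Microsoft.Resources/deployments/...' is not a descendant of the root management group, so only assignments made with scope '/' count. The following Azure PowerShell script is an added diagnostic, not code from the question, the answer or the Azure Landing Zones project: it lists the service principal's assignments at '/', checks whether the roles assigned there grant the actions the deployment needs, and, if so, runs a validate-only deployment so the authorization error surfaces before anything is created. The two deployment actions come from the page; the other listed actions, the role check logic, the placeholder names and the function Test-ActionGranted are assumptions of this example.

```powershell
# Added diagnostic (not from the question or answer). Requires Az.Accounts and Az.Resources
# and a prior Connect-AzAccount as a user allowed to read role assignments at '/'.
# Values in <...> are placeholders to replace.
param(
    [string]$SpDisplayName = "<servicePrincipalName>",    # placeholder
    [string]$TemplateFile  = "./managementGroups.bicep",  # file name from the question
    [string]$Location      = "westeurope"                 # location from the question
)

# Actions a tenant-scope deployment that creates management groups exercises.
# The first two appear in the thread; the remaining three are assumed, standard actions.
$RequiredActions = @(
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Management/managementGroups/write"
)

# Tenant-level deployments are authorized at the tenant scope, not at the root management group.
$DeploymentScope = "/"

function Test-ActionGranted {
    param([string]$Action, [string[]]$Allowed, [string[]]$Denied)
    # Azure RBAC wildcards ('*', e.g. Owner's Actions = "*") map directly onto -like patterns.
    $hit  = $Allowed | Where-Object { $Action -like $_ } | Select-Object -First 1
    $deny = $Denied  | Where-Object { $Action -like $_ } | Select-Object -First 1
    return (([bool]$hit) -and (-not [bool]$deny))
}

$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "Service principal '$SpDisplayName' not found." }

# Only assignments whose scope is exactly '/' apply to a tenant-level deployment.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id | Where-Object { $_.Scope -eq $DeploymentScope }
if (-not $assignments) {
    Write-Warning ("No role assignments for '{0}' at scope '{1}'. An Owner assignment on the " +
                   "Tenant Root Group management group does not cover tenant-level deployments.") -f $sp.DisplayName, $DeploymentScope
}

# Union the Actions / NotActions of every role definition assigned at '/'.
$allowed = @(); $denied = @()
foreach ($ra in $assignments) {
    $def = Get-AzRoleDefinition -Id $ra.RoleDefinitionId
    Write-Host ("Assigned at '{0}': {1}" -f $ra.Scope, $def.Name)
    $allowed += $def.Actions
    $denied  += $def.NotActions
}

$missing = $RequiredActions | Where-Object {
    -not (Test-ActionGranted -Action $_ -Allowed $allowed -Denied $denied)
}

if ($missing) {
    Write-Host "Actions not granted at scope '$DeploymentScope':"
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All required actions are granted at '$DeploymentScope'; validating the template only."
    # Validate-only run: exercises Microsoft.Resources/deployments/validate/action without deploying.
    Test-AzTenantDeployment -Location $Location -TemplateFile $TemplateFile
}
```

Run it as a user who can read role assignments at the tenant scope. Creating an assignment at scope '/' (as in filip's az role assignment create --scope '/' command) itself requires User Access Administrator at '/', which a Global Administrator obtains through the elevate-access step; that requirement is a known Azure RBAC rule, not something stated in the thread. The validate-only run at the end is the cheapest way to confirm the fix took effect before re-running the real tenant deployment.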