Microsoft Cloud Adoption Framework with Terraform - correct RBAC setup

Question

We are trying to implement the CAF, using the CAF Terraform module provided by Microsoft. My issue is, what kind of RBAC roles, should developers of the code have. As it is now, I have a managed identity, and when I run the terraform code, there are Management Groups that get created. I can see them in the terraform state. But I can not see them in the portal. When I try to access them trough az, to verify:

az account management-group list

I get an access denied error:

(AuthorizationFailed) The client 'xapr@xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid. If access was recently granted, please refresh your credentials.

I am already subscription owner, and I have asked our Global Administrator, but they also didnt know. We tried adding the "Management Group Contributor" role to my identity fore each subscription. Same error.

So the question is, what role / group assignment should devops engineers have, to verify that the correct ressources are created? It feels scary to run code, that you cant see the results of!

Answer 1

The error "(AuthorizationFailed) The client 'xapr@xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid. If access was recently granted, please refresh your credentials." usually occurs if the user doesn't have sufficient permissions to perform the action.

The issue occurs when you are assigning Management Group Contributor role in the subscription level not the Management Group Level.

I assigned the Management Group Contributor role in the subscription level for a user:

When I ran the command, I got the same error:

az account management-group list

Hence, to resolve the error, I assigned the Management Group Contributor role like below:

Go to Management Groups -> Select the Group -> Access control (IAM) -> Add role assignment -> Management Group Contributor -> Select Members -> Review+assign

After assigning the permissions, I am able to display the management group:

az account management-group list

To check what scope you have assigned permissions, run the below command:

Connect-AzAccount

Get-AzRoleAssignment -RoleDefinitionName "Management Group Contributor"

Note that: The scope to list management group must be /providers/Microsoft.Management/managementGroups/xxx which is assigning at management group level. When you assign the scope in subscription level it shows as /subscriptions/xxx.

References:

What permissions are required to iterate Management Groups (in powershell) - Microsoft Q&A by Saurabh Sharma

azure - error when running Get-AzManagementGroup PowerShell Command - Stack Overflow by Hannel