
azure-lighthouse-samples's Introduction

Microsoft Azure Lighthouse

Azure Lighthouse provides capabilities to perform cross-tenant management at scale. We do this by providing you the ability to view and manage multiple customers from a single context. When you log into Azure, you can see all of your customers who you are managing through Azure Lighthouse. Learn more.

This repository contains samples to help you use Azure Resource Manager to configure Azure delegated resource management and to configure monitoring and management of customer environments.

The templates shown below can be used to onboard a customer to Azure Lighthouse. You can deploy these manually, or use the "Deploy to Azure" buttons to deploy directly in the Azure portal.

Deploy to Azure buttons

| Name | Description | Auto-deploy | Manual deploy |
|---|---|---|---|
| Azure Lighthouse - Subscription Deployment | onboard a subscription | Deploy to Azure | templates |
| Azure Lighthouse - Resource Group Deployment | onboard a resource group | Deploy to Azure | templates |
| Azure Lighthouse - Multiple Resource Group Deployment | onboard multiple resource groups | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM - Subscription Deployment | onboard a subscription using Azure AD PIM | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM - Resource Group Deployment | onboard a resource group using Azure AD PIM | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM - Multiple Resource Group Deployment | onboard multiple resource groups using Azure AD PIM | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM Managing Tenant Approvers - Subscription Deployment | onboard a subscription using Azure AD PIM with support for Managing tenant approvers | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM Managing Tenant Approvers - Resource Group Deployment | onboard a resource group using Azure AD PIM with support for Managing tenant approvers | Deploy to Azure | templates |
| Azure Lighthouse + Azure AD PIM Managing Tenant Approvers - Multiple Resource Group Deployment | onboard multiple resource groups using Azure AD PIM with support for Managing tenant approvers | Deploy to Azure | templates |

Special Instructions (for MSPs): To customize, fork this repository, and follow these instructions to update the links to enable your customers to deploy your templates into their Azure environments.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

If you contribute any changes affecting the buttons above, please also update the buttons following the instructions here.

azure-lighthouse-samples's People

Contributors

akpragad, aparnabhat-gh, archunz, arsenvlad, azurekid, bgelens, chrislittle, hakashya, haraldfianbakken, jimgbritt, jnhs, joanabmartins, krnese, liupeirong, luander, microsoft-github-policy-service[bot], microsoftopensource, msftgits, olsenme, rajivnandivada, richrundmsft, serenaz, skayani, tfitzmac


azure-lighthouse-samples's Issues

How to compare authorizations array

At present, once the policy is deployed, any changes to the authorisations in the parameters will not make the policy non-compliant, as the policy rule only checks for managedByTenantId.

I can use Microsoft.ManagedServices/registrationDefinitions/authorizations[] to compare the length of the existing authorizations with the managedByAuthorizations parameter value, and Microsoft.ManagedServices/registrationDefinitions/authorizations[].roleDefinitionId for the roleDefinitionIds of the authorizations; however, I am not able to use or find aliases to compare all the values in the authorizations array in the policy rule.
Attached is what works so far.

Is there a way to do that that I am not aware of?

Screenshot 2021-11-03 at 12 03 47
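The comparison the issue asks for (every value in the authorizations array, not just the count or the role ids) is straightforward once both arrays are in hand as JSON, whatever retrieved them. The following is an added example, not code from the Azure-Lighthouse-samples repository: it reduces each authorization to the tuple that actually grants access (principalId, roleDefinitionId and any delegatedRoleDefinitionIds), ignores display names and ordering, and reports grants that were added or removed relative to the parameter value. The arrays and GUIDs are constructed placeholders.

```python
"""Detect drift between the 'authorizations' a Lighthouse registration
definition should carry and the ones it actually carries.

Added example, not code from the Azure-Lighthouse-samples repository.
EXPECTED and ACTUAL are constructed sample data in the shape of the
templates' 'authorizations' parameter; the GUIDs are placeholders."""

import json

# Constructed: the value the MSP put in the 'authorizations' parameter.
EXPECTED = [
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "principalIdDisplayName": "Tier 1 operators",
     "roleDefinitionId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalIdDisplayName": "Automation",
     "roleDefinitionId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
]

# Constructed: the definition after it was edited. Display name and casing
# changed on one grant (not a real change), one grant removed, one added.
ACTUAL = [
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalIdDisplayName": "Automation (renamed)",
     "roleDefinitionId": "BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB"},
    {"principalId": "44444444-4444-4444-4444-444444444444",
     "principalIdDisplayName": "New group",
     "roleDefinitionId": "cccccccc-cccc-cccc-cccc-cccccccccccc"},
]


def normalize(authorizations):
    """Reduce each authorization to the tuple that grants access:
    (principalId, roleDefinitionId, sorted delegatedRoleDefinitionIds), all
    lower-cased. principalIdDisplayName is cosmetic and is ignored."""
    grants = set()
    for auth in authorizations:
        delegated = tuple(sorted(d.lower() for d in auth.get("delegatedRoleDefinitionIds", [])))
        grants.add((auth["principalId"].lower(), auth["roleDefinitionId"].lower(), delegated))
    return grants


def diff_authorizations(expected, actual):
    """Return grants present only in 'actual' (added) and only in
    'expected' (removed). Order of the arrays does not matter."""
    exp, act = normalize(expected), normalize(actual)
    return {"added": sorted(act - exp), "removed": sorted(exp - act)}


def is_compliant(expected, actual):
    """True when the two arrays grant exactly the same access."""
    diff = diff_authorizations(expected, actual)
    return not diff["added"] and not diff["removed"]


if __name__ == "__main__":
    print(json.dumps(diff_authorizations(EXPECTED, ACTUAL), indent=2))
    print("compliant:", is_compliant(EXPECTED, ACTUAL))
```

Because the comparison is set-based, reordering the array or renaming a group does not produce a finding, while a swapped role id or a new principal does; that is the distinction a compliance check on delegations should make.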

Can't Deploy Sample AZ Policy Template in Azure Portal

When I copy and paste this sample policy template into the Azure Portal as a new Policy Definition, I get an error message.

Here is the template:
https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/policy-add-or-replace-tag/addOrReplaceTag.json

Error Message:
Creating policy definition 'TEST' in 'Training' failed. The request content was invalid and could not be deserialized: 'Required property 'policyRule' expects a value but got null. Path 'properties', line 1, position 168.'.

I've tried a few other sample policies from github and received similar error messages.

Both Sample documents from this Microsoft Document article I'm not able to deploy as well.
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/deploy-policy-remediation#create-a-user-who-can-assign-roles-to-a-managed-identity-in-the-customer-tenant

Please tell me what I am missing.
Thank you!

Register Managed Services RP Partner error AADSTS500113

The issue:
Adding the registered app from step 1 to the customer tenants in step 2 fails due to no reply address.

What I tried:
I tried adding https://<functionName>.azurewebsites.net/.auth/login/aad/callback as the callback but this resulted in a different error, a 404 error.

I created a registered app to use as the service principal described in step 1.
Step 2 describes adding that registered app to the customer tenants using this pattern: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.
Navigating to the built URL resulted in a failure to sign in and returned an AADSTS500113 error stating that there's no reply address registered for the application.

Since we're using the registered app for the service principal and it's not a real web application, what reply address should we use in the registered app?

API not retrieving tenant actions

What happened with the API to get the tenant-level registration and unregistration data?

The specific user querying the API can see the directory data within the Azure Portal, but loading either the API:

"https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$filter=eventTimestamp ge '$($dateFormatForQuery)'"

or the query that the Azure Portal is using:

https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&1$filter=eventTimestamp ge '$($dateFormatForQuery)' and eventTimestamp le '$($dateFormatForQueryHigher)'and eventChannels eq 'Admin, Operation' and resourceProvider eq 'Microsoft.Resources'

returns information, but NOT the specific registration and unregistration data.

Is this expected?

ClassicAdministratorListFailed

Hi There,

I'm trying to deploy the ARM template "delegatedResourceManagement" to a customer's subscription.

The account being used to deploy has Contributor permission to the subscription I'd like to deploy into.

My subscription is provided via a CSP (Cloud Service Provider)

I have found that on the Access Control page of the subscription, under the "Classic Administrators" section that there is the following advisory message:
"This type of subscription does not support classic administrators."

There are no classic administrators listed.

Please see the full error below:
New-AzDeployment : 8:12:23 PM - Resource Microsoft.ManagedServices/registrationDefinitions 'c62a69fe-8c56-57fc-8f1a-8be43d413609' failed with message '{
"error": {
"code": "ClassicAdministratorListFailed",
"message": "Failed to list classic administrators of subscription 'dec6084b-c0eb-43d3-95e2-8a07f1bd2c68': 'The subscription ID was not found.'."
}
}'

Is this template dependent on being classic administrator supported?
Is there any workaround to this issue?

Please let me know if you would like me to provide any additional information and I would be more than happy to provide.



Automatic remediation (onboarding)

Hi,

During creation of the policy I created a system-assigned managed identity for remediation.
When I create a remediation task manually for non-compliant subscriptions, everything works fine.

However, am I getting it right that auto-remediation does not work for subscriptions which have been created before the policy was created?

Thanks in advance!

Add Get-AzDelegatedSubscription to lighthouse-demo

Suggestion: The demo would work better (personal opinion) when you include the function as you build here: https://github.com/Azure/Azure-Lighthouse-samples/blob/master/Azure-Delegated-Resource-Management/tools/get-azdelegatedsubscription/Get-AzDelegatedSubscription.ps1

As the demo script here: https://github.com/Azure/Azure-Lighthouse-samples/tree/master/Azure-Delegated-Resource-Management/tools/lighthouse-demo will run on all subscriptions that one would have access to ($subs = get-azsubscription), not just the ones added through delegated resource management.

Just an idea :) but awesome examples!

whether "authorization" parameter in the ARM template is necessary or not

Hi all,

I tried to use the following template to assign authorizations to the roles.
https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.parameters.json
I do not want to have permanent role assignments for any principal and I only want to assign PIM for principals.

I tried to delete "authorization" parameters both in the ARM template and parameter file. I only kept and configured the "eligibleAuthorizations" part which set up the PIM values. I deployed this ARM template and the following error came out.

{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "InvalidTemplate",
"message": "Unable to process template language expressions for resource '/subscriptions/xxxx/providers/Microsoft.ManagedServices/registrationDefinitions/xxxxx' at line '71' and column '9'. 'The template parameter 'authorizations' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.'"
}
]
}

May I ask whether this "authorization" is required and the necessary reason? Is it possible to only use the PIM in this template?

Thanks in advance!

Error deploying rgDelegatedResourceManagement (Code: InvalidRegistrationDefinitionUri)

I'm trying to deploy rgDelegatedResourceManagement using the supplied template and parameter files.

PowerShell command:

New-AzResourceGroupDeployment -ResourceGroupName LighthouseTest -TemplateFile .\rgDelegatedResourceManagement.json -TemplateParameterFile .\rgDelegatedResourceManagement.parameters.json

Raw error:
(Subscription id in error is masked by me but matches the target subscription for the deployment)

{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n "error": {\r\n "code": "InvalidRegistrationDefinitionUri",\r\n "message": "The registration definition request scope '/subscriptions/99999999-9999-9999-9999-999999999999/resourcegroups/LighthouseTest' should be '/subscriptions/<subscriptionId>'."\r\n }\r\n}"
}
]
}

Parameter file:
(Tenant id and principal id are masked by me below but match the Azure AD tenant id and security group ids for the Azure AD and security group which is requesting delegated permissions)

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspName": {
"value": "Breakpoint Technology"
},
"rgName": {
"value": "LighthouseTest"
},
"mspOfferDescription": {
"value": "Breakpoint Technology - AI Analysis"
},
"managedByTenantId": {
"value": "11111111-1111-1111-1111-111111111111"
},
"authorizations": {
"value": [
{
"principalId": "22222222-2222-2222-2222-222222222222",
"principalIdDisplayName": "Lighthouse Test",
"roleDefinitionId": "73c42c96-874c-492b-b04d-ab87d138a893"
}
]
}
}
}

I have confirmed the target subscription has the Microsoft.ManagedServices provider registered.

Create-AzDiagPolicy.ps1 fails for resourceType Microsoft.NetApp/netAppAccounts/capacityPools/volumes (and potentially others)

Description

In the Parse-ResourceType function found in the Create-AzDiagPolicy.ps1 script there are currently checks for 1 or 2 / characters, but not 3.

Block in question:

    if($ResourceType.Split("/").count -eq 3)
    {
        $nameField = "fullName"
        $DirectoryNameBase = "Apply-Diag-Settings-$sinkDest-" + $($resourceType.Split("/", 3))[0] + "-" + $($resourceType.Split("/", 3))[1] + "-" + $($resourceType.Split("/", 3))[2] + $KindDirVar
    }
    if($ResourceType.Split("/").count -eq 2)
    {
        $nameField = "name"
        $DirectoryNameBase = "Apply-Diag-Settings-$sinkDest-" + $($resourceType.Split("/", 2))[0] + "-" + $($resourceType.Split("/", 2))[1] + $KindDirVar
    }

Command Ran

.\Create-AzDiagPolicy.ps1 -ExportLA -ValidateJSON -ManagementGroup -ManagementGroupID <management_group_id> -ExportAll -ExportDir policies -AllRegions

Error

Update-LogAnalyticsJSON : Cannot bind argument to parameter 'nameField' because it is an empty string.
At C:\Users\<user>\Documents\WindowsPowerShell\Scripts\Create-AzDiagPolicy.ps1:2376 char:153
+ ... rray $metricsArray -logsArray $logsArray -nameField $RPVar[1] -kind $ ...
+                                                         ~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Update-LogAnalyticsJSON], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Update-LogAnalyticsJSON

Expected Behavior

Diagnostic Policy JSON is generated for Microsoft.NetApp/netAppAccounts/capacityPools/volumes
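The failure mode reported above is that the quoted block handles exactly two and three segments, so a four-segment type such as Microsoft.NetApp/netAppAccounts/capacityPools/volumes matches neither branch, $nameField stays empty, and the later parameter binding fails. The following is an added example, not code from Create-AzDiagPolicy.ps1, written in Python rather than PowerShell: a resource-type parser that works at any nesting depth and builds the same directory name the quoted block builds. It reproduces the two cases the script shows ("name" for two segments, "fullName" for three) and extends "fullName" to deeper types, which is an assumption; the sink name "LA" is a constructed sample value.

```python
"""Parse Azure resource type strings of any depth.

Added example, not code from Create-AzDiagPolicy.ps1. The nameField rule
("name" for provider/type, "fullName" for anything deeper) reproduces the
two cases the quoted PowerShell handles and extends the second one to
deeper types; that extension is an assumption."""


def parse_resource_type(resource_type, sink_dest="LA", kind_suffix=""):
    """Split 'Provider.Namespace/type/subtype/...' into its parts and derive
    the fields the diagnostic-policy generator needs.

    Raises ValueError for strings that are not a resource type (fewer than
    two segments, or an empty segment), instead of silently producing an
    empty nameField as the original two-branch logic does for depth four."""
    parts = resource_type.split("/")
    if len(parts) < 2 or any(p == "" for p in parts):
        raise ValueError(f"not a resource type: {resource_type!r}")
    provider, segments = parts[0], parts[1:]
    # Two segments total -> top-level resource, policy matches on 'name'.
    # Three or more -> nested resource, policy matches on 'fullName' (assumed
    # for depth > 3, the script only shows depth 3).
    name_field = "name" if len(segments) == 1 else "fullName"
    # Same shape as "Apply-Diag-Settings-$sinkDest-" + segments joined by "-" + $KindDirVar
    directory = f"Apply-Diag-Settings-{sink_dest}-" + "-".join(parts) + kind_suffix
    return {
        "provider": provider,
        "segments": segments,
        "depth": len(segments),
        "nameField": name_field,
        "directoryNameBase": directory,
    }


# Constructed sample inputs, including the type from the issue.
SAMPLE_TYPES = [
    "Microsoft.Storage/storageAccounts",
    "Microsoft.Sql/servers/databases",
    "Microsoft.NetApp/netAppAccounts/capacityPools/volumes",
]

if __name__ == "__main__":
    for rt in SAMPLE_TYPES:
        info = parse_resource_type(rt)
        print(f"{rt}: depth={info['depth']} nameField={info['nameField']} dir={info['directoryNameBase']}")
```

Rejecting malformed input up front is the important change: a generator that emits policy JSON should stop on a type it does not understand rather than produce a definition with an empty match field, which is what the original error trace shows happening two thousand lines later.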

Classic roles (e.g. service administrator) project all resource groups

If a Lighthouse definition is assigned one or more resource groups, then only those selected resource groups should be projected. (This is an ARM RBAC mechanism with defined authorisations and selected assignment scopes.)

However if there is a classic ASM role then all resource groups are projected. This will be different to what the customer expected to happen based on the delegations they see in the Service Providers blade.

Recommend that the Lighthouse projection only respects the ARM RBAC authorisations and scope points.

Incorrect template delegatedResourceManagement.json

I think the sample template "Azure-Delegated-Resource-Management/templates/delegated-resource-management/delegatedResourceManagement.json" makes use of a nonexistent parameter "mspName". At least the deployment failed for me as it is, and it worked when I added the parameter...
In fact, I used a subscriptionName parameter instead, to be consistent with the sample templates for resource groups (but I'm not sure if this was the intent, or if this value finally shows up somewhere)

Create-AzDiagPolicy.ps1 can't set diagnostic settings on subresources of StorageAccount

It seems Microsoft has allowed setting diagnostic settings on subresources of StorageAccounts, e.g. Blobs. This is where transaction logging is enabled.

The script at the moment doesn't seem to pick these up and as such can't automatically deploy Diagnostic settings for these.

Are there any intentions of supporting Blobs, File shares etc. from Storage Accounts in the Create-AzDiagPolicy.ps1 script?

Template file to onboard subscription is invalid

The template defined here: https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management/delegatedResourceManagement.json to onboard subscriptions has an extra field in the template outputs section, called delegatedRoleDefinitionIds. Presence of this field makes the template invalid, and the template cannot be deployed.

Once this incorrect field is removed, the template is found to be valid and the deployment succeeds. The PR for the change is here: #80


The raw error is given below:
{
"deploymentStatusCode": -1,
"stage": 6,
"expected": true,
"error": {
"message": "Deployment template parse failed: 'Could not find member 'delegatedRoleDefinitionIds' on object of type 'TemplateOutputParameter'. Path 'outputs.authorizations.delegatedRoleDefinitionIds', line 82, position 42.'."
},
"subscriptionId": "cb729363-8115-4333-ac0f-99e4b64d2634",
"location": "eastus",
"deploymentName": "Microsoft.Template-20200901215323",
"details": {
"code": "InvalidTemplate",
"message": "Deployment template parse failed: 'Could not find member 'delegatedRoleDefinitionIds' on object of type 'TemplateOutputParameter'. Path 'outputs.authorizations.delegatedRoleDefinitionIds', line 82, position 42.'.",
"additionalInfo": [
{
"type": "TemplateViolation",
"info": {
"lineNumber": 0,
"linePosition": 0,
"path": ""
}
}
]
}
}

Error when deploying deploy-azure-mgmt-services/rgWithAzureMgmt

Trying to deploy rgWithAzureMgmt, I get the following error:
400 Client Error: Bad Request for url: https://management.azure.com/subscriptions/...

I am deploying from azcli using:
az deployment create --subscription --name ASCDeployment2 --template-file .\rgWithAzureMgmt.json --location eastus --verbose

I have tried it specifying --parameters using either one of the two files as well...

Let me know if I can provide more information!

Thanks,
Dave

rg-delegated-resource-management - Give customer a dropdown list.

Is there a way to edit the template so that the customer can select a Resource Group from a dropdown list when deploying in Azure portal?
I am attempting to use a Deploy to Azure button; when the link is used by the customer the Resource Group field looks like:
[{"rgName":"test"},{"rgName":"test2"},{"rgName":"test3"}]

Deployment of Management Group level policy for Lighthouse fails

When trying to deploy the policy to delegate subscriptions at management group level I get the following error:

New-AzManagementGroupDeployment -Name onboard-lighthouse -Location westeurope -ManagementGroupId core-mgr -TemplateFile .\deployLighthouseIfNotExistManagementGroup.json -TemplateParameterFile .\deployLighthouseIfNotExistsManagementGroup.parameters.json -Verbose
VERBOSE: 
VERBOSE: 10:49:49 AM - Template is valid.
VERBOSE: 10:49:50 AM - Create template deployment 'onboard-lighthouse'
VERBOSE: 10:49:50 AM - Checking deployment status in 5 seconds
New-AzManagementGroupDeployment : 10:49:55 AM - The deployment 'onboard-lighthouse' failed with error(s). Showing 1 out of 1 error(s).
Status Message: The policy definition 'Enable-Azure-Lighthouse' rule is invalid. The 'field' property 'Microsoft.ManagedServices/registrationAssignments/registrationDefinitionProperties.managedByTenantId' of the policy rule doesn't exist as an alias under provider 'Microsoft.ManagedServices' and resource     
type 'registrationAssignments'. The supported aliases are 'Microsoft.ManagedServices/registrationAssignments/registrationDefinitionId; Microsoft.ManagedServices/registrationAssignments/provisioningState; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.description; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*].principalId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*].roleDefinitionId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations[*];      
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.authorizations; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.registrationDefinitionName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.provisioningState; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.manageeTenantId; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.manageeTenantName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantId; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantName; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.name; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.publisher; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.product; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan.version; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.plan; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition.id; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.type; Microsoft.ManagedServices/registrationAssignments/registrationDefinition.name; 
Microsoft.ManagedServices/registrationAssignments/registrationDefinition'. Please open a CSS ticket at https://azure.microsoft.com/support/create-ticket to request new aliases. (Code:InvalidPolicyAlias)
CorrelationId: ae50a5dd-7463-4476-b30e-1093f451a0ae
At line:1 char:1
+ New-AzManagementGroupDeployment -Name onboard-lighthouse -Location we ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzManagementGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureManagementGroupDeploymentCmdlet

I fixed the error by changing:

"existenceCondition": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
        },
        {
            "field": "Microsoft.ManagedServices/registrationAssignments/registrationDefinitionProperties.managedByTenantId",
            "equals": "[[parameters('managedByTenantId')]"
        }
    ]
},

to:

"existenceCondition": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
        },
        {
            "field": "Microsoft.ManagedServices/registrationAssignments/registrationDefinition.managedByTenantId",
            "equals": "[[parameters('managedByTenantId')]"
        }
    ]
},
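The InvalidPolicyAlias error is a good candidate for a pre-deployment check, because the error message enumerates exactly which aliases the provider exposes. The following is an added example, not code from the Azure-Lighthouse-samples repository: it walks a policy rule, collects every "field" reference, and reports those that are neither built-in policy fields nor a known alias. SUPPORTED_ALIASES is copied from the error text above and is therefore a snapshot; in practice the live list should be pulled with Get-AzPolicyAlias -NamespaceMatch 'Microsoft.ManagedServices' before each run. The two existenceCondition blocks are the broken and fixed ones from this issue.

```python
"""Check the 'field' references in an Azure Policy rule against the aliases
the Microsoft.ManagedServices provider exposes.

Added example, not code from the Azure-Lighthouse-samples repository.
SUPPORTED_ALIASES is a snapshot taken from the InvalidPolicyAlias error
above; refresh it from Get-AzPolicyAlias before relying on it."""

PREFIX = "Microsoft.ManagedServices/registrationAssignments/"
SUPPORTED_ALIASES = {PREFIX + suffix for suffix in (
    "registrationDefinitionId",
    "provisioningState",
    "registrationDefinition.description",
    "registrationDefinition.authorizations[*].principalId",
    "registrationDefinition.authorizations[*].roleDefinitionId",
    "registrationDefinition.authorizations[*]",
    "registrationDefinition.authorizations",
    "registrationDefinition.registrationDefinitionName",
    "registrationDefinition.provisioningState",
    "registrationDefinition.manageeTenantId",
    "registrationDefinition.manageeTenantName",
    "registrationDefinition.managedByTenantId",
    "registrationDefinition.managedByTenantName",
    "registrationDefinition.plan.name",
    "registrationDefinition.plan.publisher",
    "registrationDefinition.plan.product",
    "registrationDefinition.plan.version",
    "registrationDefinition.plan",
    "registrationDefinition.id",
    "registrationDefinition.type",
    "registrationDefinition.name",
    "registrationDefinition",
)}

# Fields any policy rule may reference without a provider alias.
BUILTIN_FIELDS = {"name", "fullName", "type", "location", "id", "identity.type", "kind", "tags"}


def collect_fields(node):
    """Yield every value stored under a 'field' key, at any depth of the rule."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "field" and isinstance(value, str):
                yield value
            else:
                yield from collect_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from collect_fields(item)


def invalid_fields(rule, supported=SUPPORTED_ALIASES):
    """Return the field references ARM would reject with InvalidPolicyAlias."""
    bad = []
    for field in collect_fields(rule):
        if field in BUILTIN_FIELDS or field.startswith("tags["):
            continue
        if field not in supported:
            bad.append(field)
    return bad


# The existenceCondition from the issue, before and after the fix.
BROKEN = {"allOf": [
    {"field": "type", "equals": "Microsoft.ManagedServices/registrationDefinitions"},
    {"field": PREFIX + "registrationDefinitionProperties.managedByTenantId",
     "equals": "[[parameters('managedByTenantId')]"},
]}
FIXED = {"allOf": [
    {"field": "type", "equals": "Microsoft.ManagedServices/registrationDefinitions"},
    {"field": PREFIX + "registrationDefinition.managedByTenantId",
     "equals": "[[parameters('managedByTenantId')]"},
]}

if __name__ == "__main__":
    print("broken:", invalid_fields(BROKEN))
    print("fixed: ", invalid_fields(FIXED))
```

The check is purely syntactic: it confirms that each alias exists, not that the rule compares the right property. Reviewing which authorizations and tenant id a deployIfNotExists policy looks for is still a manual step.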
