Giter VIP home page Giter VIP logo

Comments (11)

krnese avatar krnese commented on June 23, 2024

Can you point me to the template you are deploying?
From an RBAC perspective, we require the customer (who onboard) to be Owner.

from azure-lighthouse-samples.

jpendyala avatar jpendyala commented on June 23, 2024

Thanks for a quick reply @krnese

This is the template I'm using:
https://github.com/Azure/Azure-Lighthouse-samples/blob/master/Azure-Delegated-Resource-Management/templates/delegated-resource-management/delegatedResourceManagement.json

from azure-lighthouse-samples.

krnese avatar krnese commented on June 23, 2024

And you are:

  1. Deploying this as a user in the customer tenant?
  2. The user has Owner permission at the subscription?
  3. You deploy it as a subscription level template (New-AzDeployment / az deployment create)?

from azure-lighthouse-samples.

jpendyala avatar jpendyala commented on June 23, 2024

I'm deploying it in the customer tenant using New-AzDeployment. I'm the GA in the customer tenant and owner on the subscription in the customer tenant.

I created a TemplateParameterFile by including my Principal ID and Reader Role Def ID in the authorizations section of the file.

from azure-lighthouse-samples.

krnese avatar krnese commented on June 23, 2024

Are you deploying it as a guest account, or a user belonging to the customer AAD?
Can you pls deploy it as a user originating from the customer AAD with Owner permission at scope?

from azure-lighthouse-samples.

jpendyala avatar jpendyala commented on June 23, 2024

I followed the Powershell steps mentioned in this document
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer

I'm a user in customer AAD and I have owner permission at the subscription

from azure-lighthouse-samples.

krnese avatar krnese commented on June 23, 2024

Thanks. Can you please open a support ticket so we can investigate further?

from azure-lighthouse-samples.

dorankerkhofs avatar dorankerkhofs commented on June 23, 2024

I experienced exactly the same issue.

i was connected with azure ad only (connect-azureAD).
When i connected to the azure account it worked (Connect-AzAccount).

Good Luck!

from azure-lighthouse-samples.

jpendyala avatar jpendyala commented on June 23, 2024

Let me try that
Thanks @dorankerkhofs

from azure-lighthouse-samples.

krnese avatar krnese commented on June 23, 2024

Did it work?

from azure-lighthouse-samples.

0x113 avatar 0x113 commented on June 23, 2024

Sorry for reopening this, but I'm facing the same issue. I want to onboard user into my tenant. The user that executes the template, has a custom role, and he is not an Owner. The custom role has such permissions:

       "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/deployments/read",
                    "Microsoft.Resources/deployments/write",
                    "Microsoft.Resources/deployments/delete",
                    "Microsoft.Resources/deployments/cancel/action",
                    "Microsoft.Resources/deployments/validate/action",
                    "Microsoft.Resources/deployments/operations/read",
                    "Microsoft.Resources/deployments/operationstatuses/read",
                    "Microsoft.Resources/deploymentScripts/read",
                    "Microsoft.Resources/deploymentScripts/write",
                    "Microsoft.Resources/deploymentScripts/delete",
                    "Microsoft.Resources/deploymentScripts/logs/read",
                    "Microsoft.ManagedServices/registrationDefinitions/write",
                    "Microsoft.ManagedServices/registrationAssignments/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/deployments/whatIf/action",
                    "Microsoft.Resources/deployments/exportTemplate/action",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                    "Microsoft.ManagedServices/register/action",
                    "Microsoft.ManagedServices/unregister/action",
                    "Microsoft.ManagedServices/marketplaceRegistrationDefinitions/read",
                    "Microsoft.ManagedServices/operations/read",
                    "Microsoft.ManagedServices/registrationAssignments/read",
                    "Microsoft.ManagedServices/registrationAssignments/delete",
                    "Microsoft.ManagedServices/registrationDefinitions/read",
                    "Microsoft.ManagedServices/registrationDefinitions/delete",
                    "Microsoft.ManagedServices/operationStatuses/read",
                    "Microsoft.ManagedIdentity/register/action",
                    "Microsoft.ManagedIdentity/operations/read",
                    "Microsoft.ManagedIdentity/identities/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/write"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]

I tried to deploy the template but I'm getting InsufficientPrivilegesForManagedServiceResource. For me, it looks like I do have enough permissions. Do I still need to have an "Owner" role for the deployment?

from azure-lighthouse-samples.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.