Comments (11)
Can you point me to the template you are deploying?
From an RBAC perspective, we require the customer (who onboards) to be Owner.
from azure-lighthouse-samples.
Thanks for a quick reply @krnese
This is the template I'm using:
https://github.com/Azure/Azure-Lighthouse-samples/blob/master/Azure-Delegated-Resource-Management/templates/delegated-resource-management/delegatedResourceManagement.json
And you are:
- Deploying this as a user in the customer tenant?
- The user has Owner permission at the subscription?
- You deploy it as a subscription level template (New-AzDeployment / az deployment create)?
I'm deploying it in the customer tenant using New-AzDeployment. I'm the GA in the customer tenant and owner on the subscription in the customer tenant.
I created a TemplateParameterFile by including my Principal ID and Reader Role Def ID in the authorizations section of the file.
Are you deploying it as a guest account, or a user belonging to the customer AAD?
Can you pls deploy it as a user originating from the customer AAD with Owner permission at scope?
I followed the PowerShell steps mentioned in this document
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer
I'm a user in customer AAD and I have owner permission at the subscription
Thanks. Can you please open a support ticket so we can investigate further?
I experienced exactly the same issue.
I was connected with Azure AD only (Connect-AzureAD).
When I connected to the Azure account it worked (Connect-AzAccount).
Good Luck!
Let me try that
Thanks @dorankerkhofs
Did it work?
Sorry for reopening this, but I'm facing the same issue. I want to onboard a user into my tenant. The user that executes the template has a custom role, and he is not an Owner. The custom role has these permissions:

```json
"permissions": [
  {
    "actions": [
      "Microsoft.Resources/deployments/read",
      "Microsoft.Resources/deployments/write",
      "Microsoft.Resources/deployments/delete",
      "Microsoft.Resources/deployments/cancel/action",
      "Microsoft.Resources/deployments/validate/action",
      "Microsoft.Resources/deployments/operations/read",
      "Microsoft.Resources/deployments/operationstatuses/read",
      "Microsoft.Resources/deploymentScripts/read",
      "Microsoft.Resources/deploymentScripts/write",
      "Microsoft.Resources/deploymentScripts/delete",
      "Microsoft.Resources/deploymentScripts/logs/read",
      "Microsoft.ManagedServices/registrationDefinitions/write",
      "Microsoft.ManagedServices/registrationAssignments/write",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/deployments/whatIf/action",
      "Microsoft.Resources/deployments/exportTemplate/action",
      "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
      "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
      "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
      "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
      "Microsoft.ManagedServices/register/action",
      "Microsoft.ManagedServices/unregister/action",
      "Microsoft.ManagedServices/marketplaceRegistrationDefinitions/read",
      "Microsoft.ManagedServices/operations/read",
      "Microsoft.ManagedServices/registrationAssignments/read",
      "Microsoft.ManagedServices/registrationAssignments/delete",
      "Microsoft.ManagedServices/registrationDefinitions/read",
      "Microsoft.ManagedServices/registrationDefinitions/delete",
      "Microsoft.ManagedServices/operationStatuses/read",
      "Microsoft.ManagedIdentity/register/action",
      "Microsoft.ManagedIdentity/operations/read",
      "Microsoft.ManagedIdentity/identities/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
      "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
      "Microsoft.ManagedIdentity/userAssignedIdentities/read",
      "Microsoft.ManagedIdentity/userAssignedIdentities/write"
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": []
  }
]
```

I tried to deploy the template but I'm getting InsufficientPrivilegesForManagedServiceResource. For me, it looks like I do have enough permissions. Do I still need to have an "Owner" role for the deployment?
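As an added example (not code from this thread or from the Azure-Lighthouse-samples repository), the PowerShell preflight below covers the two points the thread turns on: dorankerkhofs's observation that an Az context from Connect-AzAccount is needed (Connect-AzureAD alone gives no Azure Resource Manager context for New-AzDeployment), and the question of whether a custom role without Owner is enough. The onboarding documentation linked earlier in the thread requires the deploying account to hold a role granting Microsoft.Authorization/roleAssignments/write at the subscription being onboarded, which Owner grants through its `*` action; the custom role listed in the last comment contains no Microsoft.Authorization actions at all, and the script makes that gap visible before the deployment is attempted. The subscription id, deployment name, location and file paths are placeholders.

```powershell
# Added example, not part of the thread or the samples repo.
# Preflight for onboarding a subscription to Azure Lighthouse:
#   1. confirm an Az (ARM) context exists, not only an AzureAD session;
#   2. verify the signed-in account holds a role at subscription scope whose
#      Actions cover Microsoft.Authorization/roleAssignments/write and whose
#      NotActions do not take it away again;
#   3. validate and then run the subscription-level deployment.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,                                   # placeholder
    [string] $TemplateFile          = './delegatedResourceManagement.json',            # placeholder path
    [string] $TemplateParameterFile = './delegatedResourceManagement.parameters.json', # placeholder path
    [string] $Location              = 'westeurope',                                    # placeholder
    [string] $DeploymentName        = 'lighthouse-onboard'                             # placeholder
)

# 1. An ARM context is required. Connect-AzureAD only signs in to the Graph-backed
#    AzureAD module and leaves Get-AzContext empty.
$ctx = Get-AzContext
if (-not $ctx) {
    throw 'No Az context found. Run Connect-AzAccount (Connect-AzureAD alone is not enough for New-AzDeployment).'
}
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 2. Collect the account's role assignments at the subscription (inherited ones
#    from management groups are included), expanding group memberships as well.
$scope = "/subscriptions/$SubscriptionId"
$requiredAction = 'Microsoft.Authorization/roleAssignments/write'
$assignments = Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope -ExpandPrincipalGroups

$grantingRoles = foreach ($a in $assignments) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    # Azure RBAC action strings are wildcard patterns; PowerShell -like evaluates
    # them the same way ('*' matches everything, 'Microsoft.Authorization/*/Write'
    # matches the required action). Contributor, for instance, lists
    # 'Microsoft.Authorization/*/Write' under NotActions and therefore fails here.
    $allowed = $def.Actions    | Where-Object { $requiredAction -like $_ }
    $denied  = $def.NotActions | Where-Object { $requiredAction -like $_ }
    if ($allowed -and -not $denied) { $def.Name }
}

if (-not $grantingRoles) {
    $held = ($assignments | Select-Object -ExpandProperty RoleDefinitionName -Unique) -join ', '
    throw "Account $($ctx.Account.Id) holds [$held] at $scope, none of which grants $requiredAction. " +
          'Onboarding needs a role that grants it (Owner does); expect InsufficientPrivilegesForManagedServiceResource otherwise.'
}
Write-Host "Role(s) granting ${requiredAction}: $($grantingRoles -join ', ')"

# 3. Validate the subscription-level template first; Test-AzDeployment returns
#    error objects instead of throwing, so check its output explicitly.
$validation = Test-AzDeployment -Location $Location -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParameterFile
if ($validation) {
    $validation | Format-List | Out-String | Write-Host
    throw 'Template validation failed; see errors above.'
}

New-AzDeployment -Name $DeploymentName -Location $Location `
    -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParameterFile -Verbose
```

Run it from the customer tenant as the onboarding user, for example `.\Invoke-LighthousePreflight.ps1 -SubscriptionId <customer-subscription-id>`. The role check is deliberately done against role definitions rather than role names, so a custom role that does include Microsoft.Authorization/roleAssignments/write passes, while a role that merely carries the Microsoft.ManagedServices write actions, like the one posted above, is reported before any deployment is attempted.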