
ResourceIdentityRequired Error - Azure Policy assignments must include a 'managed identity'


I am trying to assign this policy, but I am receiving the error below:

New-AzPolicyAssignment -Name  $policyNameToAssign -DisplayName $PolicyDisplayName -Scope $Subscription -PolicyDefinition $definition
# Enter: DCRResourceID string
New-AzPolicyAssignment: ResourceIdentityRequired : The policy assignment 'PolicyName' request is invalid. Policy assignments must include a 'managed identity' when assigning 'DeployIfNotExists' policy definitions. Please see https://aka.ms/azurepolicyremediation for usage information.

What is missing in the policy?


Solution

  • Note that policies with the deployIfNotExists and modify effect types must specify an identity when the policy is assigned from CLI/PowerShell.

    When I ran the PowerShell script below to assign the policy without including any identity, I too got the same error, as shown below:

    $assignmentName = "Devipolicy"
    $subscriptionId = "/subscriptions/b83c1ed3-c5b6-44fb-b5ba-xxxxxxxx"
    $policyDefName = "sripolicy"
    
    # Get the policy definition
    $policyDefinition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq $policyDefName }
    
    New-AzPolicyAssignment -Name $assignmentName -Scope $subscriptionId -PolicyDefinition $policyDefinition
    

    Response:

    (screenshot of the ResourceIdentityRequired error response, not reproduced here)

    To resolve the error, you need to add either a system-assigned or a user-assigned managed identity by including the identity-related parameters in the command; these are required to deploy resources and to edit tags on existing resources respectively.

    In my case, I modified the script by including the -IdentityType parameter with the value 'SystemAssigned' and got a successful response, as shown below:

    $assignmentName = "Devipolicy"
    $subscriptionId = "/subscriptions/b83c1ed3-c5b6-44fb-b5ba-xxxxxxxx"
    $policyDefName = "sripolicy"
    
    # Get the policy definition
    $policyDefinition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq $policyDefName }
    
    New-AzPolicyAssignment -Name $assignmentName -Scope $subscriptionId -PolicyDefinition $policyDefinition -Location 'eastus' -IdentityType 'SystemAssigned'
    

    Response:

    (screenshot of the successful assignment response, not reproduced here)

    When I checked the same in the Portal, the policy assignment had been created with a system-assigned managed identity, as shown below:

    (Portal screenshot of the assignment's system-assigned identity, not reproduced here)

    Reference: New-AzPolicyAssignment: ResourceIdentityRequired - GitHub by ishepherd
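The answer above fixes the error by adding -IdentityType, but an assignment whose identity holds no roles still cannot remediate anything. The following script is an added example, not code from the question or the answer: it inspects the definition's effect to decide whether an identity is needed, assigns with a system-assigned identity when it is, and then grants that identity the roles the definition declares in roleDefinitionIds. The subscription id is a placeholder, and $policyDefName, $assignmentName and $location are assumed values; it relies on the Az.Resources object shape the answer uses ($def.Properties...).

```powershell
# Added example (not from the original post). Assumed values below; the
# subscription id is a placeholder, replace it with your own.
$subscriptionId = "/subscriptions/00000000-0000-0000-0000-000000000000"
$policyDefName  = "sripolicy"
$assignmentName = "Devipolicy"
$location       = "eastus"

$def = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq $policyDefName }
if (-not $def) { throw "Policy definition '$policyDefName' not found" }

# The effect may be a literal ("DeployIfNotExists") or a parameter reference such as
# "[parameters('effect')]"; in the latter case use the parameter's default value.
$effect = $def.Properties.PolicyRule.then.effect
if ($effect -match "^\[parameters\('(?<name>[^']+)'\)\]$") {
    $effect = $def.Properties.Parameters.($Matches.name).defaultValue
}
# -in is case-insensitive, so "deployIfNotExists" from a JSON definition also matches.
$needsIdentity = $effect -in @('DeployIfNotExists', 'Modify')

if (-not $needsIdentity) {
    # Audit/Deny style effects: no identity required, assign as the question did.
    New-AzPolicyAssignment -Name $assignmentName -Scope $subscriptionId -PolicyDefinition $def
    return
}

$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $subscriptionId `
    -PolicyDefinition $def -Location $location -IdentityType 'SystemAssigned'
$principalId = $assignment.Identity.PrincipalId

# roleDefinitionIds in the definition are full resource paths; New-AzRoleAssignment
# expects only the GUID, so take the last path segment.
$roleIds = @($def.Properties.PolicyRule.then.details.roleDefinitionIds) |
    ForEach-Object { ($_ -split '/')[-1] }

foreach ($roleId in $roleIds) {
    # A freshly created service principal can take a little while to replicate,
    # so retry the role assignment a few times before giving up.
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId `
                -Scope $subscriptionId -ErrorAction Stop | Out-Null
            break
        } catch {
            if ($attempt -eq 5) { throw }
            Start-Sleep -Seconds 10
        }
    }
}
```

Scope the role assignments no wider than the assignment scope; the identity only needs the roles listed in the definition, and only where the policy applies.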