Azure - RBAC to Management Group
I'm unable to create a Service Connection for a Management Group. Below are more details
I have created a Management Group (my-mg)and added/assigned 2 subscriptions (dev-sub & prod-sub)
Created an App Registration say MG-APP
Assigned MG-APP the Management Group Contributor role in both dev-sub & prod-sub subscriptions
In Azure DevOps, I'm trying to create a Service Connection at Management Group Level using Service Principle (manual) and gave the Service Principle ID and Secret of the MG-APP and while verifying the connection it gives the below error.
The client '117aac40-82******' with object id '117aac40-82******' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/my-mg
Please let me know if I'm missing something?
Thanks, Praveen
Based on your description, I could reproduce the failure to verify the ARM service connection setup with the scope of a management group, when the underlying service principal was not granted a role assignment to the management group scope.
To set IAM over a management group, please double check in your AAD properties if you can manage access to all Azure subscriptions and management groups in this tenant; then navigate to the Access control(IAM) blade of my-mg for role assignment.
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services