Tags: azure, azure-resource-manager, azure-bicep, azure-rbac

RBAC with bicep


I'm trying to assign the AD group to my storage account as Contributor and also Storage Blob Data Contributor using the service principal that is Owner at subscription level.

@description('Name of the existing storage account that receives the role assignments.')
param storageAccountName string

@description('Built-in role definition GUIDs to assign (e.g. Contributor, Storage Blob Data Contributor).')
param roleIds array

@description('Object ID of the Microsoft Entra group (not its display name).')
param adGroup string

@description('Principal type of adGroup; stating it explicitly avoids lookup failures for newly created principals.')
param principalType string = 'Group'

// reference to the existing storage account; nothing is created here
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// one assignment per role; the loop variable must not reuse the array parameter's name
resource roleAssignment1 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleIds: {
  // deterministic name so repeated deployments update the same assignment instead of creating duplicates
  name: guid(subscription().subscriptionId, resourceGroup().name, storageAccountName, roleId, adGroup)
  scope: storageAccount
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: adGroup
    principalType: principalType
  }
}]

I get this error:

{"code":"GroupTypeNotSupported","message":"Only security-enabled groups can be used in role assignments."}

Solution

  • Only Microsoft Entra groups of type Security can be assigned. You can check the group type in Microsoft Entra.
    Once you've updated the group type, it should work.

    Note: if you created the role assignment manually, a random GUID was assigned as its name, so when you run your Bicep file it will try to create a new role assignment with a different name (guid(subscription().subscriptionId, resourceGroup().name, storageAccountName, roleId, adGroup)). Delete the existing role assignment first and create it again using Bicep.
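A pre-flight script for the two points in the answer, checking that the group is security-enabled and removing manually created assignments before the Bicep deployment, added here as an example; it is not code from the original post. It assumes the Azure CLI (`az`) is logged in as the subscription-level Owner service principal; the resource group, storage account, group object ID, template path and parameters file passed to `preflight_and_deploy` are placeholders supplied by the caller, and the JSON strings used to exercise the parsing helpers are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `az` is logged in as the Owner service principal.
set -eu

# Returns 0 when the JSON from `az ad group show` reports a security-enabled group,
# the only kind of group that role assignments accept (otherwise GroupTypeNotSupported).
# Plain text check so it can be exercised on constructed output without calling Azure.
group_is_security_enabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"securityEnabled":true'
}

# Prints the resource ids found in `az role assignment list -o json` output, one per line
# (empty output when the list is empty). Only the top-level "id" key of each entry matches.
assignment_ids() {
  printf '%s' "$1" | grep -o '"id": *"[^"]*"' | sed 's/"id": *"\([^"]*\)"/\1/' || true
}

# 1. refuse to deploy if the group is not security-enabled,
# 2. delete assignments the group already holds on the storage account (manually created ones
#    carry random names, which collide with the deterministic guid() names Bicep computes),
# 3. run the deployment.
# usage: preflight_and_deploy <resource-group> <storage-account> <group-object-id> <template.bicep> <parameters>
# <parameters> is whatever `az deployment group create --parameters` accepts, e.g. @params.json
preflight_and_deploy() {
  rg=$1; sa=$2; group=$3; template=$4; params=$5

  if ! group_is_security_enabled "$(az ad group show --group "$group" -o json)"; then
    echo "group $group is not security-enabled; role assignments would fail with GroupTypeNotSupported" >&2
    return 1
  fi

  scope=$(az storage account show --name "$sa" --resource-group "$rg" --query id -o tsv)

  assignment_ids "$(az role assignment list --scope "$scope" --assignee "$group" -o json)" |
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    echo "deleting existing assignment $id" >&2
    az role assignment delete --ids "$id"
  done

  az deployment group create --resource-group "$rg" --template-file "$template" --parameters "$params"
}
```

Run it as `preflight_and_deploy my-rg mystorageacct <group-object-id> main.bicep @params.json` from a shell that has sourced the script. Deleting and recreating an assignment briefly removes the group's access, so schedule the first Bicep run in a maintenance window if the group is in active use.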