Issue
I received the following error when attempting to load and run the bicep file as part of the Microsoft Azure integration:
(AuthorizationFailed) The client 'user@domain.com' with object id '<object ID>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '<scope ID>' or the scope is invalid.
Environment
Red Canary
Microsoft Azure
Resolution
A user with Global Administrator permissions will need "owner" level permissions granted at the root level to be able to distribute the proper permissions to all subscriptions.
- Assign the "owner" role at the root level to the user currently logged in.
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query id --output tsv) --assignee-principal-type User
- Confirm the user has the correct permissions assigned.
az role assignment list --scope "/" --role "Owner" --assignee $(az ad signed-in-user show --query userPrincipalName --output tsv)
- Complete the remaining steps for your Azure integration via Integrate Microsoft Azure with Red Canary
- Once complete, revoke the "owner" level permissions at the root level.
az role assignment delete --assignee $(az ad signed-in-user show --query userPrincipalName --output tsv) --scope "/" --role "Owner"
- Confirm the permissions have been removed using the following command.
az role assignment list --assignee $(az ad signed-in-user show --query userPrincipalName --output tsv) --all
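The final confirmation step above is the one worth automating, since a forgotten root-scope Owner assignment is exactly the kind of standing privilege this procedure is meant to avoid. The script below is an added example, not part of the Red Canary article or the Azure CLI: it parses the JSON that `az role assignment list --assignee <upn> --all --output json` emits (the field names principalName, roleDefinitionName and scope are the CLI's own; the assignment IDs and subscription ID in the embedded sample are constructed placeholders) and reports any Owner assignment at scope "/" that still belongs to the principal.

```python
"""Added example (not Red Canary's code): verify that the temporary root-scope
Owner assignment has been revoked.

Usage:
    az role assignment list --assignee user@domain.com --all --output json > ra.json
    python3 check_root_owner.py ra.json user@domain.com
Exit status 0 means no root-scope Owner assignment remains for that principal.
Run with no arguments to exercise the constructed sample below.
"""
import json
import sys

ROOT_SCOPE = "/"
OWNER_ROLE = "Owner"


def root_owner_assignments(assignments, principal_name):
    """Return every assignment in the list that grants Owner at the root
    scope ("/") to the named principal. principalName is compared
    case-insensitively because UPNs are not case-sensitive."""
    hits = []
    for assignment in assignments:
        if assignment.get("scope") != ROOT_SCOPE:
            continue
        if assignment.get("roleDefinitionName") != OWNER_ROLE:
            continue
        if assignment.get("principalName", "").lower() != principal_name.lower():
            continue
        hits.append(assignment)
    return hits


def count_root_owner(json_text, principal_name):
    """Number of lingering root-scope Owner assignments in raw CLI JSON."""
    return len(root_owner_assignments(json.loads(json_text), principal_name))


def revoked(json_text, principal_name):
    """True when the principal no longer holds Owner at the root scope."""
    return count_root_owner(json_text, principal_name) == 0


# Constructed sample of `az role assignment list --all` output while the
# temporary Owner assignment is still in place. All GUIDs are placeholders.
SAMPLE_BEFORE = json.dumps([
    {
        "id": "/providers/Microsoft.Authorization/roleAssignments/"
              "00000000-0000-0000-0000-000000000001",
        "principalName": "user@domain.com",
        "principalType": "User",
        "roleDefinitionName": "Owner",
        "scope": "/",
    },
    {
        "id": "/subscriptions/00000000-0000-0000-0000-0000000000aa/providers/"
              "Microsoft.Authorization/roleAssignments/"
              "00000000-0000-0000-0000-000000000002",
        "principalName": "user@domain.com",
        "principalType": "User",
        "roleDefinitionName": "Reader",
        "scope": "/subscriptions/00000000-0000-0000-0000-0000000000aa",
    },
])

# The same principal after `az role assignment delete ... --scope "/" --role "Owner"`:
# only the subscription-level Reader assignment is left.
SAMPLE_AFTER = json.dumps([json.loads(SAMPLE_BEFORE)[1]])


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        upn = sys.argv[2]
    else:
        text, upn = SAMPLE_BEFORE, "user@domain.com"
    leftovers = root_owner_assignments(json.loads(text), upn)
    for assignment in leftovers:
        print(f"still present: {assignment['roleDefinitionName']} at "
              f"scope {assignment['scope']} ({assignment['id']})")
    sys.exit(1 if leftovers else 0)
```

Because the check keys on scope "/" specifically, an Owner assignment inherited from or scoped to an individual subscription is not flagged; that matches the article's intent, which is only to remove the root-level grant added for the integration.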
Cause
By default, Azure does not grant access to deploy or manage the root level management group. A user with Global Administrator permissions can grant themselves the needed permissions at the root level for the purposes of this integration and revoke them when completed.
See below from Microsoft for more information:
Elevate access to manage all Azure subscriptions and management groups - additional Microsoft documentation on why elevated access is needed and how it works
Management group access - additional information on management group permissions