Azure - RBAC to Management Group
I'm unable to create a Service Connection for a Management Group. Below are more details
I have created a Management Group (my-mg)and added/assigned 2 subscriptions (dev-sub & prod-sub)
Created an App Registration say MG-APP
Assigned MG-APP the Management Group Contributor role in both dev-sub & prod-sub subscriptions
In Azure DevOps, I'm trying to create a Service Connection at Management Group Level using Service Principle (manual) and gave the Service Principle ID and Secret of the MG-APP and while verifying the connection it gives the below error.
The client '117aac40-82******' with object id '117aac40-82******' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/my-mg
Please let me know if I'm missing something?
Thanks, Praveen
Based on your description, I could reproduce the failure to verify the ARM service connection setup with the scope of a management group, when the underlying service principal was not granted a role assignment to the management group scope.
To set IAM over a management group, please double check in your AAD properties if you can manage access to all Azure subscriptions and management groups in this tenant; then navigate to the Access control(IAM) blade of my-mg for role assignment.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs