I'm unable to create a Service Connection for a Management Group. Below are more details.
I have created a Management Group (my-mg) and added/assigned 2 subscriptions (dev-sub & prod-sub).
Created an App Registration, say MG-APP.
Assigned MG-APP the Management Group Contributor role in both dev-sub & prod-sub subscriptions.
In Azure DevOps, I'm trying to create a Service Connection at Management Group level using Service Principal (manual) and gave the Service Principal ID and Secret of the MG-APP. While verifying the connection it gives the below error.
The client '117aac40-82******' with object id '117aac40-82******' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/my-mg
Please let me know if I'm missing something.
Thanks, Praveen
Based on your description, I could reproduce the failure to verify the ARM service connection setup with the scope of a management group, when the underlying service principal was not granted a role assignment to the management group scope.
To set IAM over a management group, please double check in your AAD properties if you can manage access to all Azure subscriptions and management groups in this tenant; then navigate to the Access control (IAM) blade of my-mg for role assignment.
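As an added example (not part of the answer above or of any Microsoft documentation), an Azure CLI script that grants the service principal a role at the management group scope and then checks that an assignment exists at exactly that scope, which is what the verification step in the post needs. It assumes `az login` has already been done as a user allowed to manage access to the management group; the subscription ids in the constructed sample listing are placeholders.

```bash
#!/usr/bin/env bash
# Added example: role assignment at management group scope for an ARM service connection.
set -euo pipefail

# ARM scope string for a management group; this is the scope quoted in the error.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Return 0 if a role assignment listing (tsv lines of "<scope>\t<role>") contains an
# assignment whose scope is exactly the management group, 1 otherwise. Assignments on
# the member subscriptions (as in the post) do not count: they are below the MG scope.
assigned_at_mg() {
  local mg_name="$1" listing="$2"
  local scope; scope="$(mg_scope "$mg_name")"
  printf '%s\n' "$listing" |
    awk -F'\t' -v s="$scope" '$1 == s { found = 1 } END { exit found ? 0 : 1 }'
}

# Create the assignment and verify it landed at management group scope.
# "Management Group Contributor" is the role used in the post; "Management Group Reader"
# already grants the Microsoft.Management/managementGroups/read action from the error.
grant_and_verify() {
  local app_id="$1" role="$2" mg_name="$3"
  local scope; scope="$(mg_scope "$mg_name")"
  az account management-group show --name "$mg_name" --output none   # MG must exist
  az role assignment create --assignee "$app_id" --role "$role" --scope "$scope" --output none
  local listing
  listing="$(az role assignment list --assignee "$app_id" --scope "$scope" \
             --query "[].[scope, roleDefinitionName]" --output tsv)"
  assigned_at_mg "$mg_name" "$listing"
}

# Only talks to Azure when explicitly requested:
#   MG_APPLY=1 ./grant_mg_role.sh <app-or-object-id> my-mg
if [ "${MG_APPLY:-0}" = "1" ]; then
  grant_and_verify "${1:?app id}" "${ROLE:-Management Group Contributor}" "${2:?management group name}"
else
  # Constructed listing mirroring the post: role held on both subscriptions, not on my-mg.
  sample="$(printf '/subscriptions/<dev-sub-id>\tManagement Group Contributor\n/subscriptions/<prod-sub-id>\tManagement Group Contributor')"
  if assigned_at_mg my-mg "$sample"; then
    echo "assignment found at $(mg_scope my-mg)"
  else
    echo "no assignment at $(mg_scope my-mg): service connection verification will fail"
  fi
fi
```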