Azure / Azure-Lighthouse-samples

Provide samples for understanding managed service solutions
MIT License

whether "authorization" parameter in the ARM template is necessary or not #121

Open AmberYangY opened 2 years ago

AmberYangY commented 2 years ago

Hi all,

I tried to use the following template to assign authorizations to the roles:

https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management-eligible-authorizations/rg/rg.parameters.json

I do not want to have permanent role assignments for any principal, and I only want to assign PIM for principals.

I tried to delete "authorization" parameters both in the ARM template and parameter file. I only kept and configured the "eligibleAuthorizations" part which set up the PIM values. I deployed this ARM template and the following error came out.

```json
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "InvalidTemplate",
      "message": "Unable to process template language expressions for resource '/subscriptions/xxxx/providers/Microsoft.ManagedServices/registrationDefinitions/xxxxx' at line '71' and column '9'. 'The template parameter 'authorizations' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.'"
    }
  ]
}
```

May I ask whether this "authorization" is required and the necessary reason? Is it possible to only use the PIM in this template?

Thanks in advance!
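Editor's added example (not part of the original post and not code from the Azure-Lighthouse-samples repository): the `InvalidTemplate` error above reports that a resource expression still references `parameters('authorizations')` with no matching parameter declaration. The check below finds such dangling references before deployment. `SAMPLE_TEMPLATE` is a constructed, trimmed template, and the function names are hypothetical.

```python
# Added example: report parameters('x') references that have no declaration.
import re

# Matches parameters('name') inside an ARM template expression string.
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")

def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def undeclared_parameter_refs(template):
    """Return sorted (parameter, json_path) pairs referenced but not declared."""
    # ARM parameter names are compared case-insensitively.
    declared = {name.lower() for name in template.get("parameters", {})}
    missing = set()
    for path, text in iter_strings(template):
        # Only "[...]" strings are expressions; "[[" escapes a literal bracket.
        if not text.startswith("[") or text.startswith("[["):
            continue
        for name in PARAM_REF.findall(text):
            if name.lower() not in declared:
                missing.add((name, path))
    return sorted(missing)

# Constructed sample: "authorizations" was removed from the parameters section
# but the resource properties still reference it.
SAMPLE_TEMPLATE = {
    "parameters": {
        "mspOfferName": {"type": "string"},
        "managedByTenantId": {"type": "string"},
        "eligibleAuthorizations": {"type": "array"},
    },
    "resources": [{
        "type": "Microsoft.ManagedServices/registrationDefinitions",
        "name": "[guid(parameters('mspOfferName'))]",
        "properties": {
            "managedByTenantId": "[parameters('managedByTenantId')]",
            "authorizations": "[parameters('authorizations')]",
            "eligibleAuthorizations": "[parameters('eligibleAuthorizations')]",
        },
    }],
}

if __name__ == "__main__":
    for name, path in undeclared_parameter_refs(SAMPLE_TEMPLATE):
        print(f"undeclared parameter '{name}' referenced at {path}")
```

To check a real template, load it with `json.load` and pass the resulting dict to `undeclared_parameter_refs`.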