Related command
az role assignment create --assignee-object-id xxx-xxx-xxx-xxx-xxx --role 'Microsoft Sentinel Responder' --scope '/subscriptions/foobar/resourceGroups/foo-rg/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace)'
Describe the bug
To give access to only a Sentinel Workspace, it is required to assign Microsoft Sentinel Responder to not only the Log Analytics Workspace but also to the Solutions resource ID for the related Sentinel instance. The az role assignment create command used on PowerShell has some validation / escaping issues.
The Error
ERROR: The Resource 'Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace' under resource group 'foo-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Notice how the last closing bracket is omitted from the error. Wrapping the scope in double or single quotes could not fix this. However, using bash did fix the issue. Please correct me if it is user error and there is some escaping required I did not know about.
To Reproduce
Have a pre-existing workspace / Sentinel
I used a Group as assignee object ID
I have IAM restricted to pipeline with service principal only, so I used the Azure CLI DevOps Task
Task : Azure CLI
Description : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version : 2.208.0
Using PS only this occurs, does not occur with Bash.
Taken from within Azure CLI Task:
"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscript123.ps1'"
az role assignment create --assignee-object-id xxx-xxx-xxx-xxx-xxx --role 'Microsoft Sentinel Responder' --scope '/subscriptions/foobar/resourceGroups/foo-rg/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace)'
Expected behavior
Role assignment created
Environment summary
Additional context