Azure / azure-monitor-baseline-alerts

Azure Monitor Baseline Alerts
MIT License

[General workload issue]: #417

Open vivsri opened 2 days ago

vivsri commented 2 days ago

Check for previous/existing GitHub issues

Issue Type?

Feature Request

Description

Hi Bruno, just a quick question around the VM initiative, as it's presently located only at the landing zone scope. I tested it out by duplicating the assignment to the management sub and it works like a charm. On the other hand, if I try the same trick on another subscription, the remediation fails as it complains the System Assigned ID has no permission over the managed identity, which lives in the management sub. This is not a problem if the VM belongs in a management sub, so I created another MI in the other sub where my VM lives, and now the remediation works. Is this okay to do, as I'm not sure about the policy definitions and logic? And can we please have the initiative available at all possible levels, including Identity, where I'm running an Entra Connect VM?

Brunoga-MS commented 2 days ago

Hello @vivsri, thanks for your feedback. What you describe looks good to be done. We already have a similar ask (see #399) and we are working on it. My question is: other than the Management MG, do you see any other MG which would benefit from the VM alerts assignment?

Thanks, Bruno.

vivsri commented 2 days ago

Hi @Brunoga-MS, thanks for the reply. I was referring to the Identity sub or the MG above it, where I have an Entra Connect VM running. So if I understand it right, we need a Managed Identity locally in the sub for the alert rules to be created, and it won't work at the Landing Zone MG level either, as we are using the identity which exists only in the Management sub.

Brunoga-MS commented 2 days ago

You could also have an MI created in the management subscription but with permissions assigned at the pseudoRootMG level, like the deployment of AMBA does when not using your own MI. Hence, if using your own MI, there is no need to create more than one; just assign the necessary permissions at the pseudoRootMG.

Thanks, Bruno.
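The approach Bruno describes above, as an added example that is not AMBA's own deployment code: one user-assigned managed identity is created in the management subscription, it is granted, at the pseudo-root management group, exactly the roles that the VM initiative's DeployIfNotExists policies declare in their `roleDefinitionIds`, and it is then used as the identity of an initiative assignment at a different management group (here the one above the Identity subscription) so remediation can run there without a second identity. Every name below (management group names, subscription id, initiative name, identity name, resource group, region) is an assumption or placeholder, and the `Get-PolicyProp` helper assumes the Az.Resources policy output shapes where properties sit either under `.Properties` or at top level.

```powershell
# Added example (not AMBA's or the project's own code). All names are assumptions/placeholders.
Import-Module Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.PolicyInsights

$PseudoRootMg    = 'contoso'                        # assumed pseudo-root / intermediate root MG
$TargetMg        = 'contoso-identity'               # assumed MG above the Identity subscription
$ManagementSubId = '<management-subscription-id>'   # placeholder, not a real id
$InitiativeName  = '<vm-initiative-name>'           # placeholder: name of the VM policy set definition
$IdentityName    = 'id-amba-vm'                     # assumed user-assigned MI name
$IdentityRg      = 'rg-amba-identity'               # assumed resource group in the management sub
$Location        = 'westeurope'
$PseudoRootScope = "/providers/Microsoft.Management/managementGroups/$PseudoRootMg"

# Az.Resources changed its policy cmdlet output shape between versions: older releases nest
# policy properties under .Properties, newer ones expose them at top level. Handle both.
function Get-PolicyProp($obj, [string]$name) {
    if ($null -ne $obj.PSObject.Properties[$name]) { return $obj.$name }
    return $obj.Properties.$name
}

# Collect the role definition IDs every policy in the initiative declares in
# then.details.roleDefinitionIds. Assigning exactly these keeps the identity least-privilege;
# assigning them at the pseudo-root makes them inherited by every child subscription.
function Get-InitiativeRoleDefinitionIds([string]$setName, [string]$mgName) {
    $set = Get-AzPolicySetDefinition -Name $setName -ManagementGroupName $mgName
    $roleIds = foreach ($ref in (Get-PolicyProp $set 'PolicyDefinitions')) {
        $def  = Get-AzPolicyDefinition -Id $ref.policyDefinitionId
        $rule = Get-PolicyProp $def 'PolicyRule'
        $rule.then.details.roleDefinitionIds
    }
    # Values look like /providers/Microsoft.Authorization/roleDefinitions/<guid>; keep the guid.
    return $roleIds | Where-Object { $_ } | ForEach-Object { ($_ -split '/')[-1] } | Sort-Object -Unique
}

# Idempotently grant each role to the identity at the given scope. A freshly created MI can
# take a few seconds to replicate to Entra ID, so the first assignment is retried.
function Grant-RolesAtScope([string]$principalId, [string[]]$roleIds, [string]$scope) {
    foreach ($roleId in $roleIds) {
        $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $scope -ErrorAction SilentlyContinue |
                    Where-Object { $_.Scope -eq $scope }
        if ($existing) { continue }
        for ($attempt = 1; $attempt -le 6; $attempt++) {
            try {
                New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $scope -ErrorAction Stop | Out-Null
                break
            } catch {
                if ($attempt -eq 6) { throw }
                Start-Sleep -Seconds 10
            }
        }
    }
}

# 1. Create (or reuse) the single identity in the management subscription.
Set-AzContext -SubscriptionId $ManagementSubId | Out-Null
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $IdentityRg -Name $IdentityName -ErrorAction SilentlyContinue
if (-not $mi) {
    $mi = New-AzUserAssignedIdentity -ResourceGroupName $IdentityRg -Name $IdentityName -Location $Location
}

# 2. Grant the roles the initiative needs at the pseudo-root, not at the management sub.
$roleIds = Get-InitiativeRoleDefinitionIds -setName $InitiativeName -mgName $PseudoRootMg
Grant-RolesAtScope -principalId $mi.PrincipalId -roleIds $roleIds -scope $PseudoRootScope

# 3. Assign the initiative at the other MG using that identity (no second MI needed).
$set         = Get-AzPolicySetDefinition -Name $InitiativeName -ManagementGroupName $PseudoRootMg
$targetScope = "/providers/Microsoft.Management/managementGroups/$TargetMg"
$assignment  = Get-AzPolicyAssignment -Name "$InitiativeName-$TargetMg" -Scope $targetScope -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name "$InitiativeName-$TargetMg" -Scope $targetScope `
        -PolicySetDefinition $set -Location $Location -IdentityType UserAssigned -IdentityId $mi.Id
}
$assignmentId = if ($assignment.PSObject.Properties['PolicyAssignmentId']) { $assignment.PolicyAssignmentId } else { $assignment.Id }

# 4. Remediation of an initiative is per policy reference, so start one task per reference.
foreach ($ref in (Get-PolicyProp $set 'PolicyDefinitions')) {
    Start-AzPolicyRemediation -Name ("rem-" + $ref.policyDefinitionReferenceId).ToLower() `
        -ManagementGroupName $TargetMg -PolicyAssignmentId $assignmentId `
        -PolicyDefinitionReferenceId $ref.policyDefinitionReferenceId | Out-Null
}
```

Two practical checks before running this: the account running it needs Owner or User Access Administrator at the pseudo-root MG to create the role assignments there, and if remediation still reports that the assignment identity has no permission, compare the scopes returned by `Get-AzRoleAssignment -ObjectId $mi.PrincipalId` against the MG hierarchy; a role granted only at the management subscription is invisible to VMs in sibling subscriptions, which is the symptom described in this thread.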

vivsri commented 2 days ago

Thanks, exactly my point. When I run AMBA, I get an MI created by default in the MG sub, with permissions as Monitoring Reader at the pseudo root or the IR (Intermediate Root), but the remediation fails for any VMs that are not in the MG sub. In order to make the remediation work I need to supply an MI residing locally in the sub.

Brunoga-MS commented 2 days ago

It shouldn't fail. We need to investigate this more. I will get back to you as soon as possible.

vivsri commented 2 days ago

Many thanks, that was my reason for asking why I need to create an additional MI.