Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

[Network 2023-04-01] Network Manager issue when specifying a Management Group ID #25774

Open mbfrahry opened 1 year ago

mbfrahry commented 1 year ago

I'm seeing an issue when trying to create a Network Manager scoped to a nested Management Group.

I'm passing in

{
    "location": "eastus",
    "name": "test",
    "properties": {
        "description": "network manager created through terraform",
        "networkManagerScopeAccesses": ["Connectivity"],
        "networkManagerScopes": {
            "managementGroups": ["/providers/Microsoft.Management/managementGroups/XXX-XXX-XXX-XXXX"],
            "subscriptions": []
        }
    },
    "tags": {}
}

and getting back the following error

{
    "error": {
        "message": "Resource [/providers/Microsoft.Management/managementGroups/XXXX-XXXX-XXXX] is not within tenant [tenant-id]",
        "code": "BadRequest"
    }
}

That Management Group is under the specified tenant and if I go to the portal to create a Network Manager, that management group id is selectable and the network manager creates without issue.

After I do that initial creation in the portal, I am now free to create Network Managers with the specified management group.

Is there a way for the management group to be used as the network manager scope without having to first create the network manager with that scope through the portal?

jago2136 commented 1 year ago

Hi Matthew,

In order to use a management group within a network manager scope, you must first register it with the Microsoft.Network resource provider namespace. More details here https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope.

In Azure Portal we are able to perform this registration behind the scenes when you create your network manager. But if you register manually, your above request should be able to succeed.

I can open a repair item for the AvNM service to return a more informative error message (suggest the customer register the scope, rather than this false assumption that the scope is not within the tenant); other than that this is by design.
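
The registration step described in the comment above, as an added example that is not part of the original thread or the project's code. It reads the management group IDs out of a Network Manager request body and builds the register-at-management-group-scope call for each one. The `2021-04-01` API version, the function names, the sample group name `example-mg` and the bearer token parameter are assumptions.

```python
import re
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2021-04-01"  # assumption: a version the register operation accepts
MG_ID = re.compile(r"^/providers/Microsoft\.Management/managementGroups/([^/]+)/?$", re.I)


def management_group_names(payload):
    """Return the management group names in a Network Manager request body."""
    scopes = payload.get("properties", {}).get("networkManagerScopes", {})
    names = []
    for scope in scopes.get("managementGroups") or []:
        match = MG_ID.match(scope)
        if not match:  # e.g. a subscription ID placed in the wrong list
            raise ValueError(f"not a management group resource ID: {scope!r}")
        names.append(match.group(1))
    return names


def register_url(group_name, namespace="Microsoft.Network"):
    """Build the POST URL that registers a provider at management group scope."""
    return (f"{ARM}/providers/Microsoft.Management/managementGroups/{group_name}"
            f"/providers/{namespace}/register?api-version={API_VERSION}")


def register_scopes(payload, token):
    """POST the registration for each management group (needs network access)."""
    statuses = {}
    for name in management_group_names(payload):
        request = urllib.request.Request(
            register_url(name), data=b"", method="POST",
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(request) as response:
            statuses[name] = response.status
    return statuses

# Constructed sample body shaped like the request in the issue (placeholder group name).
SAMPLE = {"location": "eastus", "properties": {
    "networkManagerScopeAccesses": ["Connectivity"],
    "networkManagerScopes": {
        "managementGroups": ["/providers/Microsoft.Management/managementGroups/example-mg"],
        "subscriptions": []}}}

if __name__ == "__main__":
    for name in management_group_names(SAMPLE):
        print("POST", register_url(name))
```

Running the file only prints the URLs; `register_scopes` sends the requests and needs a token for an identity allowed to register providers on the management group.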

mbfrahry commented 1 year ago

Ohhh good to know @jago2136!

Changing that error message to be more informative would be appreciated!