Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

Failing stack deployment, pointing towards an internal Microsoft identity called `Azure Deployments` with permission issues #187

Open erwinkramer opened 1 month ago

erwinkramer commented 1 month ago

Describe the bug

Failing stack deployment, pointing towards an internal Microsoft identity called Azure Deployments with app id 3b990c8b-9607-4c2a-8b04-1d41985facca. This app is completely unknown to me, it's not my identity, not our tenant's. It's only present as an Enterprise App in our environment, so it makes sense that we don't give it permissions.

To Reproduce

Make this main.bicep:

import * as exemptionTypes from 'types/exemption.bicep'

targetScope = 'subscription'

param exemptions exemptionTypes.XPolicyExemption[] = [
  {
    description: 'test_erwin'
    displayName: 'test_erwin'
    exemptionCategory: 'Mitigated'
    expiresOn: ''
    metadata: null
    policyAssignmentId: 'ADD YOUR ASSIGNMENT ID'
    policyDefinitionReferenceIds: ['ADD YOUR REFERENCE ID']
    resourceName: 'test_erwin'
    resourceSelectors: null
    scopeResourceGroupName: 'REPLACE WITH RG NAME'
    scopeSubscriptionId: 'REPLACE WITH SUB ID'
    scopeType: 'resourceGroup'
  }
]

module exemptionModuleForResourceGroups 'modules/exemption-rg.bicep' = [
  for exemption in filter(exemptions, i => i.scopeType == 'resourceGroup'): {
    scope: resourceGroup(exemption.scopeSubscriptionId, exemption.scopeResourceGroupName)
    name: exemption.resourceName
    params: {
      exemption: exemption
    }
  }
]

Make the following modules/exemption-rg.bicep module:

import * as exemptionTypes from '../types/exemption.bicep'

targetScope = 'resourceGroup'

param exemption exemptionTypes.XPolicyExemption

resource azurePolicyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: exemption.resourceName
  scope: resourceGroup()
  properties: {
    policyAssignmentId: exemption.policyAssignmentId
    policyDefinitionReferenceIds: exemption.policyDefinitionReferenceIds
    exemptionCategory: exemption.exemptionCategory
    expiresOn: exemption.expiresOn
    displayName: exemption.displayName
    description: exemption.description
  }
}

and the type types/exemption.bicep:

type policyExemption = resource<'Microsoft.Authorization/policyExemptions@2022-07-01-preview'>.properties

@export()
@description('X Azure Policy Exemption')
type XPolicyExemption = {
  @description('Resource name, or object name of the exemption.')
  resourceName: string
  scopeType: 'subscription' | 'resourceGroup'
  scopeSubscriptionId: string
  @description('The resource group name, for instance `rg-test`.')
  scopeResourceGroupName: string
  description: policyExemption.description
  displayName: policyExemption.displayName
  exemptionCategory: policyExemption.exemptionCategory
  expiresOn: policyExemption.expiresOn
  metadata: string[]?
  policyAssignmentId: policyExemption.policyAssignmentId
  policyDefinitionReferenceIds: policyExemption.policyDefinitionReferenceIds
  resourceSelectors: policyExemption.resourceSelectors?
}

Deploy as a stack to failure:

az stack sub create `
    --name "test-yourstack" `
    --location "westeurope" `
    --description "Deployed by test." `
    --template-file bicep\main.bicep `
    --deny-settings-mode "none" `
    --action-on-unmanage "deleteAll" `
    --yes

Throws (capital words are added to hide our IDs):

{
    "code": "DeploymentFailed",
    "target": "/subscriptions/SOME_ID/resourceGroups/test/providers/Microsoft.Resources/deployments/test",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
        {
            "code": "LinkedAuthorizationFailed",
            "message": "The client 'ef592522-62d5-4b18-bc85-6d07805fd6f6' with object id 'ef592522-62d5-4b18-bc85-6d07805fd6f6' has permission to perform action 'Microsoft.Authorization/policyExemptions/write' on scope '/subscriptions/SUB_ID/resourcegroups/test/providers/Microsoft.Authorization/policyExemptions/test'; however, it does not have permission to perform action(s) 'Microsoft.Authorization/policyAssignments/exempt/action' on the linked scope(s) '/providers/Microsoft.Management/managementGroups/REMOVED_MG_ID/providers/Microsoft.Authorization/policyAssignments/SOME_ASSIGNMENT_NAME' (respectively) or the linked scope(s) are invalid."
        }
    ]
}

The following works with the same bicep, so there's nothing really wrong with the bicep itself:

az deployment sub create `
    --name "test-erwin" `
    --location "westeurope" `
    --template-file bicep\main.bicep

To be clear, I'm using az login and my own user account with both the working and the failing statement, so no service principal is involved on our side.

Expected behavior

The stack should not fail. It does create a stack now, but in a failed state for the Deployment resource.

Repro Environment

azure-cli version: 2.63.0
Bicep CLI version: 0.29.47

Server Debugging Information

Correlation ID: c1676b37-4c47-4a9a-b0eb-8a879f1b0e98
Tenant ID: 9ecbd628-0072-405d-8567-32c6750b0d3e
Timestamp of issue (please include time zone): 8/28/2024, 5:07:01 PM (CET)
Data Center (eg, West Central US, West Europe): west europe
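The LinkedAuthorizationFailed payload above names the principal, the action it already has, the action it lacks and the linked scope that needs it. As an added example (not part of this issue or the deployment-stacks project), the Python helper below parses that payload so a reviewer can see which identity would need which action at which scope, and builds a least-privilege custom role for the case where that principal is one you own, instead of reaching for a broad built-in role. The sample error and all IDs in it are constructed placeholders.

```python
import re

# Constructed sample shaped like the error in the issue; the IDs are placeholders, not real values.
SAMPLE_ERROR = {"code": "DeploymentFailed", "details": [{
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'CLIENT_ID' with object id 'OBJECT_ID' has permission to perform action "
               "'Microsoft.Authorization/policyExemptions/write' on scope '/subscriptions/SUB_ID/resourcegroups/"
               "test/providers/Microsoft.Authorization/policyExemptions/test'; however, it does not have permission "
               "to perform action(s) 'Microsoft.Authorization/policyAssignments/exempt/action' on the linked scope(s) "
               "'/providers/Microsoft.Management/managementGroups/MG_ID/providers/Microsoft.Authorization/"
               "policyAssignments/ASSIGNMENT' (respectively) or the linked scope(s) are invalid.",
}]}

# Assumption: multiple missing actions or linked scopes appear as a comma-separated list of quoted values.
LINKED_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<oid>[^']+)' has permission to perform action "
    r"'(?P<action>[^']+)' on scope '(?P<scope>[^']+)'; however, it does not have permission to perform "
    r"action\(s\) (?P<missing>'[^']+'(?:, '[^']+')*) on the linked scope\(s\) (?P<linked>'[^']+'(?:, '[^']+')*)")


def find_linked_auth_failures(error):
    """Walk the nested ARM 'details' tree; return one record per LinkedAuthorizationFailed entry."""
    found, todo = [], [error]
    while todo:
        node = todo.pop()
        m = LINKED_RE.search(node.get("message", "")) if node.get("code") == "LinkedAuthorizationFailed" else None
        if m:
            found.append({"client_id": m["client"], "object_id": m["oid"],
                          "performed_action": m["action"], "performed_scope": m["scope"],
                          "missing_actions": re.findall(r"'([^']+)'", m["missing"]),
                          "linked_scopes": re.findall(r"'([^']+)'", m["linked"])})
        todo.extend(node.get("details") or [])
    return found


def hosting_scope(resource_id):
    """Strip the '/providers/Microsoft.Authorization/...' tail to get the scope that hosts the linked resource."""
    i = resource_id.lower().find("/providers/microsoft.authorization/")
    return resource_id if i < 0 else resource_id[:i]


def least_privilege_role(failure, role_name):
    """Custom role definition granting only the missing action(s), assignable only at the hosting scope(s)."""
    return {"Name": role_name, "IsCustom": True, "NotActions": [],
            "Actions": sorted(set(failure["missing_actions"])),
            "AssignableScopes": sorted({hosting_scope(s) for s in failure["linked_scopes"]})}
```

When the extracted client id is not a principal you manage (as with the first-party app in this issue), the role definition is not something to apply; the parsed record is then what you hand over when escalating to the service owner.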

dantedallag commented 1 month ago

Thanks, @erwinkramer. We are looking into this.

erwinkramer commented 1 month ago

I did some other tests to confirm the deployment stack permission scope isn't limited to the subscription (which makes some sense if I interpret the docs). So, I did az stack mg create on the same management group that hosts the Azure Policies and assignments, so every resource the deployment stack process has to reach is on the same level, or lower. But still, it gives the same permission error, with correlation id d506bf15-7dec-407a-97d2-1ad9787f9d87.

Xynoclafe commented 1 month ago

@erwinkramer The mg-scoped stack deployment that you did, was there any deployment scope property set on it, or was it deployed to the same mg scope as well?

erwinkramer commented 1 month ago

@Xynoclafe Same scope, no explicit reference.

Xynoclafe commented 1 week ago

A fix for this issue has been checked in and should be deployed and ready to use over the coming few weeks.