Fixes #496, I'm fairly sure I caught all references.
Updated documentation
Updated images
Updated New-AzPolicyReaderRole script
The sc-pac-plan App Registration (Via) does not receive the Microsoft.Authorization/roleAssignments/read role when given the custom EPAC Resource Policy Reader Role (Via), which is required to list role assignments on management groups. This causes the Plan stage to fail enumerating role assignments, leading to a warning during Plan, and always requiring the Deploy Roles stage to run when using a more advanced pipeline.
This role is defined in documentation in:

https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-app-registrations/#custom-epac-resource-policy-reader-role

https://azure.github.io/enterprise-azure-policy-as-code/create-policy-reader-role/
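A way to check a custom role definition for the permission discussed above before assigning it to the plan identity, as an added example that is not part of the original PR or the EPAC project. The role JSON is constructed for illustration and is not the actual action list of the EPAC Resource Policy Reader role; `Test-RoleGrantsAction` is a hypothetical helper name.

```powershell
# Constructed role definition for illustration only; NOT the real action list
# of the EPAC Resource Policy Reader role.
$roleJson = @'
{
  "Name": "Example Policy Reader (constructed)",
  "Actions": [
    "Microsoft.Authorization/policyAssignments/read",
    "Microsoft.Authorization/policyDefinitions/read",
    "Microsoft.Authorization/policySetDefinitions/read"
  ],
  "NotActions": []
}
'@

# Hypothetical helper: returns $true when the role effectively grants $Action.
# Azure RBAC semantics: an action is granted if it matches an entry in Actions
# (entries may contain '*' wildcards) and matches no entry in NotActions.
function Test-RoleGrantsAction {
    param(
        [Parameter(Mandatory)] $RoleDefinition,
        [Parameter(Mandatory)] [string] $Action
    )
    $allowed = $false
    foreach ($pattern in @($RoleDefinition.Actions)) {
        # -like is case-insensitive and treats '*' as a wildcard
        if ($Action -like $pattern) { $allowed = $true; break }
    }
    if (-not $allowed) { return $false }
    foreach ($pattern in @($RoleDefinition.NotActions)) {
        if ($Action -like $pattern) { return $false }
    }
    return $true
}

# The permission named in this PR as required to list role assignments.
$required = 'Microsoft.Authorization/roleAssignments/read'
$role = $roleJson | ConvertFrom-Json

# Before the fix: the constructed role lacks the action, so Plan cannot
# enumerate role assignments.
"Before: {0}" -f (Test-RoleGrantsAction -RoleDefinition $role -Action $required)

# After adding the action to the role definition, the check passes.
$role.Actions += $required
"After:  {0}" -f (Test-RoleGrantsAction -RoleDefinition $role -Action $required)
```

To run the same check against a deployed role, pass the object returned by `Get-AzRoleDefinition`, which exposes the same `Actions` and `NotActions` properties.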