Azure / enterprise-azure-policy-as-code

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline)
https://azure.github.io/enterprise-azure-policy-as-code/
MIT License

EPAC service principal does not have authorization to perform action 'Microsoft.Management/register/action' over scopes #643

Closed johnpetersjr closed 3 months ago

johnpetersjr commented 3 months ago

We recently updated our EPAC code to the latest version 10.2.11 from our old version in use since last year, and we now are getting this error:

Get-AzManagementGroup: /home/vsts/work/1/s/Scripts/Helpers/Build-ScopeTableForDeploymentRootScope.ps1:106

The client '<<snip>>' with object id
'<<snip>>' does not have authorization to
perform action 'Microsoft.Management/register/action' over scope '<<snip>>'

It would seem some additional access is now required for the EPAC scripts to properly register some sort of component as part of the Build-ScopeTableForDeploymentRootScope.ps1 script?

The ADO Service connection we use has 'Resource Policy Contributor' access over the root management group where we apply EPAC. Can someone point me to what new/other built-in Azure Role we need to assign to this service principal, please? My search skills have failed me...

EPAC Version 10.2.11

anwather commented 3 months ago

There is a custom role you can use for this https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-app-registrations/#custom-epac-resource-policy-reader-role - there were some recent changes which required a change in the role.
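Before or after switching the service connection to the custom role, it helps to confirm what the identity can actually do at the deployment root, since the error above is a plain RBAC denial on `Microsoft.Management/register/action`. The following PowerShell is an added example, not part of the EPAC project or this thread. It assumes the Az.Resources module is installed, `Connect-AzAccount` has already been run with an identity that can read role assignments, and that the function name, parameter names and the placeholder object id and management group name are all hypothetical.

```powershell
# Added example (not EPAC project code). Resolves every role assignment that
# applies to a service principal at a management group scope (direct and
# inherited) and reports which role definitions permit a given action.

function Test-AzActionPattern {
    param([string] $Pattern, [string] $Action)
    # Azure RBAC action strings use '*' as their only wildcard; turn the
    # pattern into an anchored regex so "Microsoft.Management/*" matches
    # "Microsoft.Management/register/action" but "*/read" does not.
    $regex = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    return ($Action -match $regex)   # -match is case-insensitive by default
}

function Test-SpnActionAtManagementGroup {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,             # SPN object id behind the ADO service connection
        [Parameter(Mandatory)] [string] $ManagementGroupName,  # EPAC deployment root management group
        [string] $RequiredAction = 'Microsoft.Management/register/action'  # action named in the error
    )

    $scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

    # -Scope returns assignments at this scope and those inherited from parents.
    # Add -ExpandPrincipalGroups if the SPN receives rights through group membership.
    $assignments = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $scope

    $granting = @()
    foreach ($assignment in $assignments) {
        $definition = Get-AzRoleDefinition -Id $assignment.RoleDefinitionId

        # An action is permitted only if some Actions entry matches it and no
        # NotActions entry excludes it again.
        $allowed = @($definition.Actions    | Where-Object { Test-AzActionPattern $_ $RequiredAction }).Count -gt 0
        $denied  = @($definition.NotActions | Where-Object { Test-AzActionPattern $_ $RequiredAction }).Count -gt 0

        if ($allowed -and -not $denied) {
            $granting += "$($definition.Name) (assigned at $($assignment.Scope))"
        }
    }

    [pscustomobject]@{
        ObjectId        = $ObjectId
        Scope           = $scope
        RequiredAction  = $RequiredAction
        AssignedRoles   = @($assignments | ForEach-Object { $_.RoleDefinitionName } | Sort-Object -Unique)
        GrantedBy       = $granting
        HasAction       = ($granting.Count -gt 0)
    }
}

# Usage (placeholders, replace with your own values):
# Test-SpnActionAtManagementGroup -ObjectId '<spn-object-id>' -ManagementGroupName '<epac-root-mg>'
```

If `HasAction` comes back `$false` while `AssignedRoles` lists only the built-in role the pipeline was using, the denial in the log is explained by the role definition alone and the fix is the custom role from the linked documentation rather than anything in the EPAC scripts. The same function can be pointed at any other action that appears in a later denial message by changing `-RequiredAction`.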

johnpetersjr commented 3 months ago

Perfect, thank you! I will try it out and report back!

johnpetersjr commented 3 months ago

Working like a champ! Thank you so much for the directions to the custom policy!