[Enable Azure Monitor for VMs & VMss] Role assignment when using your own User Assigned Identity located in the caf "management" Management Group

[JamesDLD]

Describe the bug The initiative policy "Enable Azure Monitor for Virtual Machine Scale Sets" should assign the needed role to the shared managed identity when the managed identity is in another subscription or management group than the role assignment scope.

• Indeed its a common use case of the CAF that permits to create a shared managed identity located in the "management" Management Group.
• The issue is that if you assign those policies in your "landing-zone" then the policy roles are not applied because the managed identity is in a different scope.
• When we assign the role manually the EPAC removes it because its not in its definition.

To Reproduce We can use a share managed identity through the following parameters of the sub policy "[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets"

• bringYourOwnUserAssignedManagedIdentity: true
• restrictBringYourOwnUserAssignedIdentityToSubscription: false
• userAssignedIdentityResourceId:

Expected behavior Assign the share managed identity to VM and VMss.

Screenshots

EPAC Version 10.4.2 10.5.0

[anwather]

Apologies for the delay - but EPAC doesn't manage permission assignments for user assigned managed identities. In fact looking at the ARM based deployment for ALZ they don't assign permissions for the UAMI in there either.