Could not create role assignment to the managed identity of a Policy Initiative

[ptsouk]

When deploying a Policy Set definition referencing Policy definitions with the "DeployIfNotExists", I get the following:

##[debug]----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
Could not find role definition ids for adding role assignments to the managed identity. Definition Id : /providers/Microsoft.Management/managementGroups/ES/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit
----------------------------------------------------------------------------------------------------
##[debug]----------------------------------------------------------------------------------------------------
##[debug]No role assignments needs to be created
##[debug]----------------------------------------------------------------------------------------------------

It seems it is trying to find a "roleDefinitionIds": in the policySet Definition. The managed identity of the initiative's assignment gets created but without any role assignment. If I try to deploy an assignment of the referenced policy, the created managed identity for the policy assignment has the defined role assigned - as expected.

Can you please check ?

[sbugalski]

Show your roles definitions and assigmnet files. it will be easier :)

But there is a chance you have same issue as us (but we did not get the message).

[ptsouk]

The policies I try to deploy are grabbed from the enterprise scale deployment. Here is the Policy Initiative: Enforce-EncryptTransit and here the mentioned policy referenced in the policy set: Deploy-Storage-sslEnforcement

[ptsouk]

The action processes the assignment of the policy and creates the managed identity with the role assigned.

If I do the same with the policy set assignment, the managed identity gets created but without any role assigned.

[ptsouk]

Do you have any update on this? Do you require more info? Thanks!

[sbugalski]

Hi, policy assignment is not done when deployment scope is Management Group (even when Service Principal has Owner role at Root MG scope).

[tauhid621]

@ptsouk For now Policy Remediation is only supported for policy definition. Support for policy set definition has not been added yet. Will add this to our backlog.

[sbugalski]

@tauhid621 - i think you confused threads

[sbugalski]

I confirm the action still does not assign permissions to Management Group scope. Managed Identity exists in AAD, but role assignments is not done.

[github-actions[bot]]

This issue is idle because it has been open for 14 days with no activity.

[ptsouk]

@tauhid621 Thank you for your response. Do you have any ETA? Up until now, I wasn't able to re-check.

[github-actions[bot]]

This issue is idle because it has been open for 14 days with no activity.

[PleaseStopAsking]

Any update on this issue? Still seems to be an issue when deploying initiatives with a MSI. The workaround at this time is to manually go into the Azure portal, open the Initiative definition where you will be prompted to fix the assignment of the MSI manually.