aztfmod / rover

The rover is a docker container in charge of the deployment of the Terraform platform engineering for Azure
MIT License

inherited ownership of azure subscription from parent management group is not recognized #255

Closed daryltanwk closed 2 years ago

daryltanwk commented 2 years ago

Bug Report

Reported Behavior

When attempting to run rover plan for the launchpad subscription, the following error is displayed:

No launchpad found. Deploying from scratch the launchpad
@calling initialize_state
Checking required permissions
@checking if current user (object_id: ) is Owner of the subscription - only for launchpad
WARNING: The underlying Active Directory Graph API will be replaced by Microsoft Graph API in a future version of Azure CLI. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
Error on or near line 309: the current account must have Owner privilege on the subscription to deploy launchpad.; exiting with status 2

Expected Behavior

The rover command should execute successfully.

Reproduction

Steps to reproduce or witness the behavior:

  1. Create Management Group, set ownership to User
  2. Place a subscription inside the MG.
  3. Attempt deployment of launchpad via rover
  4. See error
  5. Explicitly set User as the Owner of the subscription object
  6. Attempt deployment with no other changes
  7. Command executes successfully

Suggestions

Do you have any suggestions how to address this bug?

Modify the permission validation checks in rover to also accept ownership inherited from parent management groups.
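What the suggested fix amounts to, as an added shell example (not rover's own code): a launchpad-style Owner check that accepts an Owner assignment inherited from a parent management group, next to the subscription-only behaviour the report describes. The `--include-inherited` flag of `az role assignment list` is real; the `az` function, the subscription, object and management-group ids are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Constructed stand-in for the Azure CLI so this runs without a tenant. Delete the
# function to use the real `az`. It mimics `az role assignment list --query
# '[].[roleDefinitionName,scope]' -o tsv`: like the real CLI, assignments at parent
# scopes are only returned when --include-inherited is passed.
FAKE_DIRECT_ROWS=${FAKE_DIRECT_ROWS:-"$(printf 'Reader\t/subscriptions/00000000-0000-0000-0000-000000000000')"}
FAKE_INHERITED_ROWS=${FAKE_INHERITED_ROWS:-"$(printf 'Owner\t/providers/Microsoft.Management/managementGroups/platform-mg')"}
az() {
  printf '%s\n' "$FAKE_DIRECT_ROWS"
  for arg in "$@"; do
    [ "$arg" = --include-inherited ] && printf '%s\n' "$FAKE_INHERITED_ROWS"
  done
}

# check_owner SUBSCRIPTION_ID OBJECT_ID [yes|no]
# Returns 0 when OBJECT_ID holds Owner on the subscription. With "no" only an
# assignment at the subscription scope itself counts (the behaviour in the report);
# with "yes" (default) Owner on a parent management group or on the tenant root
# scope "/" is accepted too. Owner on a child scope such as a resource group never
# qualifies, because the launchpad needs Owner on the whole subscription.
check_owner() {
  sub_id=$1 object_id=$2 allow_inherited=${3:-yes}
  sub_scope="/subscriptions/$sub_id"
  if [ "$allow_inherited" = yes ]; then set -- --include-inherited; else set --; fi
  rows=$(az role assignment list --assignee "$object_id" --scope "$sub_scope" "$@" \
           --query '[].[roleDefinitionName,scope]' -o tsv)
  tab=$(printf '\t')
  old_ifs=$IFS
  IFS='
'
  for row in $rows; do
    role=${row%%"$tab"*}
    scope=${row#*"$tab"}
    [ "$role" = Owner ] || continue
    case "$scope" in
      "$sub_scope")
        IFS=$old_ifs; echo "Owner assigned directly on $sub_scope"; return 0 ;;
      /|/providers/Microsoft.Management/managementGroups/*)
        if [ "$allow_inherited" = yes ]; then
          IFS=$old_ifs; echo "Owner inherited from $scope"; return 0
        fi ;;
    esac
  done
  IFS=$old_ifs
  echo "the current account must have Owner privilege on the subscription to deploy launchpad." >&2
  return 1
}
```

Run as `check_owner <subscription-id> <object-id> yes` against the real CLI (with the stand-in function removed) to see whether a management-group Owner is visible to the principal you deploy with.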

LaurentLesle commented 2 years ago

The API we are using does not give the effective permission on the subscription when it has been assigned at the management group.

For now, I suggest you add the following flag to your rover command to skip the verification step:

--skip-permission-check

LaurentLesle commented 2 years ago

Closing as answer provided.

macroramesh6 commented 10 months ago

Given that --skip-permission-check is currently only checked as a launchpad, doesn't it make sense to have this check by default in shell scripts as well?