microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

help needed for AzureResourceGroupDeployment validation failing with Forbidden error #19943

Open haowenfeng123 opened 3 weeks ago

haowenfeng123 commented 3 weeks ago

New issue checklist

Task name

No response

Task version

No response

Issue Description

We used AzureResourceGroupDeployment@2 in our AzureRM validation task and got Forbidden errors. We previously granted the identity the Contributor role, and the pipeline worked successfully. But now the Contributor role cannot be granted to our managed identity because of some security issues. What role or permission should we grant to the managed identity?

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Windows11

Relevant log output

Checking if the following resource group exists: RG_Lore_prod_WestUS2.
Resource group exists: true.
Creating deployment parameters.
The detected encoding for file 'D:\a\_work\1\s\azure\arm-base.template.json' is 'utf-8'
The detected encoding for file 'D:\a\_work\1\s\azure\arm-base.parameters-prod.json' is 'utf-8'
Starting template validation.
Deployment name is arm-base-20240604-053421-a411
(node:7716) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
##[error]Template validation failed. Error: "Multiple error occurred: Forbidden,Forbidden,Forbidden,Forbidden,Forbidden. Please see details.".
Finishing: Validate ARM Template

Full task logs with system.debug enabled

 [REPLACE THIS WITH YOUR INFORMATION] 

Repro steps

No response

v-schhabra commented 2 weeks ago

@haowenfeng123 Could you please share the complete debug logs of the pipeline by setting the variable system.debug to "true"?