neilpeterson / azure-blueprints-pipeline-tasks

MIT License

Give Blueprints SPN owner permissions before creating assignment if using a system-assigned MI #23

Closed ajf214 closed 5 years ago

ajf214 commented 5 years ago

I forgot that when we go through the API we need to give the Blueprint 1st party app (which is an SPN in all tenants) owner permissions on the subscription. This is specifically for the system-assigned managed identity path. We use the first party app to create the system-assigned identity with owner permissions. When an assignment completes, we remove the 1st party app from the subscription so we don’t have standing access.

Here is some more info: https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api#assign-a-blueprint

neilpeterson commented 5 years ago

Fixed in https://github.com/neilpeterson/azure-blueprints-pipeline-tasks/commit/c7e5c3cd1a110258f1010048ef3244395672cab2 by using the Az.Blueprints PowerShell module.
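The sequence described in this issue (temporary Owner grant for the Blueprints first-party SPN, assignment with a system-assigned managed identity, then revocation so there is no standing access), written up as an added PowerShell example that is not code from this repository. It assumes the Az.Accounts, Az.Resources and Az.Blueprints modules, an existing login with rights to manage role assignments on the subscription, that the first-party SPN's display name is 'Azure Blueprints', and the listed transient provisioning-state names.

```powershell
# Added example, not from the repo: grant the Blueprints first-party SPN Owner on the
# subscription, create a system-assigned MI assignment, then always revoke the grant.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $BlueprintName,
    [Parameter(Mandatory)] [string] $AssignmentName,
    [string] $Location = 'westus2'
)

$scope = "/subscriptions/$SubscriptionId"

# The first-party app exists in every tenant; resolve its object id by display name.
# (Display name 'Azure Blueprints' is an assumption of this example.)
$blueprintSpn = Get-AzADServicePrincipal -DisplayName 'Azure Blueprints'
if (-not $blueprintSpn) { throw 'Azure Blueprints service principal not found in this tenant' }

# Step 1: temporary Owner grant so the service can create the system-assigned identity.
$null = New-AzRoleAssignment -ObjectId $blueprintSpn.Id -RoleDefinitionName 'Owner' -Scope $scope

try {
    # Step 2: create the assignment using a system-assigned managed identity.
    $bp = Get-AzBlueprint -SubscriptionId $SubscriptionId -Name $BlueprintName
    $assignment = New-AzBlueprintAssignment -Name $AssignmentName -Blueprint $bp `
        -SubscriptionId $SubscriptionId -Location $Location -SystemAssignedIdentity

    # Poll until the assignment leaves its transient states (state names assumed).
    $transient = @('creating', 'validating', 'waiting', 'deploying', 'locking')
    do {
        Start-Sleep -Seconds 15
        $assignment = Get-AzBlueprintAssignment -Name $AssignmentName -SubscriptionId $SubscriptionId
    } while ($assignment.ProvisioningState -in $transient)
    Write-Host "Assignment '$AssignmentName' finished with state: $($assignment.ProvisioningState)"
}
finally {
    # Step 3: revoke the Owner grant even if the assignment failed, so no standing access remains.
    Remove-AzRoleAssignment -ObjectId $blueprintSpn.Id -RoleDefinitionName 'Owner' -Scope $scope
}
```

Role assignments can take a short while to propagate, so a retry around the assignment call may be needed right after the grant.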