Open FallenHoot opened 4 years ago
@FallenHoot Thanks for listing the fix, I will file a bug for this. Was the fix able to resolve all the issues you were facing?
I think this error happens only if you rerun the ARM template but we do not clean up the existing service principal prior to redeploying. My tests so far (6+) on empty subs have had no such problem.
When running Empty Subscription it fails 100% at this step.
Issue:

```
Performing the operation "Creating Deployment" on target "WVDDEMO".
New-AzResourceGroupDeployment: /home/vsts/work/1/s/SharedDeploymentFunctions/Invoke-GeneralDeployment.ps1:76
Line 76 | New-AzResourceGroupDeployment @DeploymentInputs -Resource
Error: Code=InvalidTemplateDeployment; Message=The template deployment failed with error: 'Authorization failed for template resource 'profiles1005t101022z/default/wvdprofiles/Microsoft.Authorization/65d15962-70b1-5e79-9a0d-47e9cad494fa' of type 'Microsoft.Storage/storageAccounts/fileServices/fileshares/providers/roleAssignments'. The client 'SERVICEACCOUNT' with object id 'SERVICEACCOUNT' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/WVDSUBSCRIPTION/resourceGroups/WVDDEMO/providers/Microsoft.Storage/storageAccounts/profiles1005t101022z/fileServices/default/fileshares/wvdprofiles/providers/Microsoft.Authorization/roleAssignments/65d15962-70b1-5e79-9a0d-47e9cad494fa'.'.
[error]PowerShell exited with code '1'.
Script Execution Complete
```
Fix: Remove anything that has to do with New-AzManagementGroupDeployment or ManagementGroupID. It is not created, and if it was created, it should have a parameter, as it will fail each time.
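
Added example, not part of the original issue or the project's code: a pre-flight check that the pipeline's service principal actually holds the action named in the error before `New-AzResourceGroupDeployment` runs. The function name `Test-AzActionAllowed` and the placeholder ids are hypothetical; it assumes the Az.Resources module and an authenticated context.

```powershell
# Added example. Evaluates only direct role assignments for the principal;
# it does not evaluate deny assignments, role assignment conditions, or group membership.
function Test-AzActionAllowed {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,  # object id of the deploying service principal
        [Parameter(Mandatory)] [string] $Scope,     # resource id of the target scope
        [string] $Action = 'Microsoft.Authorization/roleAssignments/write'
    )

    # With -Scope, assignments at that scope and those inherited from parent scopes are returned.
    $assignments = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope

    foreach ($assignment in $assignments) {
        # Use the trailing GUID whether the id is bare or a full resource path.
        $roleId     = ($assignment.RoleDefinitionId -split '/')[-1]
        $definition = Get-AzRoleDefinition -Id $roleId

        # Actions and NotActions may contain wildcards; -like is case-insensitive.
        $granted  = @($definition.Actions    | Where-Object { $Action -like $_ })
        $excluded = @($definition.NotActions | Where-Object { $Action -like $_ })

        if ($granted.Count -gt 0 -and $excluded.Count -eq 0) {
            return [pscustomobject]@{
                Allowed = $true
                Role    = $definition.Name
                Scope   = $assignment.Scope
            }
        }
    }

    # No assignment grants the action without also excluding it.
    [pscustomobject]@{ Allowed = $false; Role = $null; Scope = $Scope }
}

# Usage with placeholder values (replace before running):
# $check = Test-AzActionAllowed -ObjectId '<service-principal-object-id>' `
#     -Scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'
# if (-not $check.Allowed) {
#     throw "Service principal cannot write role assignments at $($check.Scope)"
# }
```

The built-in Contributor role lists `Microsoft.Authorization/*/Write` under NotActions, so a service principal that is only Contributor on the resource group returns `Allowed = $false` here and would hit the same authorization error during deployment.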