Unable to Import Blueprint using PowerShell

Parmar, Piyush 0 Reputation points
2021-12-29T11:51:03.493+00:00

I have created a Blueprint, myblueprint1, in tenant1. The scope of the Blueprint is at subscription level. The Blueprint contains custom policies as Artifacts. I am able to successfully import the Blueprint using PowerShell with the identity of the global administrator of Tenant1.
Further, I have provided an external guest identity, myguest2, with the roles of Blueprint operator and security admin on subscription1 in Tenant1.
The myguest2 account is assigned the global administrator role in Tenant2.
When logged into the Azure portal using the myguest2 account, I am able to view the Blueprints successfully. I am also able to view the contents of subscription1 using PowerShell. However, when I try to import myblueprint1 in Tenant2 -> subscription 2, it fails with the error:

Import-AzBlueprintWithArtifact : The client has permission to perform action 'Microsoft.Authorization/policySetDefinitions/read' on scope '/subscriptions/Guid-Subscription2', however the current tenant
'Guid - Tenant2' is not authorized to access linked subscription 'Guid-Tenant1'.
At line:1 char:1
+ Import-AzBlueprintWithArtifact -Name MyTagsBlueprint -InputPath .\MyT ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Import-AzBlueprintWithArtifact], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Blueprint.Cmdlets.ImportAzureRmBlueprint

How can I authorize Tenant2 to access the resources (Blueprints) in Tenant1?


1 answer

  1. Monalla-MSFT 11,551 Reputation points
    2022-01-19T21:38:21.23+00:00

    Hello anonymous user - Thanks for reaching out

    We haven't received any email from you and are hoping that the issue is resolved.

    Once you have either an exported blueprint definition or have a manually created blueprint definition in the required folder structure, you can import that blueprint definition to a different management group or subscription.

    For examples of built-in blueprint definitions, see the Azure Blueprints GitHub repo.

    • Name [required]
        • Specifies the name for the new blueprint definition
    • InputPath [required]
        • Specifies the path to create the blueprint definition from
        • Must match the required folder structure
    • ManagementGroupId (optional)
        • The management group ID to save the blueprint definition to if not the current context default
        • Either ManagementGroupId or SubscriptionId must be specified
    • SubscriptionId (optional)
        • The subscription ID to save the blueprint definition to if not the current context default
        • Either ManagementGroupId or SubscriptionId must be specified

    Use the Import-AzBlueprintWithArtifact cmdlet to import the specified blueprint definition:

        # Login first with Connect-AzAccount if not using Cloud Shell
        Import-AzBlueprintWithArtifact -Name 'MyBlueprint' -ManagementGroupId 'DevMG' -InputPath 'C:\Blueprints\MyBlueprint'

    Once the blueprint definition is imported, assign it with PowerShell.

    Hope that helps.

    --------------------------------------------------------------------------------------

    If the above response is helpful, please feel free to "Accept as Answer" so it can be beneficial to the community.

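The error quoted in the question complains about a "linked subscription" in another tenant. The following is an added example, not code from the thread or from Microsoft: a pre-import check that lists every `/subscriptions/<id>` reference inside a blueprint definition folder that points outside the subscription being imported into. It assumes the failure comes from artifact files that still reference custom policy definitions by their source subscription path; the function name, demo folder, and GUIDs are constructed placeholders.

```powershell
# Added example, not from the thread. Paths and IDs below are constructed placeholders.
function Find-ForeignSubscriptionReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InputPath,             # blueprint definition folder
        [Parameter(Mandatory)] [string] $TargetSubscriptionId   # subscription being imported into
    )
    # Matches the "/subscriptions/<guid>" prefix of any ARM resource ID.
    $pattern = '(?i)/subscriptions/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
    Get-ChildItem -Path $InputPath -Filter '*.json' -Recurse -File | ForEach-Object {
        $file = $_
        $lineNumber = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNumber++
            foreach ($m in [regex]::Matches($line, $pattern)) {
                $subId = $m.Groups[1].Value
                # -ne compares strings case-insensitively, which suits GUIDs.
                if ($subId -ne $TargetSubscriptionId) {
                    [pscustomobject]@{
                        File = $file.Name; Line = $lineNumber
                        SubscriptionId = $subId; Text = $line.Trim()
                    }
                }
            }
        }
    }
}

# Constructed sample: one policy assignment artifact that still points at the source subscription.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'bp-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'Artifacts') -Force | Out-Null
Set-Content -Path (Join-Path $demo 'Artifacts/policy.json') -Value @'
{
  "kind": "policyAssignment",
  "properties": {
    "policyDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policySetDefinitions/custom-tags"
  }
}
'@
Find-ForeignSubscriptionReference -InputPath $demo -TargetSubscriptionId '22222222-2222-2222-2222-222222222222'
```

An empty result means no artifact in the folder references a subscription other than the target.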