Unable to delete resources from Azure Resource Mover

Mod Administrator 0 Reputation points
2023-08-10T11:59:34.55+00:00

Hi,

I'm trying to delete resources from Azure Resource Mover, but due to the inexistence of the Tenant, there is an issue when I try to delete these resources:

"Error while assigning roles to the System Assigned Managed Identity. Retry by clicking on 'Repair'. 

The previously created System Assigned Managed Identity doesn't have enough permissions to access the resources in the subscription Abonnement Visual Studio Enterprise. Click on Repair to fix this issue."

Thanks for your support

Azure Resource Mover
An Azure service used for moving multiple resources between Azure regions.

3 answers

  1. Monalla-MSFT 13,031 Reputation points
    2023-08-16T14:43:40.6833333+00:00

    @Mod Administrator - Welcome to Microsoft Q&A and thanks for reaching out to us.

    As you mentioned that the tenant does not exist, it is possible that the issue might be related to the fact that the Managed Identity is not able to authenticate to the subscription.

    You may need to create a new Managed Identity and assign the required permissions to it.

    Also, if you think it's related to a permissions issue, you can try to fix this issue by clicking on 'Repair'. This will retry the process of assigning roles to the Managed Identity. If the issue persists, you may need to check if the Managed Identity has the required permissions to access the resources in the subscription.

    Please follow this document for more details: https://learn.microsoft.com/en-us/azure/resource-mover/common-questions

    Hope this helps, and please feel free to reach out if you have any further questions.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.


  2. Mod Administrator 0 Reputation points
    2023-08-16T15:50:22.7833333+00:00

    Thanks for your reply. Unfortunately the "Repair" button doesn't work.

    Can you please tell me how to create a new Managed Identity and assign the required permissions to it?

    Thanks


  3. Phil Nachreiner-MSFT 1 Reputation point Microsoft Employee
    2024-06-10T12:46:00.4166667+00:00

    I ran into a similar issue where the "Repair" button didn't work and the error indicated that:

    "The previously created System Assigned Managed Identity doesn't have enough permissions to access the resources in the subscription Abonnement Visual Studio Enterprise. Click on Repair to fix this issue."

    The System Assigned Managed Identity needs to have 2 roles assigned to it.

    1. Contributor
    2. User Access Administrator

    In my instance my System Assigned Managed Identity didn't have the "User Access Administrator" role assigned to it.

    To fix this, first you need to verify you can assign both roles.

    How to verify you can assign the 2 above roles (Contributor, User Access Administrator):

    1. Go to your subscription
    2. Click on Access Control (IAM)
    3. Click Add->"Add role assignment"
    4. In "Add role assignment" click on the "Privileged administrator roles"
    5. Verify you see: Contributor and "User Access Administrator" in there. If you do not, you might have a Role Assignment Condition set on your account, and you will need someone with the ability to remove the condition from your account in order for you to proceed.

    If you can assign both those roles, follow the steps here: https://learn.microsoft.com/en-us/azure/resource-mover/tutorial-move-region-powershell?tryIt=true&source=docs#grant-access-to-the-managed-identity to assign those roles to your System Assigned Managed Identity. Steps copied below for reference:

    1. Retrieve identity details from the MoveCollection object.

    ```powershell
    $moveCollection = Get-AzResourceMoverMoveCollection -SubscriptionId $subscriptionId -ResourceGroupName "RG-MoveCollection-demoRMS" -Name "PS-centralus-westcentralus-demoRMS"

    $identityPrincipalId = $moveCollection.IdentityPrincipalId
    ```

    2. Assign the required roles to the identity so Azure Resource Mover can access your subscription to help move resources.

    ```powershell
    New-AzRoleAssignment -ObjectId $identityPrincipalId -RoleDefinitionName Contributor -Scope "/subscriptions/$subscriptionId"

    New-AzRoleAssignment -ObjectId $identityPrincipalId -RoleDefinitionName "User Access Administrator" -Scope "/subscriptions/$subscriptionId"
    ```

    Note: you need to replace the values -ResourceGroupName, -Name with appropriate values for your Azure resource and define a string $subscriptionId variable equal to your Azure SubscriptionId

    See this (https://learn.microsoft.com/en-us/azure/role-based-access-control/delegate-role-assignments-portal?tabs=template) article on Azure Resource Mover for more information on why the Azure Resource Mover needs the above roles.

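The check-then-assign procedure from the answer above, as an added example that is not part of the original thread or of Microsoft's tutorial: it lists which of the two roles the move collection's identity already holds at subscription scope and assigns only the missing ones. The three placeholder values are assumptions to replace with your own; the cmdlets are from the Az PowerShell modules used in the answer.

```powershell
# Added example. Placeholder values are assumptions; replace them with your own.
$subscriptionId    = "<subscription-id>"
$resourceGroupName = "<move-collection-resource-group>"
$collectionName    = "<move-collection-name>"

$scope         = "/subscriptions/$subscriptionId"
$requiredRoles = @("Contributor", "User Access Administrator")

# Look up the principal ID of the move collection's system-assigned identity.
$moveCollection = Get-AzResourceMoverMoveCollection -SubscriptionId $subscriptionId `
    -ResourceGroupName $resourceGroupName -Name $collectionName
$identityPrincipalId = $moveCollection.IdentityPrincipalId
if (-not $identityPrincipalId) {
    throw "Move collection '$collectionName' returned no identity principal ID."
}

# Roles the identity already holds exactly at subscription scope
# (assignments on other scopes are filtered out).
$existing = Get-AzRoleAssignment -ObjectId $identityPrincipalId -Scope $scope |
    Where-Object { $_.Scope -eq $scope } |
    Select-Object -ExpandProperty RoleDefinitionName

# Assign only what is missing, and report each outcome.
foreach ($role in $requiredRoles) {
    if ($existing -contains $role) {
        Write-Output "Already assigned: $role"
        continue
    }
    try {
        New-AzRoleAssignment -ObjectId $identityPrincipalId `
            -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
        Write-Output "Assigned: $role"
    }
    catch {
        # A failure here can mean the signed-in account is not allowed to grant
        # this role, e.g. because of the role assignment condition described
        # in the answer above.
        Write-Warning "Could not assign '$role': $($_.Exception.Message)"
    }
}

# Final state, for the change record.
Get-AzRoleAssignment -ObjectId $identityPrincipalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ObjectType
```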
