VM replication: Not sufficient permissions on Key Vault

Admin - Patricio Keilty 60 Reputation points
2024-06-24T20:30:06.9766667+00:00

Hi,

Trying to migrate on-premises VMware VMs to Azure VMs using the agentless approach; having already set up the migration appliance and completed the discovery phase, when I try to replicate any VM in the discovered items list, I get the following error:

The user (NN) doesn't have sufficient permissions to perform role assignment on the Key Vault in the Resource Group (LCGroup). The user must be assigned one of the following three roles on the Azure Migrate project's Resource Group and the target Resource Group: an Owner, a Contributor and a User Access Administrator, or a custom role . If the user has been assigned a custom role, make sure the following missing permissions are included: Microsoft.Authorization/policyDefinitions/write

User NN does have the Contributor & Global Administrator roles for the whole org's resources. Couldn't find the "User Access Admin" role, but tried the "Auth Admin" & "User Admin" roles just in case, but no luck either.

Maybe I should try a custom role with the Microsoft.Authorization/policyDefinitions/write permission instead?

Is there a way to check specific permissions on a particular resource, e.g. LCGroup/Key Vault?

Any suggestions or comments are welcome! Regards,

--Patricio

Azure Migrate
A central hub of Azure cloud migration services and tools to discover, assess, and migrate workloads to the cloud.

Accepted answer
  1. Ganeshkumar R 660 Reputation points
    2024-06-24T20:35:13.4866667+00:00

    It sounds like you're encountering a permissions issue when trying to migrate your on-premises VMware VMs to Azure VMs using the agentless approach. The error message indicates that the user does not have sufficient permissions to perform role assignments on the Key Vault in the resource group.

    Steps to Resolve the Issue

    Step 1: Verify Required Roles and Permissions

    Ensure that the user has the necessary roles and permissions. The required roles are:

    1. Owner, or Contributor plus User Access Administrator, on:
      • The Azure Migrate project's Resource Group
      • The target Resource Group

    The "User Access Administrator" role is necessary because it grants the ability to manage user access to Azure resources.

    Step 2: Assign the User Access Administrator Role

    1. Assign the User Access Administrator Role:
      • Go to the Azure Portal.
      • Navigate to the Resource Group where your Key Vault is located.
      • Select Access control (IAM).
      • Click on Add role assignment.
      • Search for User Access Administrator and select it.
      • Assign this role to the user in question.
    2. Verify the Role Assignment:
      • Ensure that the role assignment is propagated and that the user indeed has the necessary permissions.

    Step 3: Check and Assign Specific Permissions

    If the role assignment doesn't solve the issue, you can create a custom role with the specific permissions required.

    1. Create a Custom Role:
      • Go to the Azure Portal.
      • Navigate to Subscriptions.
      • Select your subscription and go to Access control (IAM).
      • Click on Add and then Add custom role.
      • Define a new custom role with the following permission:

             {
               "Name": "CustomRoleWithPolicyDefinitionsWrite",
               "IsCustom": true,
               "Description": "Custom role with Microsoft.Authorization/policyDefinitions/write permission",
               "Actions": [
                 "Microsoft.Authorization/policyDefinitions/write",
                 "Microsoft.KeyVault/vaults/*"
               ],
               "NotActions": [],
               "AssignableScopes": [
                 "/subscriptions/{subscription-id}"
               ]
             }

      • Replace {subscription-id} with your actual subscription ID, and add any other permissions the role needs to the "Actions" list.
      • Save the custom role.
    2. Assign the Custom Role:
      • Navigate to the Resource Group where your Key Vault is located.
      • Select Access control (IAM).
      • Click on Add role assignment.
      • Search for the custom role you just created and assign it to the user.

    Step 4: Verify Permissions on Specific Resources

    To check specific permissions on a particular resource, such as the Key Vault:

    1. Azure Portal:
      • Navigate to the Resource Group.
      • Select the Key Vault.
      • Go to Access control (IAM).
      • Check the Role assignments to see if the user has the necessary roles.
    2. Azure CLI:
      • Use the Azure CLI to list role assignments:
        
             # --include-inherited also lists assignments made on the resource group, subscription or management group that apply at this scope;
             # --include-groups adds roles the user holds through group membership
             az role assignment list --assignee <user-principal-name-or-object-id> --scope <resource-scope> --include-inherited --include-groups --output table
        
        
      • Replace <user-principal-name-or-object-id> with the user's principal name or object ID, and <resource-scope> with the scope of the resource group or specific resource.

    Example Azure CLI Command

    To check role assignments on the Key Vault:

    
    az role assignment list --assignee user@example.com --include-inherited --include-groups --output table --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}
    
    

    Replace {subscription-id}, {resource-group-name}, and {key-vault-name} with your actual values.

    By following these steps, you should be able to resolve the permissions issue and proceed with the migration. If the problem persists, double-check the role assignments and permissions, or consider reaching out to Azure Support for further assistance.

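The question asks how to check whether a user actually holds a specific permission on a particular resource, and the answer above only lists role assignments. Listing assignments is not the same as knowing whether a given action is granted, because Azure evaluates each role's Actions against its NotActions with wildcard matching and applies assignments to every scope beneath the one they were made on. The built-in Contributor role has "*" in Actions but excludes Microsoft.Authorization/*/Write in NotActions, so it never grants Microsoft.Authorization/roleAssignments/write; User Access Administrator does, which is why assigning that role (step 2) resolved the error. The Entra ID Global Administrator role, on its own, carries no Azure RBAC permissions at all. The following Python script is an added example, not code from the original thread or from Microsoft: it reproduces that evaluation offline over constructed role definitions and assignments whose shape mirrors the JSON that `az role definition list` and `az role assignment list` emit (the subscription ID, vault name and principal ID "nn" are placeholders; Contributor's NotActions are abridged). It also checks the custom role proposed in step 3 and shows that, as written, it does not grant the role-assignment action either. Deny assignments, data actions and PIM-eligible roles are not modelled.

```python
"""Offline check of Azure RBAC effective permissions at a resource scope.

Added example, not part of the original Q&A. A role grants an action when the
action matches one of its Actions and none of its NotActions ('*' matches any
characters, including '/', case-insensitively), and an assignment applies to the
scope it was made on and everything beneath it. All data below is constructed.
"""
import fnmatch
from typing import Iterable

# Constructed scopes; LCGroup is the resource group named in the question.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = f"{SUBSCRIPTION}/resourceGroups/LCGroup"
VAULT = f"{RESOURCE_GROUP}/providers/Microsoft.KeyVault/vaults/examplevault"  # placeholder vault name

# The control-plane action Azure Migrate needs in order to assign roles on the Key Vault.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Abridged built-in definitions (Contributor's NotActions cut down to its
# Microsoft.Authorization entries) plus the custom role from the accepted answer.
ROLE_DEFINITIONS = [
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"roleName": "User Access Administrator",
     "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
                      "notActions": []}]},
    {"roleName": "CustomRoleWithPolicyDefinitionsWrite",
     "permissions": [{"actions": ["Microsoft.Authorization/policyDefinitions/write",
                                  "Microsoft.KeyVault/vaults/*"],
                      "notActions": []}]},
]

# Constructed assignments for placeholder principal "nn" (user NN in the question).
ASSIGNMENTS_BEFORE = [
    {"principalId": "nn", "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
]
ASSIGNMENTS_AFTER = ASSIGNMENTS_BEFORE + [
    {"principalId": "nn", "roleDefinitionName": "User Access Administrator", "scope": RESOURCE_GROUP},
]
ASSIGNMENTS_CUSTOM = [
    {"principalId": "nn", "roleDefinitionName": "CustomRoleWithPolicyDefinitionsWrite", "scope": RESOURCE_GROUP},
]


def _matches(action: str, patterns: Iterable[str]) -> bool:
    """Azure RBAC wildcard match: '*' spans '/' and the comparison ignores case."""
    needle = action.lower()
    return any(fnmatch.fnmatchcase(needle, p.lower()) for p in patterns)


def role_allows(role: dict, action: str) -> bool:
    """True if a permission block grants the action and none of its NotActions removes it."""
    return any(_matches(action, p.get("actions", [])) and not _matches(action, p.get("notActions", []))
               for p in role["permissions"])


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment at a scope applies to that scope and to every child scope."""
    parent = assignment_scope.rstrip("/").lower() + "/"
    child = resource_scope.rstrip("/").lower() + "/"
    return child.startswith(parent)


def granting_roles(assignments, role_definitions, principal_id, resource_scope, action):
    """Names of the assigned roles through which principal_id may perform action at resource_scope."""
    by_name = {r["roleName"]: r for r in role_definitions}
    return [a["roleDefinitionName"] for a in assignments
            if a["principalId"] == principal_id
            and scope_covers(a["scope"], resource_scope)
            and role_allows(by_name[a["roleDefinitionName"]], action)]


if __name__ == "__main__":
    for label, assignments in (("Contributor only", ASSIGNMENTS_BEFORE),
                               ("Contributor + User Access Administrator", ASSIGNMENTS_AFTER),
                               ("custom role from step 3 only", ASSIGNMENTS_CUSTOM)):
        roles = granting_roles(assignments, ROLE_DEFINITIONS, "nn", VAULT, ROLE_ASSIGNMENT_WRITE)
        print(f"{label}: {ROLE_ASSIGNMENT_WRITE} on vault -> {roles or 'DENIED'}")
```

To run it against a real tenant, replace the constructed lists with the output of `az role assignment list --assignee <upn-or-object-id> --scope <vault-resource-id> --include-inherited --include-groups --output json` and `az role definition list --output json`, and swap the action for whichever one the failing operation reports.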

1 additional answer
  1. Admin - Patricio Keilty 60 Reputation points
    2024-06-26T21:16:06.25+00:00

    Ganeshkumar,

    It was indeed a permissions issue, as anticipated: step 2 did solve it!

    Thanks for helping out!

    --Patricio

