I think you need to be a Managed Identity Operator instead.
Azure Ligthouse User Access Admin group not working
In Azure AD I am assigned to an Azure Lighthouse group that is supposed to give me the 'User Access Administrator' role to all subscriptions from another tenant that is enrolled in Lighthouse. When I view my access on the subscriptions, I can see that my user has the 'User Access Administrator' role assigned.
I am trying to assign the reader role to a managed identity (MI) within the other tenant's subscription, but I get this error message: "Failed to add <MI name> as Reader for <subscription name>: The client <client> with object id <object id> does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments' over scope <subscription scope> or the scope is invalid. If access was recently granted, please refresh your credentials.."
I have tried to do it with Azure CLI and Azure PS as well, but I get the same error message.
This is the condition that is set on the role assignment of the Azure AD group:
@Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { 'b24988ac-6180-42a0-ab88-20f7382dd24c','acdd72a7-3385-48ef-bd42-f606fba81ae7' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')
Do I get the error because of this condition? Or is there something else that I don't know about?
Thanks
3 answers
Sort by: Most helpful
-
Andrew Blumhardt 9,866 Reputation points Microsoft Employee
2023-05-16T20:36:08.5733333+00:00 -
Sandeep G-MSFT 19,761 Reputation points Microsoft Employee
2023-05-19T06:58:52.9066667+00:00 As per prerequisites for assigning a role to managed Identity, you just need below permission,
-
Microsoft.Authorization/roleAssignments/write
permissions, such as User Access Administrator or Owner
however, as per your description you already have this permission set on your account.
You can confirm once again and check if your account has above permission listed in roles.
You can use below command to confirm the same,
Get-AzRoleAssignment -SignInName john.doe@contoso.com
Above command will get all role assignments made to user john.doe@contoso.com, and the groups of which he is member.
Let me know if above solution helps you.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
-
-
Luciano Pereira 0 Reputation points
2023-06-13T17:55:20.41+00:00 I'm having the exact same issue. And I'm also wondering if the condition created in the User Access Administrator role assignment is correct, since it shows an error in the Azure Portal.
In case the condition's syntax is not correct. Then it seems like there is a bug when creating a Lighthouse offer with User Access Administrator role assignment that includes delegated role definitions
@ObnoxiousRicotta Did you have any luck solving this issue?