Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
66 questions
I think you need to be a Managed Identity Operator instead.
Azure Ligthouse User Access Admin group not working
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 52%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
ObnoxiousRicotta
5
Reputation points
In Azure AD I am assigned to an Azure Lighthouse group that is supposed to give me the 'User Access Administrator' role to all subscriptions from another tenant that is enrolled in Lighthouse. When I view my access on the subscriptions, I can see that my user has the 'User Access Administrator' role assigned.
I am trying to assign the reader role to a managed identity (MI) within the other tenant's subscription, but I get this error message: "Failed to add <MI name> as Reader for <subscription name>: The client <client> with object id <object id> does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments' over scope <subscription scope> or the scope is invalid. If access was recently granted, please refresh your credentials.."
I have tried to do it with Azure CLI and Azure PS as well, but I get the same error message.
This is the condition that is set on the role assignment of the Azure AD group:
@Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { 'b24988ac-6180-42a0-ab88-20f7382dd24c','acdd72a7-3385-48ef-bd42-f606fba81ae7' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')
Do I get the error because of this condition? Or is there something else that I don't know about?
Thanks
{count} votes
-
JamesTran-MSFT 36,371 Reputation points Microsoft Employee2023-05-19T17:37:25.89+00:00 I wanted to check in and see if you had any other questions or if the answers below helped to resolve your issue? I also noticed that your recent experience was not helpful, and to better improve our processes and learn from our customers, I'm eager to know what could have been done better.
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment
3 answers
Sort by: Most helpful
-
Andrew Blumhardt 9,496 Reputation points Microsoft Employee2023-05-16T20:36:08.5733333+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 14,491 Reputation points Microsoft Employee2023-05-19T06:58:52.9066667+00:00 As per prerequisites for assigning a role to managed Identity, you just need below permission,
-
Microsoft.Authorization/roleAssignments/writepermissions, such as User Access Administrator or Owner
however, as per your description you already have this permission set on your account.
You can confirm once again and check if your account has above permission listed in roles.
You can use below command to confirm the same,
Get-AzRoleAssignment -SignInName john.doe@contoso.com
Above command will get all role assignments made to user john.doe@contoso.com, and the groups of which he is member.
Let me know if above solution helps you.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
-
JamesTran-MSFT 36,371 Reputation points Microsoft Employee
2023-05-22T17:27:23.5766667+00:00 I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 19%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELP%3C/text%3E%3C/svg%3E)
Luciano Pereira 0 Reputation points2023-06-13T17:55:20.41+00:00 I'm having the exact same issue. And I'm also wondering if the condition created in the User Access Administrator role assignment is correct, since it shows an error in the Azure Portal.
In case the condition's syntax is not correct. Then it seems like there is a bug when creating a Lighthouse offer with User Access Administrator role assignment that includes delegated role definitions
@ObnoxiousRicotta Did you have any luck solving this issue?
-
ObnoxiousRicotta 5 Reputation points
2023-06-13T19:02:44.99+00:00 No luck here. What I did was leverage the admin privileges through Microsoft Partner Center where possible and assigned roles that way.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 70%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
McHu 0 Reputation points2023-07-31T04:52:34.1466667+00:00 i have this exact issue also, everything looks ok until you try to use the permission or check the condition syntax. deploying lighthouse delegations via bicep/ARM templates using the latest API (older APIs have the same result)
-
McHu 0 Reputation points
2023-08-01T00:30:50.7966667+00:00 TT
The documentation doesn't really make it obvious that it's only available to these storage roles. sort of just that there are limits to the storage roles. anyway, feels like it's unsupported for User Access Administrator even though the API messaging tells you this ABAC condition needs to be configured.
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' // User Access Administrator
-
McHu 0 Reputation points
2023-08-09T01:03:53.0166667+00:00 i reformatted the condition in the code editor so it no longer has any validation errors.
for eg.
( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) ) AND ( @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ab8e14d6-4a74-4a29-9ba8-549422addade', 'b24988ac-6180-42a0-ab88-20f7382dd24c', '92aaf0da-9dab-42b6-94a3-d43ce8d16293'} AND ( EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] ) AND ( @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '') ) )
Sign in to comment -