How to fix error on Azure Arc enabled server onboarding - The client 'XXX' with object id XXX does not have authorization to perform action 'Microsoft.HybridCompute/register/action' over scope '/subscriptions/YYYY'

MENON, MANUDEV 20 Reputation points
2024-03-06T05:12:49.9566667+00:00

Using Azure Arc enabled servers with service principal having roles: Azure Connected Machine Onboarding and

Azure Connected Machine Resource Administrator, I am onboarding a machine and gets a below error during onboarding script execution.

FATAL   RequestCorrelationId: XXXX Message: The client 'XXXXX' with object id 'XXXXX' does not have authorization to perform action 'Microsoft.HybridCompute/register/action' over scope '/subscriptions/XXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed httpStatusCode:403

Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
452 questions
0 comments No comments
{count} votes

Accepted answer
  1. Oleksandr Romaniuk 480 Reputation points
    2024-03-07T21:22:56.01+00:00

    Hello!
    It is good that the Service principal has Azure Connected Machine Onboarding permission, but then the problem is in other Service principal settings. Check whether the Service principal has access to the subscription and the required Resource groups. Also, check if the Service principal has expired.

    More details in this article.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Sven Aelterman 16 Reputation points Microsoft Employee
    2024-04-02T21:58:15.9966667+00:00

    This permission refers to the permission required to register the Microsoft.HybridCompute resource provider on the subscription. This is a one-time operation (per subscription) before any Arc machines can be onboarded.

    While creating this custom role is a workaround, the usual pattern is that a privileged user will register the resource provider manually before attempting to onboard the first Arc machine.

    1 person found this answer helpful.

  2. Josh Weigner 1 Reputation point
    2024-03-08T16:38:21.9033333+00:00

    I was facing the same problem. I created the service principal using the Azure Arc blade but clearly that does not assign the correct permissions. I could not find the correct role assignment so I had to create a custom role, and then assign that to the service principal.

    {
        "properties": {
            "roleName": "Azure Arc Register ",
            "description": "Register Hybrid Compute Resources to Azure Arc",
            "assignableScopes": [
                "/subscriptions/{Subscription ID}"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.HybridCompute/register/action"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
    
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.