How to fix error on Azure Arc enabled server onboarding - The client 'XXX' with object id XXX does not have authorization to perform action 'Microsoft.HybridCompute/register/action' over scope '/subscriptions/YYYY'

MENON, MANUDEV 20 Reputation points
2024-03-06T05:12:49.9566667+00:00

Using Azure Arc enabled servers with a service principal having the roles Azure Connected Machine Onboarding and Azure Connected Machine Resource Administrator, I am onboarding a machine and get the error below during onboarding script execution.

FATAL   RequestCorrelationId: XXXX Message: The client 'XXXXX' with object id 'XXXXX' does not have authorization to perform action 'Microsoft.HybridCompute/register/action' over scope '/subscriptions/XXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials. Code: AuthorizationFailed httpStatusCode:403


Accepted answer
  1. Oleksandr Romaniuk 465 Reputation points
    2024-03-07T21:22:56.01+00:00

    Hello!
    It is good that the Service principal has Azure Connected Machine Onboarding permission, but then the problem is in other Service principal settings. Check whether the Service principal has access to the subscription and the required Resource groups. Also, check if the Service principal has expired.

    More details in this article.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.

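One way to run the three checks this answer suggests from PowerShell, as an added example that is not part of the original answer. It assumes the Az.Accounts and Az.Resources modules and a Connect-AzAccount session with rights to read role assignments and app registrations; the $SpObjectId and $SubscriptionId parameters are placeholders for the IDs masked in the error message.

```powershell
# Added diagnostic for the AuthorizationFailed error above (example code, not from the thread).
# Assumes: Az.Accounts + Az.Resources installed, Connect-AzAccount already run as a user
# who can read role assignments and app registrations. Both parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $SpObjectId,
    [Parameter(Mandatory)] [string] $SubscriptionId
)

$scope  = "/subscriptions/$SubscriptionId"
$action = 'Microsoft.HybridCompute/register/action'   # the action named in the 403

# 1. Which roles does the service principal hold at (or inherited into) subscription scope?
$assignments = Get-AzRoleAssignment -ObjectId $SpObjectId -Scope $scope
if (-not $assignments) {
    Write-Warning "No role assignments for $SpObjectId visible at $scope"
}

# 2. Does any assigned role actually grant that action? RBAC 'Actions' entries may use
#    '*' wildcards (which -like understands), and NotActions subtract from Actions.
$granted = $false
foreach ($a in $assignments) {
    $def     = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    $allowed = @($def.Actions    | Where-Object { $action -like $_ }).Count -gt 0
    $denied  = @($def.NotActions | Where-Object { $action -like $_ }).Count -gt 0
    $ok      = $allowed -and -not $denied
    "{0,-45} scope={1} grants={2}" -f $a.RoleDefinitionName, $a.Scope, $ok
    if ($ok) { $granted = $true }
}
if (-not $granted) {
    Write-Warning "No assigned role grants $action at $scope; this matches the error in the question."
}

# 3. Has the service principal's client secret or certificate expired?
$sp    = Get-AzADServicePrincipal -ObjectId $SpObjectId
$creds = Get-AzADAppCredential -ApplicationId $sp.AppId
foreach ($c in $creds) {
    $state = if ($c.EndDateTime -lt (Get-Date).ToUniversalTime()) { 'EXPIRED' } else { 'valid' }
    "credential {0} expires {1:u} ({2})" -f $c.KeyId, $c.EndDateTime, $state
}
```

Run it as `.\Check-ArcSp.ps1 -SpObjectId <object id> -SubscriptionId <subscription id>` (file name is arbitrary). A row showing `grants=False` for every assignment, with the principal otherwise valid, points at the missing register permission rather than at the credential; an expired credential shows up in the last section regardless of roles.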

2 additional answers

  1. Josh Weigner 1 Reputation point
    2024-03-08T16:38:21.9033333+00:00

    I was facing the same problem. I created the service principal using the Azure Arc blade but clearly that does not assign the correct permissions. I could not find the correct role assignment so I had to create a custom role, and then assign that to the service principal.

    {
        "properties": {
            "roleName": "Azure Arc Register",
            "description": "Register Hybrid Compute Resources to Azure Arc",
            "assignableScopes": [
                "/subscriptions/{Subscription ID}"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.HybridCompute/register/action"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }

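The same custom role created and assigned with Az PowerShell instead of through the portal JSON above, as an added example that is not the answer author's code. It assumes the Az.Resources module, a Connect-AzAccount session holding Owner or User Access Administrator on the subscription, and placeholder parameters $SpObjectId and $SubscriptionId; the role name and description are taken from the JSON in the answer.

```powershell
# Added example (not from the thread): create the single-action custom role from the
# answer above and assign it to the onboarding service principal at subscription scope.
# Assumes Az.Resources and a session with Owner / User Access Administrator rights.
param(
    [Parameter(Mandatory)] [string] $SpObjectId,
    [Parameter(Mandatory)] [string] $SubscriptionId
)

$roleName = 'Azure Arc Register'
$scope    = "/subscriptions/$SubscriptionId"

# Create the role only once; Get-AzRoleDefinition returns $null when it does not exist yet.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) {
    # Clone a built-in definition as a template, then replace every field we care about.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.Name        = $roleName
    $role.Description = 'Register Hybrid Compute Resources to Azure Arc'
    $role.Actions.Clear()
    $role.Actions.Add('Microsoft.HybridCompute/register/action')   # the one action needed
    $role.NotActions = [System.Collections.Generic.List[string]]::new()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)   # assignable in this subscription only
    $role = New-AzRoleDefinition -Role $role

    # A new custom role can take a little while before it is usable in an assignment.
    $tries = 0
    while (-not (Get-AzRoleDefinition -Name $roleName) -and $tries++ -lt 12) {
        Start-Sleep -Seconds 10
    }
}

# Assign at subscription scope, skipping if the assignment already exists.
$existing = Get-AzRoleAssignment -ObjectId $SpObjectId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $SpObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}
"$roleName assigned to $SpObjectId at $scope"
```

The role carries exactly one action and is assignable only in the target subscription, so it adds nothing beyond what the error asks for. After the assignment the onboarding script has to obtain a fresh token for the service principal, as the error text itself notes ("If access was recently granted, please refresh your credentials").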

  2. Sven Aelterman 11 Reputation points Microsoft Employee
    2024-04-02T21:58:15.9966667+00:00

    This permission refers to the permission required to register the Microsoft.HybridCompute resource provider on the subscription. This is a one-time operation (per subscription) before any Arc machines can be onboarded.

    While creating this custom role is a workaround, the usual pattern is that a privileged user will register the resource provider manually before attempting to onboard the first Arc machine.

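The usual pattern this answer describes, done from PowerShell, as an added example that is not part of the original answer: a privileged user registers the resource provider once, and the onboarding service principal keeps only the built-in role. It assumes the Az.Resources module, a Connect-AzAccount session as a user with Contributor or Owner on the subscription (both include the register action), and a placeholder $SubscriptionId.

```powershell
# Added example (not from the thread): one-time resource provider registration by a
# privileged user, so the onboarding service principal never needs
# Microsoft.HybridCompute/register/action. Assumes Az.Resources and a session as a user
# with Contributor or Owner on the subscription. $SubscriptionId is a placeholder.
param([Parameter(Mandatory)] [string] $SubscriptionId)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# The page only mentions Microsoft.HybridCompute; add further namespaces here if your
# onboarding path needs them.
$namespaces = @('Microsoft.HybridCompute')

foreach ($ns in $namespaces) {
    # Get-AzResourceProvider returns one row per resource type; RegistrationState is the same on each.
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') {
        "$ns already registered"
        continue
    }

    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null

    # Registration is asynchronous: poll until the state flips to Registered or we give up.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Registered') {
        throw "$ns is still '$state' after waiting; check the activity log before retrying"
    }
    "$ns registered"
}
```

Once every namespace reports `Registered`, re-run the onboarding script with the service principal holding the built-in Azure Connected Machine Onboarding role; the register action is no longer attempted at subscription scope, so the custom role from the previous answer becomes unnecessary.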