Unable to update a VM using a system-assigned managed identity with the Update-AzVM command

Bestha, Narendra 20 Reputation points
2024-03-20T06:41:59.7166667+00:00

The Automation account's system-assigned managed identity has the Virtual Machine Contributor role and the Managed Identity Operator role on resource group x.

It is failing to update a VM. ErrorCode: LinkedAuthorizationFailed ErrorMessage: The client 'xx-x' with object id 'xx-x' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/xx-xx-zz/resourceGroups/x/providers/Microsoft.Compute/virtualMachines/xxzz'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xx-xx-zz/resourceGroups/Y/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xx-wa' (respectively) or the linked scope(s) are invalid.

So, in order to update the VM, should the system-assigned managed identity have the Managed Identity Operator role on resource group Y as well? Why do we need the Managed Identity Operator role to update a VM?


Accepted answer
  1. Anveshreddy Nimmala 2,460 Reputation points Microsoft Vendor
    2024-03-20T07:14:35.5333333+00:00

    Hello

    Welcome to Microsoft Q&A, thank you for posting your query here.

    User-assigned managed identities are identities that can be associated with Azure resources (like VMs) to allow them to authenticate to and interact with other Azure services. Unlike system-assigned identities, which are directly tied to a single resource and managed by Azure, user-assigned identities can be shared across multiple resources. The action that's failing is 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'. The permissions for your automation account's managed identity are currently set at the resource group level, and the user-assigned identity it's trying to manage is in another resource group. Azure RBAC (role-based access control) permissions are scoped, meaning that if you grant permissions at the resource group level, those permissions apply only to resources within that resource group. To manage a user-assigned identity in a resource group, the managed identity needs the Managed Identity Operator role assigned at that resource group.

    Please refer to this documentation for more information:

    https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm

    Hope this helps you.

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

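The check the accepted answer describes, as an added Az PowerShell example that is not part of the original thread: it lists every user-assigned identity attached to the VM (each one is a "linked scope" that Update-AzVM re-sends, which is what triggers the assign/action check), verifies whether the Automation account's principal already holds Managed Identity Operator there, and otherwise grants it scoped to the identity resource itself rather than to all of resource group Y. Resource group and account names are placeholders.

```powershell
# Placeholders (not from the original post): replace with your own names.
$AutomationRg   = 'automation-rg'
$AutomationName = 'automation-acct'
$VmRg           = 'x'       # resource group holding the VM
$VmName         = 'xxzz'    # the VM that Update-AzVM fails on
$Role           = 'Managed Identity Operator'

# Object (principal) ID of the Automation account's system-assigned identity.
$acct        = Get-AzAutomationAccount -ResourceGroupName $AutomationRg -Name $AutomationName
$principalId = $acct.Identity.PrincipalId

# Each user-assigned identity on the VM is a linked scope: the VM write payload
# references it, so ARM also checks
# Microsoft.ManagedIdentity/userAssignedIdentities/assign/action on that ID.
$vm = Get-AzVM -ResourceGroupName $VmRg -Name $VmName
if (-not $vm.Identity -or -not $vm.Identity.UserAssignedIdentities) {
    Write-Host "No user-assigned identities on $VmName; no linked scopes to check."
    return
}
$linkedScopes = @($vm.Identity.UserAssignedIdentities.Keys)  # full resource IDs, possibly in other RGs

foreach ($scope in $linkedScopes) {
    # Get-AzRoleAssignment with -Scope also returns assignments inherited from
    # the resource group or subscription, so an RG-level grant on Y is detected too.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq $Role }
    if ($existing) {
        Write-Host "OK: '$Role' already effective on $scope"
        continue
    }
    # Least privilege: grant on the identity resource, not the whole resource
    # group, so the principal can assign only this identity and nothing else.
    Write-Host "Granting '$Role' on $scope"
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $Role -Scope $scope | Out-Null
}
```

New role assignments can take a few minutes to propagate, so retry Update-AzVM after a short delay if the same LinkedAuthorizationFailed error persists immediately after the grant.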

