Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
92 questions
Lighthouse offer and Managed Identities permissions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 18%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Alessandro Pecci
20
Reputation points
Hi,
I am trying to assign the Contributor role over a Lighthouse managed subscription to a System Managed Identity (an Automation account).
According to the documentation:
"The User Access Administrator role is supported, but only for the limited purpose of assigning roles to a managed identity in the customer tenant."
I have deployed Lighthouse using a template, and the UAA role definition looks like this:
{
"principalId": "11111111-2222-3333-4444-555555555555",
"roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"principalIdDisplayName": "<DISPLAYNAME>",
"delegatedRoleDefinitionIds": [
"b24988ac-6180-42a0-ab88-20f7382dd24c",
"f353d9bd-d4a6-484e-a77a-8050b599b867",
"91c1777a-f3dc-4fae-b103-61d183457e46"
]
}
Once deployed, the Role assignments looks like this:
Despite that, when I log in with that account and try to assign any role to a Managed Identity with
New-AzRoleAssignment -ObjectId "<MANAGED_IDENTITY_ID>" -RoleDefinitionId "b24988ac-6180-42a0-ab88-20f7382dd24c" -Scope "/subscriptions/<MANAGED_SUBSCRIPTION_ID>" -Debug
I get:
"The client '<DISPLAYNAME>' with object id '11111111-2222-3333-4444-555555555555' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<MANAGED_SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleAssignments/aba84cfe-5664-4ec0-b4af-3dbfd4fc0403' or the scope is invalid. If access was recently granted, please refresh your credentials."
Any suggestion about what's wrong is hugely appreciated.
Azure Lighthouse
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Naveena Patlolla 3,925 Reputation points Microsoft External Staff Moderator2025-04-08T13:08:37.7933333+00:00 There seems to be an issue with your authorization access. Please verify the User Access Administrator assigned to that principal ID at the subscription level.
Please refer to the below article
let us know if you have any further queries. I’m happy to assist you further.
-
Alessandro Pecci 20 Reputation points
2025-04-08T15:15:51.6766667+00:00 Hi, Get-AzRoleAssignment shows this for that principal ID
RoleAssignmentName : bbc1aa37-0459-4899-9730-e4382cb20098 RoleAssignmentId : /subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleAssignments/bbc1aa37-0459-4899-9730-e4382cb20098 Scope : /subscriptions/<SUBSCRIPTION_ID> DisplayName : <DISPLAY_NAME> SignInName : <SIGN_IN_NAME> RoleDefinitionName : User Access Administrator RoleDefinitionId : 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 ObjectId : ObjectType : User CanDelegate : False Description : ConditionVersion : 1.0 Condition : @Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { 'b24988ac-6180-42a0-ab88-20f7382dd24c','f353d9bd-d4a6-484e-a77a-8050b599b867','91c1777a-f3dc-4fae-b103-61d183457e46' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')According to Copilot,
"In summary, the condition allows actions on role assignments only if they are not write or delete, or if the role assignment has a specific RoleDefinitionId and a non-empty DelegatedManagedIdentityResourceId."
If I get it right, that OR means that I should be able to grant those permissions.
Nonetheless, If I run New-AzRoleAssignment I still get the same result.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator2025-04-08T21:03:55.8533333+00:00 Hi Alessandro Pecci
As per error, it seems like principal does not haveMicrosoft.Authorization/roleAssignments/writepermissions at the target subscription scopeTo resolve this, you should assign the User Access Administrator role (or Owner role) to the principal at the subscription level where you are trying to assign the role to the managed identity
let us know if any help, we will always help as you needed.!
If the comment is helpful, please click "Upvote it".
-
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator
2025-04-09T20:43:40.98+00:00 Hi Alessandro Pecci
If you had a chance to see my Answer to your question. If it was helpful, please click "Upvote" and ''accept answer'' on my post let us know Thank you...! -
Naveena Patlolla 3,925 Reputation points Microsoft External Staff Moderator
2025-04-11T08:45:26.1033333+00:00 If you had a chance to work on the above solution provided. If it was helpful, please click "Upvote" and ''accept answer'' on my post let us know Thank you...!
-
Alessandro Pecci 20 Reputation points
2025-04-11T09:35:16.2833333+00:00 @Pranay Reddy Madireddy I would do it, but the principal role that should get the UAA role is defined in the Lighthouse delegation. Another Owner/UAA in the managed tenant can't see the roles assignments (i.e. with Get-AzRoleAssignment -Scope "/subscriptions/<SUBSCRIPTION_ID>"), as far as I know it's only possible from the managing tenant. But the principal who can do it has, by Lighthouse design, only Contributor role in the managed tenant and - if it was working - User Access Administrator role ONLY to grant specific roles to managed identities.
-
Pranay Reddy Madireddy 6,180 Reputation points Microsoft External Staff Moderator
2025-04-11T21:14:35.8433333+00:00 You are correct—while the User Access Administrator (UAA) role can be assigned to a principal in the managing tenant, its capabilities are scoped and limited. Specifically, it allows that principal to assign certain built-in roles to managed identities in the customer (managed) tenant, but it does not grant full UAA privileges as would typically be available natively within the managed tenant.
Additionally, as noted, the principal in the managing tenant will usually have the Contributor role within the managed tenant. This role limits their visibility and ability to manage role assignments comprehensively. As a result:
Role assignments across tenants cannot be viewed or managed through the Azure portal.
These assignments must be made using Azure APIs, such as ARM templates or PowerShell/CLI commands.
Even users with Owner or UAA roles in the managed tenant may not see cross-tenant role assignments made by the managing tenant principal.
This behavior is by design, to maintain strict control boundaries between managing and managed tenants while still allowing for delegated management through Azure Lighthouse.
let us know if any help, we will always help as you needed.!
If the comment is helpful, please click "Upvote it".
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Vinod Pittala 4,500 Reputation points Microsoft External Staff Moderator2025-04-14T06:04:41.3033333+00:00 Hello Alessandro Pecci,
I just wanted to check if the above provided solution worked for you or if you need any further assistance?
Please feel free to let us know, as we are always here to help whenever you need us.
Additionally, if you have a moment, please consider upvoting it if the information provided has been helpful. This can be beneficial to other community members and would be greatly appreciated.
Thank you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 82%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Venkat V 2,545 Reputation points Microsoft External Staff Moderator2025-04-22T06:13:33.6466667+00:00 Hello Alessandro Pecci,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
Vinay B 500 Reputation points Microsoft External Staff Moderator2025-04-23T12:27:20.03+00:00 Hi Alessandro Pecci,
Just checking in, have you had a chance to resolve the issue? If so, feel free to share the solution for others. If not, let us know and we’ll be glad to assist further.
Sign in to comment
Sign in to answer