Connect hybrid machines to Azure Arc using a Service Principal delegated with Lighthouse

Nathanael Santschi 131 Reputation points
2021-02-19T13:46:01.49+00:00

Documentation

I've used this documentation to connect a hybrid machine to Azure: https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal

Creating Service Principal

I've created a service principal in our Service Provider tenant and deployed the "Azure Connected Machine Onboarding" built-in role for this service principal, using Lighthouse, to a customer subscription.
So the Service Provider has the "Azure Connected Machine Onboarding" role on the specific subscription in the customer tenant.
Should it not be possible to connect a hybrid machine to Azure Arc with this service principal, which has delegated permission through Azure Lighthouse, instead of creating a service principal directly in the customer tenant?

I've tried it and it creates the Azure Arc resource but can't connect to it, and I've got some errors concerning the application ID of the service principal.

Install Agent and Connect Script

I've used the script with the parameters as described:

    # Download the package
    function download() { $ProgressPreference = "SilentlyContinue"; Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile AzureConnectedMachineAgent.msi }
    download

    # Install the package
    msiexec /i AzureConnectedMachineAgent.msi /l*v installationlog.txt /qn | Out-String

    # Run connect command
    # --tenant-id: first I used the customer tenant ID here, but this seems to be wrong because the
    # service principal is in our tenant, and I also got an error on this, so I changed it to our
    # service provider tenant.
    & "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
        --service-principal-id "<ID of the service principal which I've created in our service provider tenant>" `
        --service-principal-secret "<secret>" `
        --resource-group "<the specific resource group in the customer tenant>" `
        --tenant-id "<tenant ID>" `
        --location "<specific location>" `
        --subscription-id "<subscription ID of the customer tenant>"

Errors:

  1. The first error, which I got when I used the tenant ID of the customer (yep, wrong tenant):

    time="2021-02-19T12:35:04Z" level=error msg="Failed to acquire authorization token from SPN" Application Id=Error="adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier 'SP ID' was not found in the directory 'CUSTOMER TENANT ID'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenanT

  2. The error I got when I used our tenant ID (service provider, where the service principal is):

    time="2021-02-19T12:43:12Z" level=error msg="Onboarding failed with response status: Request error: Error occurred during heart beat, Details: adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier 'APPID' was not found in the directory 'IDXXXXXXXXXXXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: c809f586-b27e-4176-bf80-321edc293100\r\nCorrelation ID: 6c7c669c-0151-41fb-bb7e-1ff04858e7c6\r\nTimestamp: 2021-02-19 12:43:02Z\",\"error_codes\":[700016],\"timestamp\":\"2021-02-19 12:43:02Z\",\"trace_id\":\"c809f586-b27e-4176-bf80-321edc293100\",\"correlation_id\":\"6c7c669c-0151-41fb-bb7e-1ff04858e7c6\",\"error_uri\":\"https://login.windows.net/error?code=700016\"}" Error="Error response from agent"
    time="2021-02-19T12:43:12Z" level=error msg="Created Arc resource nasaarctest21 but couldn't connect it. You may delete the ARM resource and run azcmagent connect again to onboard." Error="<nil>"
    time="2021-02-19T12:43:12Z" level=fatal msg="Error response from agent"

Note

It works fine when I create the service principal directly in the customer tenant, but because we want to use Lighthouse as far as possible, I was wondering whether this scenario shouldn't work as well.
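A small log-triage helper, added here as an example (it is not part of the question, nor code from azcmagent): it parses the agent's logfmt-style lines, pulls the application/directory pair out of the escaped AADSTS700016 JSON body, and flags entries where the directory named in the error is not the tenant the service principal was created in. The sample lines are constructed with placeholder IDs, and the log layout is assumed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of azcmagent log lines modelled on the output quoted in the question.
# The IDs are placeholders, not real values.
SAMPLE_LOG = r'''time="2021-02-19T12:35:04Z" level=error msg="Failed to acquire authorization token from SPN" Error="adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier 'SP-APP-ID' was not found in the directory 'CUSTOMER-TENANT-ID'. You may have sent your authentication request to the wrong tenant.\",\"error_codes\":[700016]}"
time="2021-02-19T12:43:12Z" level=error msg="Created Arc resource nasaarctest21 but couldn't connect it." Error="<nil>"
'''

# logfmt-style key=value pairs; quoted values may contain backslash-escaped quotes
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# The AADSTS "application not found in directory" text inside the escaped JSON body
AADSTS_RE = re.compile(
    r"AADSTS(?P<code>\d+): Application with identifier '(?P<app_id>[^']+)' "
    r"was not found in the directory '(?P<directory>[^']+)'"
)

@dataclass
class Finding:
    time: str
    level: str
    msg: str
    aadsts_code: Optional[str] = None
    app_id: Optional[str] = None
    directory: Optional[str] = None

def parse_line(line: str) -> Optional[Finding]:
    """Split one agent log line into fields; extract AADSTS details if present."""
    fields = {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}
    if "level" not in fields:
        return None  # not an agent log line
    f = Finding(fields.get("time", ""), fields["level"], fields.get("msg", ""))
    m = AADSTS_RE.search(line)
    if m:
        f.aadsts_code, f.app_id, f.directory = m.group("code", "app_id", "directory")
    return f

def tenant_mismatches(log_text: str, sp_home_tenant: str) -> List[Finding]:
    """Findings where AAD reported the app missing from a directory other than the tenant
    the service principal was created in, i.e. the token request went to the wrong tenant."""
    return [
        f for f in map(parse_line, log_text.splitlines())
        if f and f.aadsts_code == "700016" and f.directory != sp_home_tenant
    ]

if __name__ == "__main__":
    for f in tenant_mismatches(SAMPLE_LOG, "PROVIDER-TENANT-ID"):
        print(f"{f.time}: app {f.app_id} asked {f.directory} for a token, not its home tenant")
```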
