Hello @Andrew · Thank you for reaching out.
Looking at the error, the application is getting 403 (Forbidden) for the action 'Microsoft.Authorization/roleAssignments/write'. The <application_object_id> ID is assigned the Contributor role, and the Contributor role doesn't include permission to assign roles in Azure RBAC. This is documented here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor.
To resolve the issue, you have 2 options:
- Assign the application the Owner role. However, this is not a best practice, as security principals should be granted the least privilege needed to perform a given job.
- Create a custom role with the roleAssignments/write permission and assign this role to the application. I would suggest you prefer this option over the first one.
In your case, you can export the Contributor role and update it to include the roleAssignments/write permission. Below are the steps that you can follow for this purpose:
- Run the `Connect-AzAccount` cmdlet and sign in with the subscription owner account. If you don't have the Az module installed, please refer to Install Azure PowerShell.
- Run `Get-AzRoleDefinition contributor | ConvertTo-Json > c:\temp\rbac.json` to export the Contributor role to a JSON file.
- Open the JSON file in Notepad or any other text editor and remove the `"Microsoft.Authorization/*/Write",` line under the NotActions section.
- Also update the Name, Id, IsCustom, Description and AssignableScopes parameters. Please refer to the sample below for your reference:

```json
{
  "Name": "Custom Contributor",
  "Id": "1a200ac6-5a49-4198-9403-0af86342bd35",
  "IsCustom": true,
  "Description": "Grants full access to manage all resources, allows you to assign roles in Azure RBAC but not delete roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/TYPE_YOUR_SUBSCRIPTION_ID_HERE"
  ]
}
```

- Run `New-AzRoleDefinition -InputFile "C:\temp\rbac.json"` to create the custom RBAC role using the above JSON file.
- Run the `Get-AzRoleDefinition -Name "custom contributor"` cmdlet to view the role.
Note: The new RBAC role might not appear in the Azure Portal immediately. To see the new role in the Azure Portal right away, sign out of the Azure Portal, close the browser and sign back in.
Finally, assign the Custom Contributor RBAC role to the application. You should no longer get the StatusCode=403 error for role assignments and should instead get StatusCode=201 (Created).
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
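The same export, edit, create and assign steps carried out in one Azure PowerShell session, editing the role object directly instead of a JSON file (an added example, not part of the answer above; the subscription ID and the application's service principal object ID are placeholders):

```powershell
# Added example: clone Contributor into a custom role that can write role assignments,
# then assign it to the application. Both IDs below are placeholders, not real values.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$AppObjectId    = "11111111-1111-1111-1111-111111111111"   # placeholder: service principal object id
$Scope          = "/subscriptions/$SubscriptionId"

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Start from the built-in Contributor definition (a PSRoleDefinition object).
$role = Get-AzRoleDefinition -Name "Contributor"

# Contributor denies every Microsoft.Authorization write; that NotAction is exactly what
# blocks roleAssignments/write. Remove it so the clone can create role assignments.
$blocker = "Microsoft.Authorization/*/Write"
if (-not $role.NotActions.Remove($blocker)) {
    throw "Expected NotAction '$blocker' not found in Contributor; review the role before continuing."
}

# Turn the copy into a new custom role. Id must be empty so Azure generates a new one;
# AssignableScopes limits where the role can be assigned (least privilege for the role itself).
$role.Id          = $null
$role.Name        = "Custom Contributor"
$role.IsCustom    = $true
$role.Description = "Contributor plus permission to assign roles in Azure RBAC"
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($Scope)

New-AzRoleDefinition -Role $role | Out-Null

# Check what the created role actually allows and denies before handing it out.
$created = Get-AzRoleDefinition -Name $role.Name
if ($created.NotActions -contains $blocker) {
    throw "Custom role still denies $blocker; role assignments would keep failing with 403."
}
$created | Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes | Format-List

# Assign the custom role to the application's service principal at subscription scope.
New-AzRoleAssignment -ObjectId $AppObjectId -RoleDefinitionName $role.Name -Scope $Scope
```

Role definition and assignment changes can take a short while to propagate, so a 403 immediately after the last cmdlet does not necessarily mean the role is wrong.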