DevOps Pipeline

Tahmid Eshayat 286 Reputation points
2020-05-26T06:25:57.603+00:00

Hi there,

I'm trying to create a DevOps pipeline for an Azure Function.

I'm an external user/Guest to a tenant.
In the tenant, there's one Security group of which I am owner, and that Security group has contributor access to two resource groups.

But when I try to create a pipeline from my tenant, it's giving me this error:

Failed to set Azure permission 'RoleAssignmentId: ba8f4bc9-8fce-xxx-xxxxx-xxxxxxx' for the service principal '54dd-xxx-xxxx-xxxxxxxxxx' on subscription ID '548af2ae-xxx-xxxxxxxxxxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'hasin.xxxxxxxxx@' with object id '957d-5cxxxdxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/b4e3-c8xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.

The Admin gave me User Administrator, but it is still giving me the same error.

I can't find any built-in roles that can do this. Moreover, this right, Microsoft.Authorization/roleAssignments/write, is not in the custom roles right list.

I couldn't find any other way.

Any help would be appreciated.

Thanks


3 answers

  1. Sam Cogan 10,757 Reputation points MVP
    2020-05-26T08:48:35.033+00:00

    You mention you were given the "User Administrator" right. Assuming this is not a typo, it will not give you the rights you need, as this is an Azure AD role. What you need is "User Access Administrator"; this and "Owner" are the only two built-in roles with the Microsoft.Authorization/roleAssignments/write permission.

    1 person found this answer helpful.
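
As an added illustration of the answer above (not part of the thread and not Microsoft's code): a small Python model of how Azure RBAC combines a role's Actions, NotActions and scope inheritance, showing why Contributor on two resource groups, or the Azure AD "User Administrator" role, cannot satisfy Microsoft.Authorization/roleAssignments/write at subscription scope. The role definitions are abbreviated copies, the subscription ID and resource group names are constructed placeholders, and deny assignments, conditions and data actions are ignored.

```python
import re

# role name -> (Actions, NotActions). Abbreviated copies of built-in Azure RBAC
# roles; Contributor's real NotActions list has more entries than shown here.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": (
        ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], []),
}
# "User Administrator" is deliberately absent: it is an Azure AD directory role,
# not an Azure RBAC role, so it grants no actions on a subscription scope.

NEEDED = "Microsoft.Authorization/roleAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
# Constructed model of the asker: Contributor on two resource groups via a group.
ASKER = [("Contributor", SUB + "/resourceGroups/rg-a"),
         ("Contributor", SUB + "/resourceGroups/rg-b")]

def _matches(pattern, action):
    """Case-insensitive match where '*' in the pattern spans any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role_name, action):
    """True if the action matches Actions and is not carved out by NotActions."""
    if role_name not in ROLES:
        return False
    actions, not_actions = ROLES[role_name]
    allowed = any(_matches(p, action) for p in actions)
    excluded = any(_matches(p, action) for p in not_actions)
    return allowed and not excluded

def scope_covers(assignment_scope, target_scope):
    """Assignments inherit downward only: a parent scope covers its children."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def can_perform(assignments, action, target_scope):
    """assignments: iterable of (role_name, scope) pairs held by the principal."""
    return any(role_grants(role, action) and scope_covers(scope, target_scope)
               for role, scope in assignments)

if __name__ == "__main__":
    print("asker as described:", can_perform(ASKER, NEEDED, SUB))
    fixed = ASKER + [("User Access Administrator", SUB)]
    print("with User Access Administrator on the subscription:",
          can_perform(fixed, NEEDED, SUB))
```
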

  2. Jai Verma 461 Reputation points
    2020-05-26T07:27:03.91+00:00

    Could you check if the subscription ID '548axxxe-xxxx-xxxxxxxxxx' is exactly the same one where you are creating the pipeline?


  3. Tahmid Eshayat 286 Reputation points
    2020-05-26T07:32:14.863+00:00

    Yes, it's the same.

    8656-configurepipeline.jpg

    Update: Edited the image to conceal PII information.

