teshayat asked:

Devops Pipeline

Hi there,

I'm trying to create a DevOps pipeline for an Azure Function.

I'm an external user/guest in a tenant.
In the tenant, there's one Security group of which I am the owner, and that Security group has Contributor access to two resource groups.

But when I try to create a pipeline from my tenant, it's giving me this error:


Failed to set Azure permission 'RoleAssignmentId: ba8f4bc9-8fce-xxx-xxxxx-xxxxxxx' for the service principal '54dd-xxx-xxxx-xxxxxxxxxx' on subscription ID '548af2ae-xxx-xxxxxxxxxxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'hasin.xxxxxxxxx@' with object id '957d-5cxxxdxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/b4e3-c8xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.

The admin gave me User Administrator, but it is still giving me the same error.

I can't find any built-in roles that can do this. Moreover, the Microsoft.Authorization/roleAssignments/write right is not in the custom role rights list.

I couldn't find any other way.

Any help would be appreciated.

Thanks


azure-dev-tool-integrations

@HasinEshayat-7121, Microsoft respects your privacy. We request you not to share any PII information on the public forum (e.g. your subscription ID, phone number, email id; we have concealed these in your post).


Noted.
Thanks

JaiVerma-7010 answered:

Could you check if the subscription ID '548axxxe-xxxx-xxxxxxxxxx' is exactly the same one where you are creating the pipeline?



Hi Jay,

Yes, it's the same.

teshayat answered:

Yes, it's the same.

[Image: configurepipeline.jpg]
Update: Edited the image to conceal PII information.




Sam-Cogan answered:

You mention you were given the "User Administrator" right; assuming this is not a typo, it will not give you the rights you need, as this is an Azure AD role. What you need is "User Access Administrator"; this and "Owner" are the only two built-in roles with the Microsoft.Authorization/roleAssignments/write permission.


Hi Sam,

Thanks for your comment. I can't find the User Access Administrator role in the built-in Role list.

[Image: untitled.png]


Moreover, this Microsoft.Authorization/roleAssignments/write permission is not on the custom role rights list. That's why the admin couldn't give me the access.

Can you tell me how it can be done?

Thank you for your help.



You can find this role on your subscription.

[Image: subscription.png]

Thanks a lot.

That helped.


Thanks for the clear description, this answered my question. This is not an optimal requirement. A developer in my organization usually only has permissions on resource groups. To hand out "User Access Administrator" or "Owner" permissions on the entire subscription is not desirable; we probably need to involve one of our Azure admins to perform these steps or to create many subscriptions to separate access.


Saved us after removing old dev from system and secret expired. Thanks a ton!!!

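As an added example (not from this thread or from Microsoft), here is a small Python model of why Contributor on resource groups cannot satisfy the pipeline's role-assignment request while User Access Administrator or Owner at subscription scope can: it applies Azure RBAC's Actions-minus-NotActions wildcard matching and scope inheritance to constructed, trimmed copies of the built-in role definitions, using a constructed subscription ID and resource group names.

```python
from fnmatch import fnmatchcase

# Constructed, trimmed copies of the built-in role definitions (Actions / NotActions).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor is '*' minus the authorization writes, so it cannot assign roles.
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
}

def _matches(pattern: str, action: str) -> bool:
    # Azure action matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_grants(role: str, action: str) -> bool:
    """Effective permission = Actions minus NotActions, wildcards on both sides."""
    d = ROLE_DEFINITIONS[role]
    allowed = any(_matches(p, action) for p in d["actions"])
    excluded = any(_matches(p, action) for p in d["notActions"])
    return allowed and not excluded

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and every child scope, never a parent."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def can_perform(assignments, action: str, target_scope: str) -> list:
    """Return the (role, scope) assignments that grant `action` at `target_scope`."""
    return [(r, s) for r, s in assignments
            if scope_covers(s, target_scope) and role_grants(r, action)]

if __name__ == "__main__":
    # Constructed: Contributor on two resource groups, as in the question.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    dev = [("Contributor", f"{sub}/resourceGroups/rg-func-dev"),
           ("Contributor", f"{sub}/resourceGroups/rg-func-test")]
    action = "Microsoft.Authorization/roleAssignments/write"
    print(can_perform(dev, action, sub))  # [] -> the pipeline's Forbidden error
    print(can_perform(dev + [("User Access Administrator", sub)], action, sub))
```

The same check shows why scoping User Access Administrator to a single resource group does not help when the request is evaluated at subscription scope, which is the least-privilege tension raised in the last comments.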