Error While running the Add-AzVmssExtension command for adding the MMA extension to VMSS

POLINENI Kiran 1 Reputation point
2021-06-08T08:38:21.643+00:00

We have deployed Windows AKS VMSS and Log analytics workspace. For monitoring the VMSS, installing the MMA agent on Windows AKS VMSS by executing the command Add-azvmextension command and observing below error.

"Update-AzVmss: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/a377775e-028c-4f68-8970-f996cc16b86a/resourceGroups/MC_cldopstd-stamp-centralus-rg_cldopstd-centralus_centralus/providers/Microsoft.Compute/virtualMachineScaleSets/aksagentw', however the current tenant '1b16ab3e-b8f6-4fe3-9f3e-2db7fe549f6a' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'.
ErrorCode: LinkedAuthorizationFailed
ErrorMessage: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/a377775e-028c-4f68-8970-f996cc16b86a/resourceGroups/MC_cldopstd-stamp-centralus-rg_cldopstd-centralus_centralus/providers/Microsoft.Compute/virtualMachineScaleSets/aksagentw', however the current tenant '1b16ab3e-b8f6-4fe3-9f3e-2db7fe549f6a' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'.
ErrorTarget:
StatusCode: 403
ReasonPhrase: Forbidden
OperationID : ed4cc9f9-6e9f-4311-8932-72f2e922bfef"

103411-image.png

User has granted the role of Virtual machine contributor with this user can install the MMA extension on VMSS. As per Microsoft documentation Virtual machine contributor role would be fine.

103412-image.png

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,764 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,896 questions
{count} votes

1 answer

Sort by: Most helpful
  1. prmanhas-MSFT 17,891 Reputation points Microsoft Employee
    2021-06-09T06:54:53.72+00:00

    @POLINENI Kiran Apologies for the delay in response and all the inconvenience caused because of the issue.

    The mentioned issue is not because of the permission access to user but is more around the Subscription in which you are trying to do so.

    As mentioned here:

    Message: The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope <resourceID>, however the current tenant <tenantID> is not authorized to access linked subscription <subscriptionID>.

    Cause: The virtual machine or scale set was created through a SIG image in another tenant. You've tried to make a change to the virtual machine or scale set, but you don't have access to the subscription that owns the image.

    Workaround: Contact the owner of the subscription of the image version to grant read access to the image version.

    As per error message as well he client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '/subscriptions/a377775e-028c-4f68-8970-f996cc16b86a which is the current subscription you are in and this image is in '109a5e88-712a-48ae-9078-9ca8b3c81345' hence you can make use of above workaround.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.