error when running Get-AzManagementGroup PowerShell Command from Azure function

Muralidhar Kumar 1 Reputation point
2021-09-14T04:27:08.87+00:00

I have a requirement to check if Management Group exists or not and then I have to create a new management group based on it. Below is my script

$myManagementGroupName = 'NewGroup'
$parentManagementGroup ='Dev'
$Message = ''
if(($parentManagementGroup -eq "") -and ($myManagementGroupName -ne "")) #Create Management Group inside Root Management Group
{
Get-AzManagementGroup -GroupName $myManagementGroupName -ErrorVariable notPresent -ErrorAction SilentlyContinue

if ($notPresent)
{

Create unique Management Group

    New-AzManagementGroup -GroupName $myManagementGroupName
    $Message = 'Management Group '+$myManagementGroupName+' created successfully !'
}
else
{

Management Group exist

    $Message = 'The Group with specified name already exist!'
}

}
elseif(($parentManagementGroup -ne "") -and ($myManagementGroupName -ne "")) #Create Management Group inside specific Management Group
{
$parentGroup = Get-AzManagementGroup -GroupName $myManagementGroupName
$targetParentGroup = Get-AzManagementGroup -GroupName $parentManagementGroup
if(($parentGroup.ParentName -ne $parentManagementGroup))
{

Create unique child Management Group

     $GroupId = New-Guid
     New-AzManagementGroup -GroupName $GroupId -DisplayName $myManagementGroupName -ParentId $targetParentGroup.Id
     $Message = 'Management Group '+$myManagementGroupName+' created successfully !'
  }
  else
  {

Management Group exist

    $Message = 'The Management Group ' +$myManagementGroupName+' already exist in '+$parentManagementGroup+' Management Group'
  }

}
else{
#Notify user about groupname should not be empty
$Message = 'Please provide Management GroupName !'
}
Echo $Message

If I run this script manually from my laptop, it is working where as If I run the script from Azure function I am getting below error.

[Error] ERROR: The client 'XXXXXX-XXX-XXXX-XXXX-XXXXXXXXX' with object id 'XXXXXX-XXXXX-XXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/Newgroup' or the scope is invalid.

After this, I would like to create a new subscription and assign it to this newly created management group.
How to assign permission to Azure function only while running the script.

Kindly let us know how to execute this function with the required permission.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,321 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,664 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Siva-kumar-selvaraj 15,556 Reputation points
    2021-09-14T08:33:12.847+00:00

    Hello @Muralidhar Kumar ,

    Thanks for reaching out.

    Can you please check if the right permissions have been granted to the client ID you are using to run the PowerShell cmdlet. You need Management Group Reader/Management Group Contributor role to access the management group.

    You can go to your management group to verify if The client 'XXXXXX-XXX-XXXX-XXXX-XXXXXXXXX' with object id 'XXXXXX-XXXXX-XXXXXXXXXXX' have been granted as shown, if not then click on "Add" to assign either of Reader or Contributor role. Hope this helps.

    131837-image.png

    Here is similar post from Microsoft Q&A.

    ---
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
    0 comments