I have a requirement to check whether a Management Group exists or not, and then I have to create a new management group based on that. Below is my script:
$myManagementGroupName = 'NewGroup'
$parentManagementGroup = 'Dev'
$Message = ''

if (($parentManagementGroup -eq "") -and ($myManagementGroupName -ne "")) # Create Management Group inside Root Management Group
{
    # Lookup fails with a non-terminating error when the group does not exist; capture it in $notPresent
    Get-AzManagementGroup -GroupName $myManagementGroupName -ErrorVariable notPresent -ErrorAction SilentlyContinue
    if ($notPresent)
    {
        # Create unique Management Group
        New-AzManagementGroup -GroupName $myManagementGroupName
        $Message = 'Management Group ' + $myManagementGroupName + ' created successfully !'
    }
    else
    {
        # Management Group exists
        $Message = 'The Group with specified name already exist!'
    }
}
elseif (($parentManagementGroup -ne "") -and ($myManagementGroupName -ne "")) # Create Management Group inside specific Management Group
{
    $parentGroup = Get-AzManagementGroup -GroupName $myManagementGroupName
    $targetParentGroup = Get-AzManagementGroup -GroupName $parentManagementGroup
    if ($parentGroup.ParentName -ne $parentManagementGroup)
    {
        # Create unique child Management Group
        $GroupId = New-Guid
        New-AzManagementGroup -GroupName $GroupId -DisplayName $myManagementGroupName -ParentId $targetParentGroup.Id
        $Message = 'Management Group ' + $myManagementGroupName + ' created successfully !'
    }
    else
    {
        # Management Group exists
        $Message = 'The Management Group ' + $myManagementGroupName + ' already exist in ' + $parentManagementGroup + ' Management Group'
    }
}
else
{
    # Notify user that the group name should not be empty
    $Message = 'Please provide Management GroupName !'
}
Echo $Message
If I run this script manually from my laptop, it works, whereas if I run the script from an Azure Function I get the error below.
[Error] ERROR: The client 'XXXXXX-XXX-XXXX-XXXX-XXXXXXXXX' with object id 'XXXXXX-XXXXX-XXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/Newgroup' or the scope is invalid.
After this, I would like to create a new subscription and assign it to this newly created management group.
How do I assign permission to the Azure Function only while running the script?
Kindly let us know how to execute this function with the required permission.
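The following is an added example and not part of the question above. It shows the two pieces that the error message points at: granting the Function App's system-assigned managed identity the built-in "Management Group Contributor" role scoped to the parent management group only (least privilege, rather than a tenant-wide assignment), and a lookup helper that tells "group not found" apart from "caller not authorized", because the script's `-ErrorVariable` check treats both as "not present" and would attempt a create on a 403. The Function App name and resource group are placeholders; `Dev` and `NewGroup` are taken from the question; the text markers matched in the catch block are an assumption about the service's error wording.

```powershell
# Added example (not the poster's script): least-privilege role assignment for a
# Function App's managed identity, plus an existence check that does not mask a 403.
$functionAppName       = 'my-mg-function'   # placeholder: your Function App name
$functionAppRg         = 'rg-functions'     # placeholder: its resource group
$parentManagementGroup = 'Dev'              # from the question

# 1. Resolve the Function App's system-assigned identity. It must be enabled first
#    (portal, or: Update-AzFunctionApp -ResourceGroupName $functionAppRg -Name $functionAppName -IdentityType SystemAssigned).
$app = Get-AzFunctionApp -ResourceGroupName $functionAppRg -Name $functionAppName
$principalId = $app.IdentityPrincipalId
if (-not $principalId) { throw "Enable the system-assigned identity on '$functionAppName' first." }

# 2. Grant 'Management Group Contributor' at the parent management group scope only.
#    That role carries Microsoft.Management/managementGroups/read and /write, which is
#    exactly what Get-AzManagementGroup and New-AzManagementGroup need; nothing outside
#    'Dev' is granted. The caller running this step needs Owner or User Access
#    Administrator on that scope.
$scope = "/providers/Microsoft.Management/managementGroups/$parentManagementGroup"
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
                -RoleDefinitionName 'Management Group Contributor' -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Management Group Contributor' -Scope $scope
}

# 3. Inside the function: distinguish 'absent' from 'forbidden' before deciding to create.
function Test-MgExists {
    param([Parameter(Mandatory)][string]$GroupName)
    try {
        $null = Get-AzManagementGroup -GroupName $GroupName -ErrorAction Stop
        return $true
    }
    catch {
        $msg = $_.Exception.Message
        # Assumption: the 403 text contains 'does not have authorization' (as in the
        # question's own error) and the 404 text contains 'NotFound'.
        if ($msg -match 'does not have authorization|AuthorizationFailed') {
            throw "Identity lacks Microsoft.Management/managementGroups/read on '$GroupName': $msg"
        }
        if ($msg -match 'NotFound|not found') {
            return $false
        }
        throw   # throttling, network or other errors are re-raised, never treated as 'absent'
    }
}

if (-not (Test-MgExists -GroupName 'NewGroup')) {
    New-AzManagementGroup -GroupName 'NewGroup' -DisplayName 'NewGroup' -ParentId $scope
}
```

Role assignments can take a few minutes to become effective, so a function run immediately after step 2 may still see the 403. If the group has to be created directly under the root management group instead of under `Dev`, the assignment has to be made at the root management group scope, which is a far broader grant and worth keeping separate from the identity that only manages `Dev`.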