Azure Policy assignment

phasse (96 Reputation points)

I am trying to assign a policy via terraform. I am the owner of the management group however I do not understand why I am getting this exception:

Error: checking for presence of existing Policy Definition "policy_definition_uc_enforce_tag_businessunit": policy.DefinitionsClient#GetAtManagementGroup: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '**********' with object id 'ec311ed9-a620-4d3f-87bc-57b47e688fec' does not have authorization to perform action 'Microsoft.Management/managementgroups/Microsoft.Management/BOB/Microsoft.Authorization/policy_definition_uc_enforce_tag_businessunit/read' over scope '/providers/Microsoft.Management/managementgroups/providers/Microsoft.Management/managementGroups/BOB/providers/Microsoft.Authorization/policyDefinitions' or the scope is invalid. If access was recently granted, please refresh your credentials."

Any help is much appreciated.

Azure Policy

Accepted answer
phasse (96 Reputation points)

Actually, I found the problem:

I am creating the policy definitions and initiatives using Terraform. azurerm_policy_definition has an optional argument, management_group_name. I was originally just creating the definitions without providing this argument; however, when I wanted to assign the policy to a management group, it threw the above exception. It seems you need to specify the management_group_name in the definition in order to assign the definitions to child resources.
