Answering my own question (after contacting Azure support): The policy definition is correct and the error is expected behaviour. One needs Reader role rights on the management group, not just the subscription, for this to work.
Why does my custom policy try to get access to Management Group rights?

Mark Ryan (1 Reputation point)
Hi,
I am trying to write a custom policy that makes sure that a user group has a specific role within all resource groups that have a specific tag (see code below). When the policy gets evaluated, it fails with the error message:
"Failed to retrieve compliance details for the resource."
"Encountered an error while authorizing the client '[my user]' with object id '[my user id]' on action 'Microsoft.Authorization/roleAssignments/read' over scope '/providers/Microsoft.Management/managementGroups/[our top-level management group id]/providers/Microsoft.Authorization/roleAssignments/[an id I don't recognize]'."
I am guessing this indicates that the policy is trying to get rights in the management group scope? I am an owner for the subscription (to which the policy assignment is scoped), but not the management group. Is this correct and if so, how do I limit the policy to the subscription? If not, what is going wrong?
Thanks.
{
  "properties": {
    "displayName": "somename",
    "policyType": "Custom",
    "mode": "All",
    "description": "Test policy",
    "metadata": {
      "category": "some_category"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "tags['team']",
            "equals": "some_team"
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "equals": "/subscriptions/[mysubscriptionid]/providers/Microsoft.Authorization/roleDefinitions/[cost management reader role id]"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "equals": "[id of a specific group]"
              }
            ]
          }
        }
      }
    }
  }
}
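The following is an added example, not part of the original question or answer and not Azure's own evaluator: an offline Python model of the rule above that applies its "if" block to a few constructed resource groups and its existenceCondition to a constructed list of role assignments. It assumes, as the error message in the question suggests, that the role assignments visible from a resource group include the ones inherited from the subscription and the management group, so the evaluator has to read assignments at every one of those scopes, including an MG-level one that never matches. The management group name, subscription id, role definition ids and principal ids are placeholders.

```python
import re

# Constructed hierarchy and identifiers (an added example, not from the original
# post). The GUIDs are placeholders for the subscription id, role definition id
# and group object id that the question elides.
MG = "/providers/Microsoft.Management/managementGroups/mg-top"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG_OF_SUBSCRIPTION = {SUB.lower(): MG}   # assumed: one subscription under one MG
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
OTHER_ROLE_DEF = "/providers/Microsoft.Authorization/roleDefinitions/44444444-4444-4444-4444-444444444444"
GROUP_ID = "22222222-2222-2222-2222-222222222222"
OTHER_PRINCIPAL = "33333333-3333-3333-3333-333333333333"

# The policyRule from the question, with the placeholders above substituted.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "tags['team']", "equals": "some_team"},
    ]},
    "then": {"effect": "auditIfNotExists", "details": {
        "type": "Microsoft.Authorization/roleAssignments",
        "existenceCondition": {"allOf": [
            {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId", "equals": ROLE_DEF},
            {"field": "Microsoft.Authorization/roleAssignments/principalId", "equals": GROUP_ID},
        ]},
    }},
}


def resource_group(name, team):
    return {"id": f"{SUB}/resourceGroups/{name}", "name": name,
            "type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": {"team": team}}


def role_assignment(scope, principal_id, role_definition_id=ROLE_DEF):
    return {"type": "Microsoft.Authorization/roleAssignments",
            "properties": {"scope": scope, "principalId": principal_id,
                           "roleDefinitionId": role_definition_id}}


RESOURCE_GROUPS = [
    resource_group("rg-team-a", "some_team"),   # the group holds the role directly on this RG
    resource_group("rg-team-b", "some_team"),   # only an unrelated principal holds it here
    resource_group("rg-other", "other_team"),   # not selected by the "if" block
]
ROLE_ASSIGNMENTS = [
    role_assignment(f"{SUB}/resourceGroups/rg-team-a", GROUP_ID),
    role_assignment(f"{SUB}/resourceGroups/rg-team-b", OTHER_PRINCIPAL),
    # An MG-level assignment for the same group but a different role: it never
    # satisfies the condition, yet it still has to be read, like the MG-scoped
    # assignment named in the question's error message.
    role_assignment(MG, GROUP_ID, OTHER_ROLE_DEF),
]


def get_field(resource, field):
    """Resolve the field aliases used in the rule against a resource record."""
    if field == "type":
        return resource["type"]
    tag = re.fullmatch(r"tags\['([^']+)'\]", field)
    if tag:
        return resource.get("tags", {}).get(tag.group(1))
    if field.startswith("Microsoft.Authorization/roleAssignments/"):
        return resource["properties"].get(field.rsplit("/", 1)[1])
    raise ValueError(f"unsupported field alias: {field}")


def condition_holds(cond, resource):
    """allOf / anyOf / not plus the case-insensitive 'equals' operator."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    if "field" in cond and "equals" in cond:
        actual = get_field(resource, cond["field"])
        return isinstance(actual, str) and actual.lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def scope_chain(rg):
    """The RG itself plus every parent scope whose role assignments it inherits."""
    sub = rg["id"].split("/resourceGroups/")[0]
    return [rg["id"], sub, MG_OF_SUBSCRIPTION[sub.lower()]]


def evaluate(policy_rule, resource_groups, role_assignments):
    """Return (status per RG, lower-cased set of scopes whose assignments were read)."""
    details = policy_rule["then"]["details"]
    statuses, scopes_read = {}, set()
    for rg in resource_groups:
        if not condition_holds(policy_rule["if"], rg):
            statuses[rg["name"]] = "NotApplicable"
            continue
        chain = {s.lower() for s in scope_chain(rg)}
        scopes_read.update(chain)
        visible = [a for a in role_assignments
                   if a["type"] == details["type"]
                   and a["properties"]["scope"].lower() in chain]
        exists = any(condition_holds(details["existenceCondition"], a) for a in visible)
        statuses[rg["name"]] = "Compliant" if exists else "NonCompliant"
    return statuses, scopes_read


if __name__ == "__main__":
    statuses, scopes = evaluate(POLICY_RULE, RESOURCE_GROUPS, ROLE_ASSIGNMENTS)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    print("role assignments read at:", sorted(scopes))
```

The second value returned by evaluate is the practical point: every scope in it is one where the evaluating principal needs Microsoft.Authorization/roleAssignments/read, and the management group is always in it for a targeted resource group, even when no MG-level assignment matches. Adding a matching MG-level assignment (role_assignment(MG, GROUP_ID)) makes every targeted resource group in the subscription compliant, which is what inheritance means for this rule.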