Answering my own question (after contacting Azure support): The policy definition is correct and the error is expected behaviour. One needs role reader rights to the management group, not just the subscription, for this to work.
Why does my custom policy try to get access to Management Group rights?
Hi,
I am trying to write a custom policy that makes sure that a user group has a specific role within all resource groups that have a specific tag (see code below). When the policy gets evaluated, it fails with the error message:
"Failed to retrieve compliance details for the resource."
"Encountered an error while authorizing the client '[my user]' with object id '[my user id]' on action 'Microsoft.Authorization/roleAssignments/read' over scope '/providers/Microsoft.Management/managementGroups/[our top-level management group id]/providers/Microsoft.Authorization/roleAssignments/[an id I don't recognize]'."
I am guessing this indicates that the policy is trying to get rights in the management group scope? I am an owner for the subscription (to which the policy assignment is scoped), but not the management group. Is this correct and if so, how do I limit the policy to the subscription? If not, what is going wrong?
Thanks.
{
  "properties": {
    "displayName": "somename",
    "policyType": "Custom",
    "mode": "All",
    "description": "Test policy",
    "metadata": {
      "category": "some_category"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "tags['team']",
            "equals": "some_team"
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/roleAssignments",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "equals": "/subscriptions/[mysubscriptionid]/providers/Microsoft.Authorization/roleDefinitions/[cost management reader role id]"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "equals": "[id of a specific group]"
              }
            ]
          }
        }
      }
    }
  }
}
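To make the evaluation described in the question concrete, here is a small local model of how an auditIfNotExists rule of this shape is applied to a resource group. It is an added example written for this page, not code from the question author and not Azure Policy's own engine. It evaluates the post's policyRule (allOf, field/equals, and an existenceCondition over Microsoft.Authorization/roleAssignments) against constructed resource groups and role assignments, treats role assignments inherited from the subscription and the management group as part of what the existence check must read, and, following the finding in the accepted answer, reports an error when the evaluating identity lacks roleAssignments/read on the management group. Every subscription, management-group, role-definition and principal id below is a constructed placeholder standing in for the values the post redacts.

```python
import re

# Constructed placeholder ids standing in for the values the post redacts.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000001"
MANAGEMENT_GROUP = "/providers/Microsoft.Management/managementGroups/mg-root"
ROLE_DEFINITION_ID = (SUBSCRIPTION
                      + "/providers/Microsoft.Authorization/roleDefinitions/cost-management-reader")
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
RA_TYPE = "Microsoft.Authorization/roleAssignments"

# The post's policyRule with the placeholders above substituted in.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"field": "tags['team']", "equals": "some_team"},
    ]},
    "then": {"effect": "auditIfNotExists", "details": {
        "type": RA_TYPE,
        "existenceCondition": {"allOf": [
            {"field": RA_TYPE + "/roleDefinitionId", "equals": ROLE_DEFINITION_ID},
            {"field": RA_TYPE + "/principalId", "equals": PRINCIPAL_ID},
        ]},
    }},
}

TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def resolve_field(resource, name):
    """Map a policy 'field' onto the resource under test: 'type', tags['x'], or a
    <resourceType>/<property> alias read from resource['properties']."""
    if name == "type":
        return resource.get("type", "")
    tag = TAG_FIELD.match(name)
    if tag:
        return resource.get("tags", {}).get(tag.group(1), "")
    prefix = resource.get("type", "") + "/"
    if name.startswith(prefix):
        return resource.get("properties", {}).get(name[len(prefix):], "")
    return ""


def evaluate_condition(cond, resource):
    """Only the operators the post uses: allOf and field/equals.
    Azure Policy compares strings case-insensitively, so this does too."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "field" in cond and "equals" in cond:
        return str(resolve_field(resource, cond["field"])).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def effective_role_assignments(rg_id, assignments):
    """Assignments that apply to the resource group: its own plus those
    inherited from the subscription and the management group."""
    inherited_from = {rg_id, SUBSCRIPTION, MANAGEMENT_GROUP}
    return [a for a in assignments if a["properties"]["scope"] in inherited_from]


def evaluate(resource, assignments, readable_scopes, rule=POLICY_RULE):
    """Compliance state of one resource: NotApplicable, Error, Compliant or NonCompliant.

    readable_scopes models where the evaluating identity holds
    Microsoft.Authorization/roleAssignments/read. Following the post's finding
    (an assumption of this model), the management group must be among them,
    otherwise the existence check cannot be completed."""
    if not evaluate_condition(rule["if"], resource):
        return "NotApplicable"
    if not {resource["id"], SUBSCRIPTION, MANAGEMENT_GROUP} <= set(readable_scopes):
        return "Error"
    details = rule["then"]["details"]
    candidates = [a for a in effective_role_assignments(resource["id"], assignments)
                  if a["type"] == details["type"]]
    if any(evaluate_condition(details["existenceCondition"], a) for a in candidates):
        return "Compliant"
    return "NonCompliant"


# ---- constructed sample inventory ----
def resource_group(name, tags):
    return {"id": f"{SUBSCRIPTION}/resourceGroups/{name}", "type": RG_TYPE, "tags": tags}


def role_assignment(scope, role_definition_id, principal_id):
    return {"type": RA_TYPE, "properties": {"scope": scope,
            "roleDefinitionId": role_definition_id, "principalId": principal_id}}


SAMPLE_RGS = [
    resource_group("rg-finance", {"team": "Some_Team"}),   # tag differs only in case
    resource_group("rg-data", {"team": "some_team"}),
    resource_group("rg-other", {"team": "other_team"}),
]
OTHER_ROLE = SUBSCRIPTION + "/providers/Microsoft.Authorization/roleDefinitions/reader"
SAMPLE_ASSIGNMENTS = [
    role_assignment(SAMPLE_RGS[0]["id"], ROLE_DEFINITION_ID, PRINCIPAL_ID),  # satisfies the condition
    role_assignment(SUBSCRIPTION, ROLE_DEFINITION_ID, "22222222-2222-2222-2222-222222222222"),  # wrong principal
    role_assignment(MANAGEMENT_GROUP, OTHER_ROLE, PRINCIPAL_ID),  # wrong role
]


def demo(can_read_management_group=True):
    """Evaluate every sample resource group; returns {rg name: state}."""
    readable = {SUBSCRIPTION, *(r["id"] for r in SAMPLE_RGS)}
    if can_read_management_group:
        readable.add(MANAGEMENT_GROUP)
    return {r["id"].rsplit("/", 1)[-1]: evaluate(r, SAMPLE_ASSIGNMENTS, readable)
            for r in SAMPLE_RGS}


if __name__ == "__main__":
    print("with management-group read:", demo(True))
    print("without management-group read:", demo(False))
```

With read rights on the management group, rg-finance is compliant (its own assignment matches both fields), rg-data is non-compliant (the subscription-level assignment has the right role but the wrong principal, the management-group one the right principal but the wrong role), and rg-other is out of scope. Without management-group read rights the two in-scope groups cannot be evaluated at all, which is the outcome the question reports.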
2 answers
tbgangav-MSFT, 2022-07-06T14:33:19.483+00:00
Hi @Mark Ryan
Glad to know that you have self-resolved the question after contacting Azure support and thanks for sharing the answer. This would greatly benefit the other members of the Microsoft Q&A community who might be looking for similar information.