Why does my custom policy try to get access to Management Group rights?

Mark Ryan 1 Reputation point
2022-06-29T11:47:04.153+00:00

Hi,
I have am trying to write a custom policy that makes sure that a user group has a specific role within all resource groups that have a specific tag (see code below). When the policy gets evaluated, it fails with the error message: 

"Failed to retrieve compliance details for the resource."  
"Encountered an error while authorizing the client '[my user]' with object id '[my user id]' on action 'Microsoft.Authorization/roleAssignments/read' over scope '/providers/Microsoft.Management/managementGroups/[our top-level management group id]/providers/Microsoft.Authorization/roleAssignments/[an id I don't recognize]'."

I am guessing this indicates that the policy is trying to get rights in the management group scope? I am an owner for the subscription (to which the policy assignment is scoped), but not the management group. Is this correct and if so, how do I limit the policy to the subscription? If not, what is going wrong?

Thanks. 

{  
  "properties": {  
    "displayName": "somename",  
    "policyType": "Custom",  
    "mode": "All",  
    "description": "Test policy",  
    "metadata": {  
      "category": "some_category",  
    },  
    "parameters": {},  
    "policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"  
          },  
          {  
            "field": "tags['team']",  
            "equals": "some_team"  
          }  
        ]  
      },  
      "then": {  
        "effect": "auditIfNotExists",  
        "details": {  
          "type": "Microsoft.Authorization/roleAssignments",  
          "existenceCondition": {  
            "allOf": [  
              {  
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",  
                "equals": "/subscriptions/[mysubscriptionid]/providers/Microsoft.Authorization/roleDefinitions/[cost management reader role id]"  
              },  
              {  
                "field": "Microsoft.Authorization/roleAssignments/principalId",  
                "equals": "[id of a specific group]"  
              }  
            ]  
          }  
        }  
      }  
    }  
  },
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
799 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Mark Ryan 1 Reputation point
    2022-07-01T14:53:47.42+00:00

    Answering my own question (after contacting Azure support): The policy definition is correct and the error is expected behaviour. One needs role reader rights to the management group, not just the subscription, for this to work.

    0 comments
  2. tbgangav-MSFT 10,386 Reputation points
    2022-07-06T14:33:19.483+00:00

    Hi @Mark Ryan

    Glad to know that you have self-resolved the question after contacting Azure support and thanks for sharing the answer. This would greatly benefit the other members of the Microsoft Q&A community who might be looking for similar information.

    0 comments