# azure
s
I'm trying to create a Management Group, but it fails no matter what I try. This is the code for creating it:
// Assumed import for the snippet below (the original post omits it):
import * as management from "@pulumi/azure-native/management";

const managementGroup = new management.ManagementGroup("managementGroup", {
    details: {
        parent: {
            // Parent group the new management group is created under
            id: "/providers/Microsoft.Management/managementGroups/<id of parent group>",
        },
    },
    displayName: args.groupname,
    groupId: groupid,
    name: groupid,
});
groupid is prepared like this:
// randomUuid is a pulumi-random RandomUuid resource created elsewhere in the program (assumed)
const groupid = randomUuid.id.apply(id => {
    if (id === undefined) {
        throw new Error("Id is undefined");
    }
    return id;
});
This is the error message I get:
error: cannot check existence of resource '/providers/Microsoft.Management/managementGroups/<group id of new group>': status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '<my serviceprincipal object id>' with object id '<my serviceprincipal object id>' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/<group id of new group>' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
The service principal has the "Management Group Contributor" role on the Tenant Root Group.
c
The root management group requires special elevated permissions for interaction. My guess is you are trying to create a management group under root. Do you get the same problem if you target a non-root management group with permissions assigned there? I will try and run a test tomorrow and see if my theory is accurate.
Confirmed: I had to have user access enabled to create management groups under root. I got the same error you posted in the original message.
s
What RBAC role does the service principal need? I'm trying to create the management group under a sub-management group.
c
This is where things get weird. I also had to be on user access for sub-management groups. I also couldn't enable hierarchical permissions with user access enabled. Provisioning manually through the portal works fine without user access. I'm missing something or something broke. I would pop a Microsoft ticket and see if they can provide any insight.