
Our network engineer left the company for another opportunity and I inherited the role of Network Engineer. I was trying to RDP to one of our virtual machines, but could never connect. I want to reboot the server, and every time I click on restart or stop, I get the following error:

Failed to restart the virtual machine 'DC-AZUREPOLK-02'. Error: The client 'XXXXXXXX@XXX.XXX' with object id 'a11ede69-8ab4-4a9a-82cb-c74fe972070d' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/restart/action' over scope 'RG-POLK-PROD/providers/Microsoft.Compute/virtualMachines/DC-AZUREPOLK-02' or the scope is invalid. If access was recently granted, please refresh your credentials.

I'm fairly new to Azure and trying to find my way around. I don't know where to go to resolve this issue and am looking for a little help to resolve it.

1 Answer


This is explained in a GitHub issue:

The service principal you are using doesn't have rights within that tenant.

Tenants have subscriptions and service principals belong to tenants. Azure Resource Manager also exposes role-based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.

This is a really common issue. We've added a specific command in Azure CLI (https://github.com/Azure/azure-cli) to set up a service principal for automation with role-based authorization already baked in.

You want to use the az ad sp create-for-rbac command.

Henrik Pingel
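Whichever kind of principal is behind the denial, the fix is a role assignment at the narrowest scope that covers the action, not a broad grant at subscription level. The following Python helper is an added example (not code from the page or from Microsoft): it parses an ARM authorization error like the one quoted in the question and emits the Azure CLI commands to audit the principal's existing assignments and grant a role scoped to the single VM. The action-to-role table, the subscription ID placeholder and the user-vs-service-principal inference from the client name are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the error text quoted in the question, with the page's own identifiers.
SAMPLE_ERROR = (
    "Failed to restart the virtual machine 'DC-AZUREPOLK-02'. Error: The client "
    "'XXXXXXXX@XXX.XXX' with object id 'a11ede69-8ab4-4a9a-82cb-c74fe972070d' "
    "does not have authorization to perform action "
    "'Microsoft.Compute/virtualMachines/restart/action' over scope "
    "'RG-POLK-PROD/providers/Microsoft.Compute/virtualMachines/DC-AZUREPOLK-02' "
    "or the scope is invalid. If access was recently granted, please refresh your credentials."
)

# Assumption: a built-in role that contains each action. A custom role carrying only
# the denied action is tighter still; extend this table for other denials you see.
ACTION_TO_ROLE = {
    "Microsoft.Compute/virtualMachines/restart/action": "Virtual Machine Contributor",
    "Microsoft.Compute/virtualMachines/start/action": "Virtual Machine Contributor",
    "Microsoft.Compute/virtualMachines/deallocate/action": "Virtual Machine Contributor",
}

DENIAL_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<oid>[0-9a-f-]{36})' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

def parse_denial(text: str) -> Optional[Dict[str, str]]:
    """Pull principal, object id, action and scope out of an ARM authorization error."""
    m = DENIAL_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    # ARM reports the scope relative to the subscription here; a role assignment needs the
    # full resource ID, so a labelled placeholder marks the prefix the operator must fill in.
    if not d["scope"].startswith("/subscriptions/"):
        d["scope"] = "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/" + d["scope"]
    # Assumption: a UPN (contains '@') is a user; anything else is a service principal.
    d["principal_type"] = "User" if "@" in d["client"] else "ServicePrincipal"
    d["role"] = ACTION_TO_ROLE.get(d["action"], "<custom role containing " + d["action"] + ">")
    return d

def remediation_commands(d: Dict[str, str]) -> List[str]:
    """Audit what the principal already holds at that scope, then grant only at the VM."""
    return [
        f"az role assignment list --assignee {d['oid']} --scope \"{d['scope']}\" "
        "--include-inherited -o table",
        f"az role assignment create --assignee-object-id {d['oid']} "
        f"--assignee-principal-type {d['principal_type']} "
        f"--role \"{d['role']}\" --scope \"{d['scope']}\"",
    ]
```

Run the list command first: if the principal already holds a role at a parent scope, the problem is the account or tenant you are signed in to, not a missing assignment.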