I'm encountering an authorization issue while attempting to deploy a resource in Microsoft Azure. The deployment is failing with the following error message:

Error

The setup.ps1 file that I ran: https://github.com/MicrosoftLearning/mslearn-synapse/blob/master/Allfiles/Labs/01/setup.ps1

I've reviewed the error message and understand that the issue is related to insufficient permissions for the user (already have a Contributor role). However, I'm unsure about the specific permissions and role assignments needed to resolve this issue. Could someone provide guidance on which permissions or roles I should grant to ensure a successful deployment?

Sridevi
zineb98
  • You are getting the error while you are trying to deploy a storage account? – DileeprajnarayanThumula Aug 30 '23 at 10:37
  • Contributor cannot set role assignments in Azure RBAC. You need Contributor + User Access Administrator. Or just Owner role. – juunas Aug 30 '23 at 11:02
  • @juunas This training session is intended for trainees to carry out, and because of security concerns, providing trainees with "Owner" rights is not a viable option. This is the reason why we're looking for advice regarding the exact permissions or roles that can be allocated to the trainees' accounts. If you have recommendations for the essential minimum permissions that enable trainees to successfully finish the workshop assignments while upholding security standards, I would highly value your input. – zineb98 Aug 30 '23 at 11:54
  • @zineb98: Good to accept the solution if it has helped. This is for the benefit of the SO Community, refer SO [link](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work/5235#5235) – SPT Sep 03 '23 at 05:41

1 Answer

If you have the Contributor role, you may not assign RBAC roles to Azure resources. Know more about Role based access control/Built in roles.

To resolve the error you are facing, you need to assign the user the User Access Administrator or Owner role, which includes the permission below: Microsoft.Authorization/roleAssignments/write

If you want the least privileges instead of assigning the Owner role, you can follow the steps below to create a custom RBAC role:

Azure Portal >> Navigate to Subscriptions >> Go to your Subscription >> Next go to Access control (IAM) >> Click + Add >> Then Add custom role

Delete the Microsoft.Authorization/roleAssignments/write Permission.

Click NEXT and add Write ACTION permission.

Now you can see that Microsoft.Authorization/roleAssignments/write Permission Type is changed to ACTION.

After creating the custom RBAC role, assign this role to the user under the subscription.

By following the above steps you can resolve the issue with permissions and role assignments.

  • Good to accept the solution if it has helped. This is for the benefit of the SO Community, refer SO [link](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work/5235#5235) – SPT Sep 03 '23 at 05:41
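
The Contributor failure and the custom-role steps discussed above can be checked with a small model of how a role definition's actions and notActions combine. This is an added example, not code from the question, the answer, or the lab's setup.ps1; the built-in role entries are abbreviated to the ones relevant here, and `CLONE_ADD_ONLY` and `LAB_ROLE_ASSIGNER` are hypothetical roles constructed for illustration (the add-on role goes beyond the answer's cloning approach).

```python
import re

TARGET = "Microsoft.Authorization/roleAssignments/write"

def matches(pattern: str, action: str) -> bool:
    """Azure action patterns: '*' matches any run of characters; compare case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role: dict, action: str) -> bool:
    """Inside one role definition: effective permissions = actions minus notActions."""
    allowed = any(matches(p, action) for p in role["actions"])
    excluded = any(matches(p, action) for p in role.get("notActions", []))
    return allowed and not excluded

def user_can(assigned_roles: list, action: str) -> bool:
    """notActions is not a deny: one assigned role granting the action is enough."""
    return any(role_grants(r, action) for r in assigned_roles)

# Abbreviated copies of built-in roles (only the entries relevant to this question).
AUTHZ_EXCLUSIONS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
]
CONTRIBUTOR = {"actions": ["*"], "notActions": AUTHZ_EXCLUSIONS}
USER_ACCESS_ADMIN = {"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"]}

# Hypothetical custom roles, constructed for this example.
CLONE_ADD_ONLY = {"actions": ["*", TARGET], "notActions": AUTHZ_EXCLUSIONS}  # exclusion kept
LAB_ROLE_ASSIGNER = {"actions": [TARGET]}  # narrow add-on, assigned next to Contributor

if __name__ == "__main__":
    for name, roles in [
        ("Contributor", [CONTRIBUTOR]),
        ("User Access Administrator", [USER_ACCESS_ADMIN]),
        ("Contributor clone + added action", [CLONE_ADD_ONLY]),
        ("Contributor + LAB_ROLE_ASSIGNER", [CONTRIBUTOR, LAB_ROLE_ASSIGNER]),
    ]:
        print(f"{name}: {TARGET} -> {user_can(roles, TARGET)}")
```

A Contributor clone only gains the permission once the matching notActions entry is removed, which is why the answer's steps include the delete. Whoever holds roleAssignments/write at a scope can assign any role at that scope, so assign it at the narrowest scope the lab allows.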