Azure Ligthouse User Access Admin group not working

ObnoxiousRicotta 5 Reputation points
2023-05-16T15:45:33.9466667+00:00

In Azure AD I am assigned to an Azure Lighthouse group that is supposed to give me the 'User Access Administrator' role to all subscriptions from another tenant that is enrolled in Lighthouse. When I view my access on the subscriptions, I can see that my user has the 'User Access Administrator' role assigned.

I am trying to assign the reader role to a managed identity (MI) within the other tenant's subscription, but I get this error message: "Failed to add <MI name> as Reader for <subscription name>: The client <client> with object id <object id> does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments' over scope <subscription scope> or the scope is invalid. If access was recently granted, please refresh your credentials.."

I have tried to do it with Azure CLI and Azure PS as well, but I get the same error message.

This is the condition that is set on the role assignment of the Azure AD group:

@Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { 'b24988ac-6180-42a0-ab88-20f7382dd24c','acdd72a7-3385-48ef-bd42-f606fba81ae7' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')



Do I get the error because of this condition? Or is there something else that I don't know about?

Thanks

Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
80 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
852 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,650 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Andrew Blumhardt 9,866 Reputation points Microsoft Employee
    2023-05-16T20:36:08.5733333+00:00
    0 comments No comments

  2. Sandeep G-MSFT 20,266 Reputation points Microsoft Employee
    2023-05-19T06:58:52.9066667+00:00

    @ObnoxiousRicotta

    As per prerequisites for assigning a role to managed Identity, you just need below permission,

    however, as per your description you already have this permission set on your account.

    You can confirm once again and check if your account has above permission listed in roles.

    You can use below command to confirm the same,

    Get-AzRoleAssignment -SignInName john.doe@contoso.com

    Above command will get all role assignments made to user john.doe@contoso.com, and the groups of which he is member.

    Let me know if above solution helps you.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Luciano Pereira 0 Reputation points
    2023-06-13T17:55:20.41+00:00

    I'm having the exact same issue. And I'm also wondering if the condition created in the User Access Administrator role assignment is correct, since it shows an error in the Azure Portal.

    User's image

    In case the condition's syntax is not correct. Then it seems like there is a bug when creating a Lighthouse offer with User Access Administrator role assignment that includes delegated role definitions

    @ObnoxiousRicotta Did you have any luck solving this issue?


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.