Share via

SYSTEM DENY ASSIGNMENT while creating event hub

Akancha Sinha 0 Reputation points
2024-09-10T11:50:24.3133333+00:00

I am trying to create event hub for structured streaming in azure databricks , but getting below error though i am the global administrator of this account.

The client 'live.com#akanchasinha219301@gmail.com' with object id '41c037d3-d0b4-41f0-8baf-45c6dd9e85b8' has permission to perform action 'Microsoft.Resources/deployments/validate/action' on scope '/subscriptions/34abacac-399c-4915-a7e0-8108d7065a3b/resourceGroups/databricks-rg-DatabricksDemo-itdhqrl7p5ys2/providers/Microsoft.Resources/deployments/event-hub-databricks-demo'; however, the access is denied because of the deny assignment with name 'System deny assignment created by Azure Databricks /subscriptions/34abacac-399c-4915-a7e0-8108d7065a3b/resourceGroups/Databrick_resource_group/providers/Microsoft.Databricks/workspaces/DatabricksDemo' and Id '2957c2fe05644bc7a0d937bfa4d49a83' at scope '/subscriptions/34abacac-399c-4915-a7e0-8108d7065a3b/resourceGroups/databricks-rg-DatabricksDemo-itdhqrl7p5ys2'. (Code: DenyAssignmentAuthorizationFailed)

Azure Event Hubs
Azure Event Hubs
An Azure real-time data ingestion service.
630 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. PRADEEPCHEEKATLA-MSFT 88,876 Reputation points Microsoft Employee
    2024-09-11T03:00:28.03+00:00

    @Akancha Sinha - Thanks for the question and using MS Q&A platform.

    This is an known issue when you try to modify any associated resources with the Managed resource group.

    What is Managed Resource Group?

    This resource group holds all the resources that are required by the managed application. For example, this resource group contains the virtual machines, storage accounts, and virtual networks for the solution. The customer has limited access to this resource group because the customer doesn't manage the individual resources for the managed application.

    Is it possible to modify or delete the Managed Resource Group?

    When we create a Azure Databricks workspace, by design it will automatically create Databricks Managed resource Group. The managed resource group must exist as this is where your cluster(s) will be created. To ensure that nothing breaks them, they are placed in a separate resource group (managed resource group) that has a super lock on it so you cannot modify anything in it.

    This deny assignment is preventing you from accessing the underlying resources.

    For more details refer to below links:

    Azure Policy - Deny assignments: https://docs.microsoft.com/en-us/azure/role-based-access-control/deny-assignments

    SO thread addressing similar issue: https://stackoverflow.com/questions/73064767/how-to-override-deny-assignment-so-that-i-can-access-the-databricks-managed-stor

    Note: Trying to create event hub for structured streaming in azure databricks doesn't require any modification in the resources in databricks managed resources.

    Diagram showing a reference architecture for stream processing with Azure Databricks.

    The below articles explains how to use streaming with Azure Event Hubs & Databricks:

    Structured Streaming with Azure Event Hubs and Azure Databricks clusters

    Stream processing with Azure Databricks

    Stream data from Event hub to Databricks.

    Hope this helps. Do let us know if you any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.