I have my roles delegated, I am in the correct AD groups on my tenant.
However, when I go into a Logic App and try to assign a System Assigned Managed Identity, I keep getting the following error message:
Failed to add Resource as Microsoft Sentinel Contributor for RGNAME : The client 'MYUSERACCOUNT' with object id 'OBJECTID' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Authorization/roleAssignments/AssignmentID' or the scope is invalid. If access was recently granted, please refresh your credentials..
I have attached my Lighthouse offer. I have assigned UserAccessAdministrator, as this has Role Assignments Write privileges, and I have delegated the roles that it can add, which we'd need for our Logic Apps.
Line 24 - Enter TenantID
Lines 33, 38, 43, 48, 53, 58, 63, 76, 93 - Need to have the AD Groups ID from the root tenant
Line 106 - Needs the ResourceGroup of the customer's Sub, within the quotes.
I'm not sure what else I'd need to do, but this is the major sticking point for us, as we are moving all of our customers to System Assigned Managed Identities for most of our Logic Apps.
SUPPORT TICKET FOR MSFT LIGHTHOUSE OFFER.txt
Any wisdom is hugely appreciated.