Lighthouse Offer - I cannot add System Managed Identities to my customers Logic Apps

cc007 0 Reputation points
2024-10-18T09:48:45.4133333+00:00

I have my roles delegated, I am in the correct AD groups on my tenant.

However, when I got into a Logic App, and try to assign a System Assigned Managed Identity, I keep on getting the following error message:

Failed to add Resource as Microsoft Sentinel Contributor for RGNAME : The client 'MYUSERACCOUNT' with object id 'OBJECTID' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Authorization/roleAssignments/AssignmentID' or the scope is invalid. If access was recently granted, please refresh your credentials..

I have attached my lighthouse offer, I have assigned UserAccessAdministrator as this has Role Assignments Write privilege's, I have delegated the roles that it can add, which we'd need for our logic apps.

Line 24 Enter TenantID
Lines 33, 38, 43, 48, 53, 58, 63, 76, 93 - Need to have the AD Groups ID from the root tenant
Line 106 needs the ResourceGroup of the customers Sub, within the quotes.

I'm not sure what else I'd need to do, but this is the major sticking point for us, as we are moving all of our customers to System Assigned Managed Identities for most of our Logic Apps.

SUPPORT TICKET FOR MSFT LIGHTHOUSE OFFER.txt

Any wisdom is hugely appreciated.

Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
79 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,172 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Kilian 345 Reputation points
    2024-11-19T07:33:13.63+00:00

    To resolve the authorization issue when assigning a System Assigned Managed Identity to your Logic App, try these steps:

    1. Verify Permissions: Ensure your user account has the User Access Administrator role.
    2. Refresh Credentials: Sign out and back in, or use az account clear in Azure CLI.
    3. Check ABAC Conditions: Ensure any ABAC conditions are met.
    4. Enable Managed Identity: Turn on the System Assigned Managed Identity in the Logic App’s Identity settings.
    5. Assign Roles: Assign the necessary roles to the managed identity, like Microsoft Sentinel Contributor.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.