Granting access to managed identity through Hybrid Agent Extensions Applications group on arc-enabled server NOT working

Jaroslav Urban 0 Reputation points
2024-10-30T13:55:15.71+00:00

Hello,

the Microsoft documentation says (https://github.com/MicrosoftDocs/cloud-adoption-framework/blob/main/docs/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management.md) that the local group "Hybrid Agent Extensions Applications" grants rights to request Azure tokens on Windows machines.

My machine is Windows Server 2022. The installed azcmagent is 1.47.02843.1892. The machine is onboarded and online in Azure Arc on the portal.

I can request tokens using any group / account that belongs to the local Administrators group. The PowerShell command is "Connect-AzAccount -identity" and afterwards I can issue any Azure commands without issues.

However, when I try to do the same with a NON-administrative account that belongs to the group "Hybrid Agent Extensions Applications", as suggested by the Microsoft documentation, the output is always the same:

WARNING: Unable to acquire token for tenant 'organizations' with error 'ManagedIdentityCredential authentication failed: Access to the path 'C:\ProgramData\AzureConnectedMachineAgent\Tokens\11870d95-9ad5-46f1-8ab7-62defb7aa132.key' is denied.

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot'

Connect-AzAccount: ManagedIdentityCredential authentication failed: Access to the path 'C:\ProgramData\AzureConnectedMachineAgent\Tokens\11870d95-9ad5-46f1-8ab7-62defb7aa132.key' is denied.

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

Why does the correct group membership fail to provide the access rights?


1 answer

Olufunso Adewumi 605 Reputation points Microsoft Employee
2024-11-02T22:23:53.1766667+00:00

Try troubleshooting with these few steps:

1. Check File Permissions: Ensure that the "Hybrid Agent Extensions Applications" group has the necessary permissions to access the token file. You can do this by checking the file permissions on C:\ProgramData\AzureConnectedMachineAgent\Tokens\11870d95-9ad5-46f1-8ab7-62defb7aa132.key. Make sure the group has read access to this file.
2. Group Policy Settings: Verify that there are no Group Policy settings that might be overriding the permissions for the "Hybrid Agent Extensions Applications" group. Sometimes, Group Policy can enforce stricter permissions that might prevent access.
3. Agent Configuration: Ensure that the Azure Connected Machine agent is correctly configured and that there are no issues with its installation. You might want to reinstall or update the agent to see if that resolves the issue.
4. Review Documentation: Double-check the Microsoft documentation to ensure that all steps have been followed correctly and that there are no additional requirements or steps that might have been missed.
5. Azure RBAC: Ensure that the Azure role-based access control (RBAC) settings are correctly configured. The "Hybrid Agent Extensions Applications" group should have the necessary roles assigned to it to request tokens.
6. Troubleshooting Guide: Follow the troubleshooting guide provided in the error message. It might have specific steps or additional information that can help resolve the issue.
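The failure in the question is a file read on a `.key` file under the agent's Tokens directory, and the answer's first step is to check that file's permissions. The script below is an added diagnostic that walks that ground one step at a time, so a non-administrative user can see exactly where access stops: whether the group is in the current logon token at all, which ACEs the group holds on the Tokens directory and on the challenge file the agent writes, and whether the documented two-request flow (unauthenticated call, 401 with a `WWW-Authenticate: Basic realm=<path>.key` header, read the file, retry with its content) completes. It is not code from the question, the answer, or the Azure Connected Machine agent. It assumes the agent's default data directory, the Arc endpoint on `localhost:40342` and `api-version=2020-06-01`, all of which are Microsoft's documented defaults; the `.key` file name is whatever the agent issues for this run, not the GUID from the question.

```powershell
# Added diagnostic for the "Access to the path ... .key is denied" failure above.
# Not code from the question, the answer, or the Azure Connected Machine agent.
# Assumed: the agent's default data directory, the documented Arc IMDS endpoint
# on localhost:40342, and api-version 2020-06-01. The .key file name is whatever
# the agent issues for this request; nothing here is tied to the GUID in the question.
$ErrorActionPreference = 'Stop'
$groupName = 'Hybrid Agent Extensions Applications'
$tokensDir = 'C:\ProgramData\AzureConnectedMachineAgent\Tokens'
$resource  = 'https://management.azure.com'
$imdsUri   = 'http://localhost:40342/metadata/identity/oauth2/token' +
             '?api-version=2020-06-01&resource=' + [uri]::EscapeDataString($resource)

# --- 1. Group membership as seen by the *current* logon token ---------------
# Membership granted after logon does not appear until the user logs off and on,
# a common reason a "correct" group appears not to work.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSid = ([System.Security.Principal.NTAccount]$groupName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
$isMember = $identity.Groups.Value -contains $groupSid
"Running as {0}; '{1}' present in current token: {2}" -f $identity.Name, $groupName, $isMember

# --- 2. Which ACEs does the group hold on a path? ---------------------------
function Show-GroupAccess([string]$Path) {
    try {
        $rules = (Get-Acl -Path $Path).Access |
                 Where-Object { $_.IdentityReference.Value -like "*\$groupName" }
        if (-not $rules) { "  $Path : no ACE for '$groupName'"; return }
        foreach ($r in $rules) {
            "  {0} : {1} {2} (inherited={3})" -f $Path, $r.AccessControlType,
                                              $r.FileSystemRights, $r.IsInherited
        }
    } catch { "  $Path : cannot read ACL ($($_.Exception.Message))" }
}
"ACL check:"; Show-GroupAccess $tokensDir

# --- 3. Walk the documented challenge flow one step at a time ---------------
# The first call carries no credential; the agent answers 401 and names the
# .key file it just wrote in the WWW-Authenticate header.
$req = [System.Net.WebRequest]::Create($imdsUri)
$req.Headers.Add('Metadata', 'true')
try   { $resp = $req.GetResponse() }
catch {
    $ex = $_.Exception
    if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
    if (-not $ex.Response) { throw "Endpoint unreachable: $($ex.Message)" }
    $resp = $ex.Response
}
$challenge = $resp.Headers['WWW-Authenticate']
$resp.Close()
if ($challenge -notmatch 'realm=(.+)$') { throw "No challenge returned; header was '$challenge'" }
$keyPath = $Matches[1].Trim()
"Challenge key file: $keyPath"
Show-GroupAccess $keyPath

# Reading the key file is exactly the step that fails in the question, so test
# it in isolation before retrying the token request.
try   { $challengeToken = (Get-Content -Path $keyPath -Raw).Trim() }
catch { throw "Cannot read key file as $($identity.Name): $($_.Exception.Message)" }

# The second call presents the file content; on success the agent returns the token.
$req2 = [System.Net.WebRequest]::Create($imdsUri)
$req2.Headers.Add('Metadata', 'true')
$req2.Headers.Add('Authorization', "Basic $challengeToken")
$resp2  = $req2.GetResponse()
$reader = [System.IO.StreamReader]::new($resp2.GetResponseStream())
$body   = $reader.ReadToEnd() | ConvertFrom-Json
$resp2.Close()
# Report only metadata, never the bearer token itself.
"Token acquired for {0}; expires_on={1}" -f $body.resource, $body.expires_on
```

Run it in a session started as the non-administrative account (not an elevated one, since elevation changes the token's group set). Step 1 separates "the group has the right" from "this logon has the group"; step 2 shows whether the group's ACE is on the directory and inherited by the challenge file, or only on the directory; step 3 pins the failure to the file read or to the endpoint. A `no ACE` result on the `.key` file while the directory shows one points at the inheritance of the agent's ACL, which is the place to compare against a freshly installed agent.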
