Search This Blog

Thursday, May 20, 2021

Error when Granting Access to the User at tenant root scope “/” to deploy Enterprise-Scale

Description:

You want to deploy Enterprise-Scale Architecture at your Azure Environment.

One of the prerequisite is to explicitly provide roleAssignment (RBAC) at the tenant root scope via CLI or PowerShell (Note: There’s no portal UX to make this roleAssignment)

However several error occurred when you try to run the following command at Azure CLI to provide the role Assignment.

  • az login

Error message: The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.

  • az role assignment create --scope '/'  --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query  objectId)

Error message: Failed to query --assignee-principal-type for "7786a679-034b-42cc-a23a-xxxxxxxxxxxx" by invoking Graph API. RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually. The Principal ID '"7786a679-034b-42cc-a23a-xxxxxxxxxxxx"' is not valid. Principal ID must be a GUID.

Resolution:

To fix the issue, the command needs some small changes. Instead of using the above command, try to use the following command:

  • az login -t yourdomainname.onmicrosoft.com
  • az role assignment create --scope '/'  --role 'Owner' --assignee-object-id "7786a679-034b-42cc-a23a-xxxxxxxxxxx"

No comments:

Search Google