Azure Policy Definition Permission Error : AuthorizationFailed

1
votes

I am defining a custom azure policy by using this azure template (official github repo of azure). As a parameter, i am just passing the log analytics workspace name in the param. The below powershell code (taken from the azure repo) is used for that purpose, i have just added -AssignIdentity to the second command as it is necessary. As a role definition, i give owner of subscription rights inside the template.

$definition = New-AzPolicyDefinition -Name "deploy-oms-vm-extension-windows-vm" -DisplayName "Deploy default Log Analytics VM Extension for Windows VMs." -description "This policy deploys the Log Analytics VM Extensions on Windows VMs, and connects to the selected Log Analytics workspace." -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/deploy-oms-vm-extension-windows-vm/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/deploy-oms-vm-extension-windows-vm/azurepolicy.parameters.json' -Mode Indexed 
$definition
$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> -logAnalytics <logAnalytics> -PolicyDefinition $definition -AssignIdentity
$assignment

The policy is created correctly. But when i try to create a remediation task, the task fails and i get the error below:

Details Code AuthorizationFailed Message The client 'xxxx-xxx-xxxx-xxxx-xxxx' with object id 'xxxx-xxx-xxxx-xxxx-xxxx' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/xxxx-xxx-xxxx-xxxx-xxxx/resourcegroups/rg-test/providers/Microsoft.Resources/deployments/PolicyDeployment_17825756917269472742' or the scope is invalid. If access was recently granted, please refresh your credentials.

On the portal, i see that the policy definition has owner rights as i have defined. enter image description here But i also see this on the policy remediation page: enter image description here

I don't understand the reason of this error. Does someone have any idea?

2
azureazure-managed-identityazure-policy
May I know how did you create remediation task ?Hury Shen
Through portal.MoonHorse

2 Answers

0
votes

According to some test, it may be caused by your account permission. I don't think it has anything to do with the role of your policy definition.

One case to show the same error message is do the operation with wrong subscription or wrong resource group, but I think it's a very low probability to choose wrong subscription or resource group because you do it on portal.

The other case to show this error message is what I test in my side. I test with one account hasn't be assigned a role which have enough permission, it shows same error message. So please check your account role and assign a role with higher permission, then create remediation task.

0
votes

I have found a solution. So the managed identity created during the New-AzPolicyAssignment command execution, is not created with the right permission. The workaround solution is like this:

$definition = New-AzPolicyDefinition -Name "deploy-oms-vm-extension-windows-vm" -DisplayName "Deploy default Log Analytics VM Extension for Windows VMs." -description "This policy deploys the Log Analytics VM Extensions on Windows VMs, and connects to the selected Log Analytics workspace." -Policy 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/deploy-oms-vm-extension-windows-vm/azurepolicy.rules.json' -Parameter 'https://raw.githubusercontent.com/Azure/azure-policy/master/samples/Compute/deploy-oms-vm-extension-windows-vm/azurepolicy.parameters.json' -Mode Indexed 
$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> -logAnalytics <logAnalytics> -PolicyDefinition $definition -AssignIdentity

## Get newly created policy assignment object
$PolicyAssignment = Get-AzPolicyAssignment -Name $assignmentname -Scope $scope

## Extract the RoleID and ObjectID
$roleDefinitionId = [GUID]($definition.properties.policyRule.then.details.roleDefinitionIds -split "/")[4]
$objectID = [GUID]($PolicyAssignment.Identity.principalId)

## Create a role assignment from the previous information
New-AzRoleAssignment -Scope $scope -ObjectId $objectID -RoleDefinitionId $roleDefinitionId

There is a already opened issue here. I have adapted the solution from there.