InsufficientPrivilegesForManagedServiceResource #39

Closed
jpendyala opened this issue Oct 4, 2019 · 11 comments

Comments

@jpendyala

I get "InsufficientPrivilegesForManagedServiceResource" error when I run the template. Is linking partner ID a mandatory step? Can I deploy the template without a partner ID?

@krnese
Contributor

krnese commented Oct 5, 2019

Can you point me to the template you are deploying?
From an RBAC perspective, we require the customer (who onboards) to be Owner.

@krnese
Contributor

krnese commented Oct 7, 2019

And you are:

  1. Deploying this as a user in the customer tenant?
  2. The user has Owner permission at the subscription?
  3. You deploy it as a subscription level template (New-AzDeployment / az deployment create)?

@jpendyala
Author

jpendyala commented Oct 7, 2019

I'm deploying it in the customer tenant using New-AzDeployment. I'm the GA in the customer tenant and owner on the subscription in the customer tenant.

I created a TemplateParameterFile by including my Principal ID and Reader Role Def ID in the authorizations section of the file.

@krnese
Contributor

krnese commented Oct 8, 2019

Are you deploying it as a guest account, or as a user belonging to the customer AAD?
Can you please deploy it as a user originating from the customer AAD with Owner permission at scope?

@jpendyala
Author

I followed the PowerShell steps mentioned in this document:
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer

I'm a user in the customer AAD and I have Owner permission at the subscription.

@krnese
Contributor

krnese commented Oct 10, 2019

Thanks. Can you please open a support ticket so we can investigate further?

@dorankerkhofs

dorankerkhofs commented Oct 16, 2019

I experienced exactly the same issue.

I was connected with Azure AD only (Connect-AzureAD).
When I connected to the Azure account it worked (Connect-AzAccount).

Good Luck!

@jpendyala
Author

Let me try that.
Thanks @dorankerkhofs

@krnese
Contributor

krnese commented Oct 30, 2019

Did it work?

@krnese krnese closed this as completed Dec 4, 2019
@0x113

0x113 commented Jun 15, 2022

Sorry for reopening this, but I'm facing the same issue. I want to onboard a user into my tenant. The user that executes the template has a custom role, and he is not an Owner. The custom role has these permissions:

```json
"permissions": [
    {
        "actions": [
            "Microsoft.Resources/deployments/read",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/deployments/delete",
            "Microsoft.Resources/deployments/cancel/action",
            "Microsoft.Resources/deployments/validate/action",
            "Microsoft.Resources/deployments/operations/read",
            "Microsoft.Resources/deployments/operationstatuses/read",
            "Microsoft.Resources/deploymentScripts/read",
            "Microsoft.Resources/deploymentScripts/write",
            "Microsoft.Resources/deploymentScripts/delete",
            "Microsoft.Resources/deploymentScripts/logs/read",
            "Microsoft.ManagedServices/registrationDefinitions/write",
            "Microsoft.ManagedServices/registrationAssignments/write",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
            "Microsoft.Resources/deployments/whatIf/action",
            "Microsoft.Resources/deployments/exportTemplate/action",
            "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
            "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
            "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
            "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
            "Microsoft.ManagedServices/register/action",
            "Microsoft.ManagedServices/unregister/action",
            "Microsoft.ManagedServices/marketplaceRegistrationDefinitions/read",
            "Microsoft.ManagedServices/operations/read",
            "Microsoft.ManagedServices/registrationAssignments/read",
            "Microsoft.ManagedServices/registrationAssignments/delete",
            "Microsoft.ManagedServices/registrationDefinitions/read",
            "Microsoft.ManagedServices/registrationDefinitions/delete",
            "Microsoft.ManagedServices/operationStatuses/read",
            "Microsoft.ManagedIdentity/register/action",
            "Microsoft.ManagedIdentity/operations/read",
            "Microsoft.ManagedIdentity/identities/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
            "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
            "Microsoft.ManagedIdentity/userAssignedIdentities/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
    }
]
```

I tried to deploy the template but I'm getting InsufficientPrivilegesForManagedServiceResource. For me, it looks like I do have enough permissions. Do I still need to have an "Owner" role for the deployment?
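The recurring question in this thread is which permission Owner carries that a deployment-focused custom role does not. Azure's Lighthouse onboarding documentation requires the onboarding account to hold a role with `Microsoft.Authorization/roleAssignments/write` (which Owner grants), because a registration assignment delegates access. The script below is an added example, not code from this repository: it applies Azure RBAC's wildcard and `notActions` matching to constructed role definitions modelled on the custom role above and on the Owner and Contributor built-in roles, and reports which onboarding actions each role is missing. The function names and the `ONBOARDING_ACTIONS` list are assumptions made for this example.

```python
import fnmatch

# Constructed role definitions: the custom role from the comment above (only the
# relevant actions reproduced), an Owner-style role, and a Contributor-style role.
CUSTOM_ROLE = {"permissions": [{
    "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.ManagedServices/registrationDefinitions/write",
        "Microsoft.ManagedServices/registrationAssignments/write",
        "Microsoft.ManagedServices/register/action",
    ],
    "notActions": [],
}]}
OWNER_ROLE = {"permissions": [{"actions": ["*"], "notActions": []}]}
# Contributor-style role: everything except role-assignment management.
CONTRIBUTOR_LIKE = {"permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
}]}

# Actions exercised by a Lighthouse onboarding deployment (assumed list for this
# example): the two ManagedServices writes the template performs, plus the
# role-assignment write that Azure requires of the onboarding account.
ONBOARDING_ACTIONS = [
    "Microsoft.ManagedServices/registrationDefinitions/write",
    "Microsoft.ManagedServices/registrationAssignments/write",
    "Microsoft.Authorization/roleAssignments/write",
]


def _matches(action, patterns):
    # Azure RBAC action strings are case-insensitive and '*' matches any run of
    # characters including '/', so "Microsoft.Authorization/*/Write" covers
    # "Microsoft.Authorization/roleAssignments/write".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_allowed(role, action):
    # Allowed when some permission block's actions match and its notActions do not.
    return any(_matches(action, p["actions"]) and not _matches(action, p.get("notActions", []))
               for p in role["permissions"])


def missing_actions(role, required=ONBOARDING_ACTIONS):
    # Return the required actions this role does not effectively grant.
    return [a for a in required if not action_allowed(role, a)]


if __name__ == "__main__":
    for name, role in [("custom", CUSTOM_ROLE), ("contributor-like", CONTRIBUTOR_LIKE), ("owner", OWNER_ROLE)]:
        print(name, "missing:", missing_actions(role) or "nothing")
```

Running it shows the custom role and the Contributor-style role both lack the role-assignment write, while Owner lacks nothing, which is the gap that surfaces as InsufficientPrivilegesForManagedServiceResource.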
