Insufficient privileges New-MgOauth2PermissionGrant_CreateExpanded error #96
Comments
Hi @jeevanions, I'll refer you to the prerequisites section of our documentation, which can be found here: https://azure.github.io/ipam/#/deployment/README?id=prerequisites The script is attempting to assign "Reader" at the Root Management Group, so whatever principal you're using to execute the script will need Hope that helps, if not we're always here for additional assistance, or even 1:1 support if required.
Thank you for your quick reply. We have changed the scope to one of the subscriptions, and the SP we use is the owner of the subscription. Does this solution only work with the Management Group scope?
@DCMattyG Also, we have two sub-management groups under the root management group. Could we set the scope to one of the child management groups?
At the moment, the "out of the box" deployment script targets the Root Management Group. That said, there are others who have modified the script to target a child Management Group, so it can be done (see Discussion #90). Alternatively, you can manually assign the Engine App Registration as a Reader on those Management Groups, and that should be sufficient. As always, happy to work closely with you to ensure success. I'm also open to feedback, perhaps to add an additional deployment field to override the currently hard-coded scope of the script execution.
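The manual workaround described above (granting the Engine App Registration the Reader role at a child Management Group rather than at the Root Management Group) can be done with the Az PowerShell module. The snippet below is an added example and is not part of the Azure IPAM project or of this thread; it assumes the Az.Accounts and Az.Resources modules are installed, that you are already signed in with a principal allowed to create role assignments at that scope, and that the application ID and Management Group name are placeholders you replace with your own values.

```powershell
# Added example (not Azure IPAM project code): assign the Reader role to the
# Engine App Registration's service principal at a child Management Group.
# Assumptions: Az.Accounts + Az.Resources installed, Connect-AzAccount already
# run as a principal that may create role assignments at this scope.

$engineAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: Engine App Registration (client) ID
$mgName      = 'child-mg-placeholder'                   # placeholder: child Management Group name/ID

# Resolve the service principal object that backs the app registration.
$sp = Get-AzADServicePrincipal -ApplicationId $engineAppId
if (-not $sp) { throw "No service principal found for application $engineAppId" }

# Management Group scopes use this resource ID format.
$scope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Idempotent: Get-AzRoleAssignment -Scope also returns assignments inherited
# from parent scopes, so filter on the exact scope before deciding to create.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq $scope }

if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    Write-Host "Assigned Reader to $($sp.DisplayName) at $scope"
} else {
    Write-Host "Reader is already assigned to $($sp.DisplayName) at $scope"
}

# Verify what the Engine SP holds at this scope (inherited assignments included).
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

Scoping the assignment to the child Management Group keeps the Engine identity's read access limited to the subscriptions under that group, which is the least-privilege option when a deployment does not need tenant-wide visibility; the final query lets you confirm nothing broader than Reader was granted.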
Ok, there are a couple of pieces of feedback that I can think of.
Thanks for the feedback @jeevanions, my thoughts below:
@DCMattyG I managed to deploy the solution for one of the child management groups and used the two-part deployment approach. The AppOnly option does throw an error during the Microsoft Graph OAuth permission grant in 3 places. So I have commented out just these three places and requested our admin to perform a permission grant. Then I used the parameters file to deploy the infrastructure. Now the web UI is available to the whole directory. Is there a chance to allow users from a particular AD group to log in rather than users from the whole tenant?
Hey there @jeevanions, at this moment there's no way within the Azure IPAM tool to strictly control user access. There is the construct of Admins/Non-Admins, and for non-admins, when they login to the Azure IPAM tool, the only things they are presented are what they can already see today within the Azure Portal itself because we're using their same AuthN/AuthZ to query Azure Resource Graph. There are two options here:
I'm more than open to your thoughts on this matter. Please let me know what you'd like to see as next steps. Thanks!
I have started the deploy script for a POC, and I am stuck with this error.
We use an SP with the necessary permission to log in from the command line, and we are not sure what permission needs to be given to the SP we use here. Any clue/suggestion?
The SP we use has restricted permission, so we definitely need to add more, but we are not sure which one.