I’m trying to automate the creation of an Azure Enterprise Application using a Deployment Script, but the script fails with the error:
DeploymentScriptError: Insufficient privileges to complete the operation.
Does anyone know which permissions the script's identity needs, and how I can grant them from within the ARM template?
This is my template so far:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"customRoleId": "[guid('deployment-script-minimum-privilege-for-deployment-principal')]"
},
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"entAppName": {
"type": "string",
"metadata": {
"description": "Name of the Enterprise Application"
}
},
"identityName": {
"type": "string",
"metadata": {
"description": "Name of the User Assigned Identity"
}
}
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2023-01-31",
"name": "[parameters('identityName')]",
"location": "[parameters('location')]"
},
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[variables('customRoleId')]",
"properties": {
"roleName": "deployment-script-minimum-privilege-for-deployment-principal",
"description": "Configure least privilege for the deployment principal in deployment script",
"type": "customRole",
"IsCustom": true,
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/*",
"Microsoft.ContainerInstance/containerGroups/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/deploymentScripts/*"
]
}
],
"assignableScopes": [
"[subscription().id]"
]
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceGroup().id, variables('customRoleId'))]",
"properties": {
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('customRoleId'))]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2023-01-31').principalId]"
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
"[resourceId('Microsoft.Authorization/roleDefinitions', variables('customRoleId'))]"
]
},
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2023-08-01",
"name": "runShellScript",
"location": "[parameters('location')]",
"kind": "AzureCLI",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {}
}
},
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
],
"properties": {
"azCliVersion": "2.9.1",
"scriptContent": "
az login --identity
# Create Enterprise Application
az ad app create --display-name $1
",
"arguments": "[parameters('entAppName')]",
"timeout": "PT5M",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}