Registered application not able to update VM sizes.

Aditya Nath 1 Reputation point
2021-03-23T20:07:11.753+00:00

Hi There,

I built a small script capable of updating VM OS disk size by getting the VM and then updating the Hardware profile accordingly. The registered application has "Virtual Machine Contributor" role assigned for the scope of the VM used here.

```powershell
# Sign in as the registered application (service principal) with its certificate
Connect-AzureRmAccount -TenantId $tenantId -CertificateThumbprint $certificateThumbprint -ApplicationId $applicationId -ServicePrincipal
# Select the target subscription
Get-AzureRmSubscription | Where-Object {$_.Id -eq $subscriptionId} | Set-AzureRmContext
# Fetch the VM and show its current size
$vm = Get-AzureRmVm -ResourceGroupName $resourceGroupName -Name $vmName
$vm
$vm.HardwareProfile.VmSize
# Set the new size and push the update
$vm.HardwareProfile.VmSize = $diskName
Update-AzureRmVm -VM $vm -ResourceGroupName $resourceGroupName
```

On revisiting the script I'm seeing that it fails to propagate the changes with the following reason:

... however, it does not have permission to perform action    
'Microsoft.Network/networkInterfaces/join/action' on the linked scope(s)...

This error keeps coming with different connected components. It seems to be needing permissions to all the linked components, like NIC, OS disk and Data disks. Has there been any recent update which I'm missing? Or was it bad from the start?


2 answers

  1. Andreas Baumgarten 96,361 Reputation points MVP
    2021-03-23T21:09:57.65+00:00

    Hi @Aditya Nath ,

    First of all, even if it's maybe not the reason, I would recommend not using the AzureRM module. Instead, use the Az module.

    Maybe it's possible to change the role assignment to "Contributor" just for testing if this solves the issue.

    Another option for testing is:
    Create a new user with "Virtual Machine Contributor" role assigned and give it a try with the script.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2021-03-23T21:11:52.907+00:00

    The 'Virtual Machine Contributor Role' should have access to join a Network Interface. You can find an exact definition of this role Here.

    I would start by verifying that the registered application has the role over the Subscription or Resource Group that you are receiving these errors on.

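The scope check suggested in the second answer, as an added example that is not part of the original thread: it lists the VM and the resources it links to, and reports which of the application's role assignments actually cover each one. It assumes the Az module, a signed-in session that is allowed to read role assignments, and managed disks; the three angle-bracket values are placeholders.

```powershell
# Added example, not from the thread. Assumes the Az module and a signed-in
# session (Connect-AzAccount) that is allowed to read role assignments.
$resourceGroupName = '<resource-group>'   # placeholder
$vmName            = '<vm-name>'          # placeholder
$applicationId     = '<application-id>'   # placeholder
$nicAction = 'Microsoft.Network/networkInterfaces/join/action'  # from the error text

$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $vmName

# The VM plus the resources it links to (NICs, OS disk, data disks).
$linked = @($vm.Id) +
          @($vm.NetworkProfile.NetworkInterfaces.Id) +
          @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
          @($vm.StorageProfile.DataDisks.ManagedDisk.Id) | Where-Object { $_ }

# Every role assignment held by the service principal, at any scope.
$assignments = Get-AzRoleAssignment -ServicePrincipalName $applicationId

# True when the role's Actions match the action and no NotActions entry excludes it.
function Test-RoleAllowsAction([string]$RoleName, [string]$Action) {
    $def     = Get-AzRoleDefinition -Name $RoleName
    $allowed = @($def.Actions    | Where-Object { $Action -like $_ })
    $denied  = @($def.NotActions | Where-Object { $Action -like $_ })
    ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

foreach ($id in $linked) {
    # An assignment applies when its scope is the resource itself or an ancestor.
    $covering = @($assignments | Where-Object {
        $scope = $_.Scope.TrimEnd('/')
        $id -eq $scope -or $id.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)
    })
    $roles = @($covering.RoleDefinitionName | Sort-Object -Unique)
    [pscustomobject]@{
        Resource      = $id
        InScope       = $covering.Count -gt 0
        Roles         = $roles -join ', '
        # Only meaningful for NICs; left empty for the VM and its disks.
        AllowsNicJoin = if ($id -like '*/networkInterfaces/*') {
            [bool]($roles | Where-Object { Test-RoleAllowsAction $_ $nicAction })
        } else { $null }
    }
}
```

A row with `InScope` false means the assignment sits on a scope that does not contain that linked resource, for example on the VM alone rather than on its resource group.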