This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 79%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
resource identity does not have the necessary permissions to create deployment - Policy deployment fails when I run remediation task
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Vignesh Kumar R Hope the information provided is helpful. Kindly revert if you have further questions.
@Vignesh Kumar R When Azure Policy starts a template deployment when evaluating deployIfNotExists policies or modifies a resource when evaluating modify policies, it does so using a managed identity that is associated with the policy assignment. Policy assignments use managed identities for Azure resource authorization. You can use either a system-assigned managed identity that is created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum role-based access control (RBAC) role(s) required to remediate resources.
Kindly make sure you have provided necessary permissions to the managed identity that is associated with the policy assignment. For more information, you can refer this document.
Thanks for your help . I have added necessary permissions to the managed identity but still I see the remediation task fail . Policyrule.txtManaged identity I created inherited all the roles I had like contributor, resource policy contributor, log and monitoring contributor . Error : resource identity does not have the necessary permissions to create deployment
@Vignesh Kumar R Thanks for sharing the policy rule. From the policy definition, I noticed that you have just provided resource policy contributor role which only creates or modifies the policies but doesn't have permission to deploy. In highlighted section of below image, I would suggest you add necessary permissions required for deployment of resources.
I added all the 4 roles to the definition and created user assigned managed identity and tried with system assigned managed identity , but remediation task still fails with the same authentication error
@Vignesh Kumar R I have reached out to you via private message to further troubleshoot the issue. Please do respond over private message.
@Vignesh Kumar R You need to have user access administrator role in order to assign necessary permissions for managed identity on deployIfNotExists or modify assignments.
@Vignesh Kumar R Hope the provided solution is helpful. Kindly revert if you have further questions.
Hi , Could you please suggest any alternative ideas to get this done as I understand "User access administrator" role cannot be assigned to developers . I can request for other roles except owner and user access administrator role .
@Vignesh Kumar R You can assign necessary permissions to user managed identity separately from access control at required scope and use the same managed identity when assigning the policy. So that even though no permissions will be assigned when deployment as it will have the required permissions. The deployment goes through. Kindly try this and let me know if you face any issue.
@Vignesh Kumar R Kindly Accept As Answer if the provided solution is helpful.
Hi, I am facing issues creating remediation task using terraform v0.12 and Azure provider version 2.99 . Can you please let me know whether the versions that I use support "Azure subscription policy remediation" task .
@Vignesh Kumar R For the sake of other readers though, it helps to limit each thread to a single question so that people with similar issues can easily find the answers they are looking for. I would suggest you open as a separate question. Thanks.