While doing remediation in an Azure Policy assignment, getting the below error

Sourabh sourabh 0 Reputation points
2024-03-18T17:58:12.0866667+00:00

While doing remediation in Azure Policy, I am getting this error:

Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/providers/Microsoft.Management/managementGroups/eandmoney/providers/Microsoft.Authorization/policyAssignments/32a23ab6a3ab436c9f129377' resource identity does not have the necessary permissions to create deployment '/subscriptions/4124cc3b-3d5e-4bd9-9c5d-017607906f5c/resourceGroups/aro-eandmoney-uaenorth/providers/Microsoft.Resources/deployments/PolicyDeployment_6612570331883236635'. Please see https://aka.ms.rproxy.goskope.com/arm-policy-identity for usage details.

while the policy initiative has all the rights: Monitoring Contributor and Log Analytics Contributor.


1 answer

  1. AnuragSingh-MSFT 19,936 Reputation points
    2024-03-19T04:56:57.5+00:00

    Sourabh sourabh, thank you for the question.

    Note that Policies and Initiatives are two different things: a Policy helps to enforce organizational standards and to assess compliance at scale, whereas an Initiative is a collection of policies.

    Regarding permissions, the initiative/policy does not have permissions on its own. Instead, when you create a DeployIfNotExists or similar policy, a managed identity is created and assigned to the Policy/Initiative assignment. This managed identity should have all the required permissions to perform the operation/deployment as mentioned in the DeployIfNotExists block.

    Based on the error reported, there is a certain operation (deployment) being performed by the DeployIfNotExists policy for which the required permissions are not assigned.

    Based on the information available in the question, it is not clear what kind of deployment is being done by this policy. You may follow the steps below to get an idea of the required permissions:

    1. In Azure Portal --> Policy --> Assignments
    2. Search for the specific assignment for which you are getting the error when creating the remediation task.
    3. Check the "Managed identity" tab for this assignment and the relevant permissions.

    As shown above, this tab will confirm the exact role assignment to the Managed Identity associated with the policy assignment.

    Then I would suggest reviewing the deployment block in the policy definition to understand what kind of deployment this policy is attempting. Depending on the deployment, it seems that the currently assigned permissions are not enough.

    Hope this helps.

    In case the response above does not help, I would suggest sharing the permissions assigned to the identity (as shown in the screenshot above) and the policy definition json file to help us review the type of deployment being attempted.

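The check the answer describes, comparing the roles a DeployIfNotExists definition declares under `then.details.roleDefinitionIds` with the role assignments actually held by the assignment's managed identity, as an added example that is not part of the answer above. The definition JSON and the role assignment list are constructed samples (the role GUIDs are the built-in Monitoring Contributor and Log Analytics Contributor roles named in the question); the subscription ID and scopes are placeholders.

```python
import json

# Constructed sample DeployIfNotExists definition, not the asker's real one.
# then.details.roleDefinitionIds lists the roles the assignment's managed
# identity must hold at the scope of the resources being remediated. The two
# GUIDs are the built-in Monitoring Contributor and Log Analytics Contributor roles.
SAMPLE_DEFINITION = json.loads("""{
  "properties": {"policyRule": {
    "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    "then": {"effect": "DeployIfNotExists", "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"]}}}}}""")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
# Constructed role assignments of the identity, in the shape
# `az role assignment list --assignee <principalId> --all` returns them. The
# roleDefinitionId there is subscription-qualified, so compare on the trailing GUID.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
     "scope": SUB},
    {"roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
     "scope": SUB + "/resourceGroups/rg-other"},
]

def role_guid(role_definition_id):
    return role_definition_id.rsplit("/", 1)[-1].lower()

def required_role_ids(definition):
    """Role GUIDs the policy's DeployIfNotExists/Modify effect declares it needs."""
    then = definition["properties"]["policyRule"]["then"]
    return {role_guid(r) for r in then.get("details", {}).get("roleDefinitionIds", [])}

def scope_covers(assignment_scope, target_scope, ancestor_scopes=()):
    """RBAC inherits downward: an assignment covers the target if its scope equals
    the target, is a segment-aligned prefix of it, or is one of the target's
    management-group ancestors (which are not visible from the resource path)."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/") or a in {s.lower() for s in ancestor_scopes}

def missing_roles(definition, assignments, target_scope, ancestor_scopes=()):
    """Required role GUIDs the identity does not hold at or above target_scope."""
    held = {role_guid(x["roleDefinitionId"]) for x in assignments
            if scope_covers(x["scope"], target_scope, ancestor_scopes)}
    return sorted(required_role_ids(definition) - held)

if __name__ == "__main__":
    target = SUB + "/resourceGroups/rg-target"
    print("missing at", target, ":", missing_roles(SAMPLE_DEFINITION, SAMPLE_ASSIGNMENTS, target))
```

When the assignment sits at a management group, pass that group's scope in `ancestor_scopes`, since a subscription's membership in a management group cannot be read from its resource ID.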