question

AdityaNath-1817 avatar image
0 Votes"
AdityaNath-1817 asked TravisCragg-MSFT answered

Registered application not able to update VM sizes.

Hi There,

I built a small script capable of updating VM os disk size by getting the Vm and then updating the Hardware profile accordingly. The registered application has "Virtual Machine Contributor" role assigned for the scope of the VM used here.

Connect-AzureRmAccount -TenantId $tenantId -CertificateThumbprint $certificateThumbprint -ApplicationId $applicationId -ServicePrincipal   
Get-AzureRmSubscription | Where-Object {$_.Id -eq $subscriptionId} | Set-AzureRmContext   
$vm = Get-AzureRmVm -ResourceGroupName $resourceGroupName -Name $vmName   
$vm   
$vm.HardwareProfile.VmSize   
$vm.HardwareProfile.VmSize = $diskName   
Update-AzureRmVm -VM $vm -ResourceGroupName $resourceGroupName

On revisiting the script I'm seeing that it fails to propagate the changes with the following reason:

... however, it does not have permission to perform action    
'Microsoft.Network/networkInterfaces/join/action' on the linked scope(s)...

This error keeps coming with different connected components. It seems to be needing permissions to all the linked components, like NIC, OS disk and Data disks. Has there been any recent update which I'm missing? or was it bad from the start?


azure-virtual-machinesazure-ad-app-registration
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndreasBaumgarten avatar image
0 Votes"
AndreasBaumgarten answered

Hi @AdityaNath-1817 ,

First of all, even if it's maybe not the reason I would recommend not to use the AzureRM module. Instead use the AZ module.

Maybe it's possible to change the role assignment to "Contributor" just for testing if this solves the issue.

Another option for testing is:
Create a new user with "Virtual Machine Contributor" role assigned and give it a try with the script.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

TravisCragg-MSFT avatar image
0 Votes"
TravisCragg-MSFT answered

The 'Virtual Machine Contributor Role' should have access to join a Network Interface. You can find an exact definition of this role Here.

I would start by verify that the registered application has the role over the Subscription or Resource Group that you are receiving these errors on.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.