error when running Get-AzManagementGroup PowerShell Command from Azure function

I have a requirement to check whether a Management Group exists or not, and then create a new management group based on the result. Below is my script.


# Inputs: the group to create and the (possibly empty) parent group name
$myManagementGroupName = 'NewGroup'
$parentManagementGroup = 'Dev'
$Message = ''

if (($parentManagementGroup -eq "") -and ($myManagementGroupName -ne "")) {
    # Create the Management Group directly under the Root Management Group.
    # A missing group is the expected case here, so the lookup error is captured
    # in $notPresent instead of being raised.
    Get-AzManagementGroup -GroupName $myManagementGroupName -ErrorVariable notPresent -ErrorAction SilentlyContinue | Out-Null

    if ($notPresent) {
        # Create unique Management Group
        New-AzManagementGroup -GroupName $myManagementGroupName
        $Message = 'Management Group ' + $myManagementGroupName + ' created successfully!'
    }
    else {
        # Management Group already exists
        $Message = 'The Group with the specified name already exists!'
    }
}
elseif (($parentManagementGroup -ne "") -and ($myManagementGroupName -ne "")) {
    # Create the Management Group inside a specific parent Management Group.
    # The lookup of the new group may legitimately fail, so suppress that error too.
    $existingGroup     = Get-AzManagementGroup -GroupName $myManagementGroupName -ErrorAction SilentlyContinue
    $targetParentGroup = Get-AzManagementGroup -GroupName $parentManagementGroup

    if ($existingGroup.ParentName -ne $parentManagementGroup) {
        # Create unique child Management Group: the GUID is the immutable group ID,
        # the requested name becomes its display name.
        $GroupId = New-Guid
        New-AzManagementGroup -GroupName $GroupId -DisplayName $myManagementGroupName -ParentId $targetParentGroup.Id
        $Message = 'Management Group ' + $myManagementGroupName + ' created successfully!'
    }
    else {
        # Management Group already exists under that parent
        $Message = 'The Management Group ' + $myManagementGroupName + ' already exists in ' + $parentManagementGroup + ' Management Group'
    }
}
else {
    # Notify the user that the group name must not be empty
    $Message = 'Please provide Management GroupName!'
}
Write-Output $Message

If I run this script manually from my laptop it works, whereas if I run the script from an Azure function I get the error below.

[Error] ERROR: The client 'XXXXXX-XXX-XXXX-XXXX-XXXXXXXXX' with object id 'XXXXXX-XXXXX-XXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/Newgroup' or the scope is invalid.

After this, I would like to create a new subscription and assign it to this newly created management group.
How do I assign permission to the Azure function only while running the script?

Kindly let us know how to execute this function with the required permission.

Tags: azure-active-directory, azure-functions

@MuralidharKumar-6346,
Just checking in to see if the answer below helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further query, do let us know.
Thanks,


1 Answer

sikumars-msft answered

Hello @MuralidharKumar-6346,

Thanks for reaching out.

Can you please check whether the right permissions have been granted to the client ID you are using to run the PowerShell cmdlet? You need the Management Group Reader or Management Group Contributor role to access the management group.

You can go to your management group to verify whether the client 'XXXXXX-XXX-XXXX-XXXX-XXXXXXXXX' with object id 'XXXXXX-XXXXX-XXXXXXXXXXX' has been granted access as shown; if not, click "Add" to assign either the Reader or the Contributor role. Hope this helps.


Here is a similar post from Microsoft Q&A.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


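The role assignment the answer describes, done from PowerShell instead of the portal, as an added example that is not code from the question or the answer: it grants the Function App's system-assigned managed identity (the 'client' / 'object id' in the error) a built-in Management Group role scoped to the parent group. The Function App name 'mg-automation-func' and resource group 'rg-automation' are assumptions; 'Dev' is the parent group from the question; it assumes the Az.Accounts, Az.Functions and Az.Resources modules and a signed-in user who can assign roles at that management group (Owner or User Access Administrator there).

```powershell
# Added example, not the question's or the answer's code. Assumed names: Function App
# 'mg-automation-func' in resource group 'rg-automation'; 'Dev' is the parent group from the question.
Import-Module Az.Accounts, Az.Functions, Az.Resources -ErrorAction Stop

function Grant-FunctionIdentityMgRole {
    param(
        [Parameter(Mandatory)] [string] $FunctionAppName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ParentManagementGroup,
        # Reader is enough if the function only checks whether a group exists;
        # Contributor is required because the question's script also calls New-AzManagementGroup.
        [ValidateSet('Management Group Reader', 'Management Group Contributor')]
        [string] $RoleName = 'Management Group Contributor'
    )

    # 1. The Function App's system-assigned identity is the principal the
    #    AuthorizationFailed error names. Enable it if the app does not have one yet.
    $app = Get-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroupName
    if (-not $app.IdentityPrincipalId) {
        $app = Update-AzFunctionApp -Name $FunctionAppName -ResourceGroupName $ResourceGroupName -IdentityType SystemAssigned
    }
    $principalId = $app.IdentityPrincipalId

    # 2. Scope the assignment to the parent group: the script only reads and creates
    #    children under it, so it needs no rights at the tenant root.
    $scope = "/providers/Microsoft.Management/managementGroups/$ParentManagementGroup"

    # 3. Idempotent assignment: skip when the identity already holds the role at this scope.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        # -ObjectId avoids the directory lookup that can fail for a freshly created identity.
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    }

    # 4. Return what the identity now holds at that scope so the change can be audited.
    Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
        Select-Object RoleDefinitionName, Scope, ObjectId
}

Grant-FunctionIdentityMgRole -FunctionAppName 'mg-automation-func' -ResourceGroupName 'rg-automation' -ParentManagementGroup 'Dev'
```

In a PowerShell Function App the generated profile.ps1 runs Connect-AzAccount -Identity when a managed identity is enabled, so the question's script then executes as this principal rather than as the user who tested it from the laptop.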