Azure Ligthouse User Access Admin group not working

Question

Azure Ligthouse User Access Admin group not working

ObnoxiousRicotta 5

In Azure AD I am assigned to an Azure Lighthouse group that is supposed to give me the 'User Access Administrator' role to all subscriptions from another tenant that is enrolled in Lighthouse. When I view my access on the subscriptions, I can see that my user has the 'User Access Administrator' role assigned.

I am trying to assign the reader role to a managed identity (MI) within the other tenant's subscription, but I get this error message: "Failed to add <MI name> as Reader for <subscription name>: The client <client> with object id <object id> does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments' over scope <subscription scope> or the scope is invalid. If access was recently granted, please refresh your credentials.."

I have tried to do it with Azure CLI and Azure PS as well, but I get the same error message.

This is the condition that is set on the role assignment of the Azure AD group:

@Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { 'b24988ac-6180-42a0-ab88-20f7382dd24c','acdd72a7-3385-48ef-bd42-f606fba81ae7' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')

Do I get the error because of this condition? Or is there something else that I don't know about?

Thanks

JamesTran-MSFT 37,241 Reputation points Microsoft Employee Moderator

2023-05-19T17:37:25.89+00:00

@ObnoxiousRicotta

I wanted to check in and see if you had any other questions or if the answers below helped to resolve your issue? I also noticed that your recent experience was not helpful, and to better improve our processes and learn from our customers, I'm eager to know what could have been done better.

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

3 answers

Your answer

JamesTran-MSFT 37,241 Reputation points Microsoft Employee Moderator

2023-05-19T17:37:25.89+00:00

@ObnoxiousRicotta

I wanted to check in and see if you had any other questions or if the answers below helped to resolve your issue? I also noticed that your recent experience was not helpful, and to better improve our processes and learn from our customers, I'm eager to know what could have been done better.

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Luciano Pereira 0

I'm having the exact same issue. And I'm also wondering if the condition created in the User Access Administrator role assignment is correct, since it shows an error in the Azure Portal.

User's image

In case the condition's syntax is not correct. Then it seems like there is a bug when creating a Lighthouse offer with User Access Administrator role assignment that includes delegated role definitions

@ObnoxiousRicotta Did you have any luck solving this issue?

ObnoxiousRicotta 5 Reputation points

2023-06-13T19:02:44.99+00:00

No luck here. What I did was leverage the admin privileges through Microsoft Partner Center where possible and assigned roles that way.
McHu 0 Reputation points

2023-07-31T04:52:34.1466667+00:00

i have this exact issue also, everything looks ok until you try to use the permission or check the condition syntax. deploying lighthouse delegations via bicep/ARM templates using the latest API (older APIs have the same result)
McHu 0 Reputation points

2023-08-01T00:30:50.7966667+00:00

TT

The documentation doesn't really make it obvious that it's only available to these storage roles. sort of just that there are limits to the storage roles. anyway, feels like it's unsupported for User Access Administrator even though the API messaging tells you this ABAC condition needs to be configured.

'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' // User Access Administrator

McHu 0

i reformatted the condition in the code editor so it no longer has any validation errors.

for eg.

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
  OR
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 AND 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ab8e14d6-4a74-4a29-9ba8-549422addade', 'b24988ac-6180-42a0-ab88-20f7382dd24c', '92aaf0da-9dab-42b6-94a3-d43ce8d16293'}
  AND ( EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] )
  AND ( @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')
 )
)

Osejobe Ehichoya 0 Reputation points

2024-07-24T18:07:04.0333333+00:00

Anyone managed to solve this? facing a similar issue.

Formatting the existing condition does not work as it is read-only.
Osejobe Ehichoya 0 Reputation points

2024-07-24T18:10:34.2166667+00:00

@Luciano Pereira did you manage to get a solution to this?
Marco Voorwinden | Twyzer 0 Reputation points

2025-05-21T09:33:09.6066667+00:00

Did anyone manage to solve this problem, because we are bumping into the same.

Answer 2

Sandeep G-MSFT 21,136 Microsoft Employee Moderator

@ObnoxiousRicotta

As per prerequisites for assigning a role to managed Identity, you just need below permission,

Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner

however, as per your description you already have this permission set on your account.

You can confirm once again and check if your account has above permission listed in roles.

You can use below command to confirm the same,

Get-AzRoleAssignment -SignInName ******@contoso.com

Above command will get all role assignments made to user ******@contoso.com, and the groups of which he is member.

Let me know if above solution helps you.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

JamesTran-MSFT 37,241 Reputation points Microsoft Employee Moderator

2023-05-22T17:27:23.5766667+00:00

@ObnoxiousRicotta

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 3

Andrew Blumhardt 10,071 Microsoft Employee

I think you need to be a Managed Identity Operator instead.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-identity-operator

0 comments

Share via

Azure Ligthouse User Access Admin group not working

3 answers

Your answer