I'm trying to create Management Groups using the Azure Landing Zones bicep template as follows:
az deployment tenant create --location westeurope --template-file managementGroups.bicep
However, I'm getting the following error:
The client 'xxx' with object id 'yyy' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/managementGroups' or the scope is invalid.
For deployment I'm using a dedicated service principal (AAD Application Registration), which has an "Owner" role assigned at the level of the "Tenant Root Group" management group.
I also tried creating a custom RBAC role with action 'Microsoft.Resources/deployments/validate/action' and scope '/providers/Microsoft.Resources/deployments/managementGroups' but it's invalid. It only allows the scope '/providers/Microsoft.Resources/deployments/managementGroups/id-of-root-mg'.
What is strange is that when I execute the template using my personal account (not the AAD application), which is also an Owner at the "Tenant Root Group", then it works.
At the management group level, give your service principal the Owner role to grant it the necessary permissions to deploy the Bicep template. Also, you can create a custom role and assign the appropriate permissions, as you already did. Instead of deploying it through the template or Portal, try using Azure PowerShell as shown below. Refer to this article by @CODING WITH TAZ for a better understanding of the Bicep template for creating and deploying the management groups.

Regarding this issue, check whether any restrictions or firewalls are blocking deployments by other tenant roots in the same subscription. Check with the administrator for the restricted privileges.
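As an added illustration (not the answerer's own snippet, and not from the ALZ project), the Azure PowerShell steps a practitioner would use to check what the service principal actually holds at the tenant root scope "/" (which is a different scope from the "Tenant Root Group" management group) and then validate the tenant-scoped Bicep deployment before creating it. The variables $spObjectId and $tenantId are placeholders you must fill in; the role assignment at "/" is shown commented out because granting it requires elevated access.

```powershell
# Placeholders: the deployment principal's object id and the AAD tenant id.
$spObjectId = '<service-principal-object-id>'
$tenantId   = '<tenant-id>'

# The "Tenant Root Group" management group has the tenant id as its name;
# role assignments there do NOT cover the tenant root scope "/".
$rootMgScope = "/providers/Microsoft.Management/managementGroups/$tenantId"

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. What does the principal hold at the management group vs. at "/"?
Write-Host "Assignments at Tenant Root Group:"
Get-AzRoleAssignment -ObjectId $spObjectId -Scope $rootMgScope |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

Write-Host "Assignments at tenant scope '/':"
Get-AzRoleAssignment -ObjectId $spObjectId -Scope '/' |
    Where-Object { $_.Scope -eq '/' } |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 2. Tenant-level deployments (targetScope = 'tenant') are authorized at "/".
#    Granting this requires a principal with elevated access at "/";
#    prefer Contributor over Owner if the template only creates MGs.
# New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName 'Contributor' -Scope '/'

# 3. Validate first; this is the call that exercises
#    Microsoft.Resources/deployments/validate/action at tenant scope.
$validation = Test-AzTenantDeployment -Location 'westeurope' `
    -TemplateFile './managementGroups.bicep'

if ($validation) {
    Write-Host "Validation failed:"
    $validation | Format-List
} else {
    # 4. Only deploy once validation is clean.
    New-AzTenantDeployment -Location 'westeurope' `
        -TemplateFile './managementGroups.bicep'
}
```

Run the script as the service principal itself (Connect-AzAccount -ServicePrincipal) to reproduce the exact authorization context that az deployment tenant create uses.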