Azure-docs: InvalidRegistrationDefinitionCreateRequest with Owner Role

Created on 28 Aug 2019 · 6 Comments · Source: MicrosoftDocs/azure-docs

I'm trying to use my sample to add 3 role definitions to a tenant. I did this before using just one, with the Contributor role. Now I'm trying to use 3 roles: Owner, Reader and Contributor.
It seems like I'm having a problem only with the Owner role.

First, I tried this:

'authorizations': {'value' : [{'principalId': '{ownerGroup}','principalIdDisplayName': '{ownerGroupName}','roleDefinitionId': '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'},{'principalId': '{readerGroup}','principalIdDisplayName': '{readerGroupName}','roleDefinitionId': 'acdd72a7-3385-48ef-bd42-f606fba81ae7'},{'principalId': '{contributorGroup}','principalIdDisplayName': '{contributorGroupName}','roleDefinitionId': 'b24988ac-6180-42a0-ab88-20f7382dd24c'}]}

And I received this error message:

Deployment failed. Correlation ID: fdc75020-b4a8-4278-8907-cb33477aa4f8. { "error": { "code": "InvalidRegistrationDefinitionCreateRequest", "message": "The role definition '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' is restricted for registration definition '585f54b5-6119-50ee-9399-09bab30e3a04'. Restricted role definitions are '8e3af657-a8ff-443c-a75c-2fe8c4bcb635;18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'." } }

After that, I tried this, using Delegated Role Definitions:

'authorizations': {'value' : [{'principalId': '{ownerGroup}','principalIdDisplayName': '{ownerGroupName}','roleDefinitionId': '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', 'delegatedRoleDefinitionIds' : ['585f54b5-6119-50ee-9399-09bab30e3a04']},{'principalId': '{readerGroup}','principalIdDisplayName': '{readerGroupName}','roleDefinitionId': 'acdd72a7-3385-48ef-bd42-f606fba81ae7'},{'principalId': '{contributorGroup}','principalIdDisplayName': '{contributorGroupName}','roleDefinitionId': 'b24988ac-6180-42a0-ab88-20f7382dd24c'}]}

And now I'm receiving this error message:

Deployment failed. Correlation ID: a8b518be-6e70-4479-9c0a-70186af291a2. { "error": { "code": "InvalidRegistrationDefinitionCreateRequest", "message": "The assignable roles are supported only with the role definition 'User Access Administrator'. Update the role definition in the plan's manifest." } }

Can someone guide me here? Where am I getting lost?



All 6 comments

@lcarli Thank you for your question. Can you please share with us the URL of the doc that you are having issues with?

Please note that we scope issues on this repo to feedback related to the docs. If you have a product question, please post it on MSDN or Stack Overflow. Thank you for your understanding.

Hi, @BryanTrach-MSFT! For sure!

I used this one:
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#create-an-azure-resource-manager-template

It runs perfectly with the Contributor or Reader roles, but not with the Owner role.

Hi there - the Owner role actually can't be added. Per the note at the top of the doc: "All built-in roles are currently supported with Azure delegated resource management except for Owner and any built-in roles with DataActions permission."

Oh, gosh. My fault! Sorry about that.

Is there any further information about when we will be able to do that?

I don't have any info on that, but I'd encourage you to add your support for that suggestion (or any others) on our UserVoice page: https://feedback.azure.com/forums/922753
I'll go ahead and close this issue now, but please let us know if you have further questions about this page or others. Thanks! #please-close

Just to help anyone:

We can add as User Access Administrator and delegate to Contributor. It's like the same thing.

Thanks everybody
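The two deployment errors and the workaround in this thread can be caught before deployment. The check below is an added example, not part of the thread or of any Microsoft tooling; the finding names, the `entry` helper and the placeholder principal ID are assumptions, and the role IDs are the ones quoted above.

```python
# Added example (not from the thread): lint a Lighthouse "authorizations" list.
# The four role IDs are the ones quoted in the posts and error messages above.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
RESTRICTED = {OWNER, USER_ACCESS_ADMIN}


def check_authorizations(authorizations):
    """Return (index, finding) tuples; an empty list means no rule was hit."""
    findings = []
    for i, auth in enumerate(authorizations):
        role = auth.get("roleDefinitionId", "").lower()
        delegated = [d.lower() for d in auth.get("delegatedRoleDefinitionIds", [])]
        if role == OWNER:
            # Doc note quoted in the thread: Owner is not supported.
            findings.append((i, "owner-not-supported"))
        elif role == USER_ACCESS_ADMIN and not delegated:
            # Assumption: the first error lists this ID as restricted when used alone.
            findings.append((i, "uaa-needs-delegated-roles"))
        if delegated and role != USER_ACCESS_ADMIN:
            # Second error: assignable roles only with User Access Administrator.
            findings.append((i, "delegated-roles-require-uaa"))
        # Assumption: restricted roles cannot be handed out via delegation either.
        findings += [(i, "restricted-delegated-role") for d in delegated if d in RESTRICTED]
    return findings


def entry(role, delegated=None):
    """Build one authorization with a constructed placeholder principalId."""
    auth = {"principalId": "00000000-0000-0000-0000-000000000000", "roleDefinitionId": role}
    if delegated is not None:
        auth["delegatedRoleDefinitionIds"] = delegated
    return auth


# Constructed inputs mirroring the thread: both failed attempts, then the workaround.
FIRST_ATTEMPT = [entry(OWNER), entry(READER), entry(CONTRIBUTOR)]
SECOND_ATTEMPT = [entry(OWNER, ["585f54b5-6119-50ee-9399-09bab30e3a04"]),
                  entry(READER), entry(CONTRIBUTOR)]
WORKAROUND = [entry(USER_ACCESS_ADMIN, [CONTRIBUTOR]), entry(READER)]

if __name__ == "__main__":
    for name, auths in [("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT),
                        ("workaround", WORKAROUND)]:
        print(name, check_authorizations(auths))
```

Roles with DataActions, which the quoted doc note also excludes, are not checked here because that requires the role definitions themselves.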
