Missing permissions on Datacollection rules for Policy MI

[sandorhofman]

What happened? Provide a clear and concise description of the bug, including deployment details.

I deployed ALZ-Bicep v0.18.0 with the default policy assignments. It created DCR's and a UMI in the management subscription. After deploying a VM in a Online subscription I get policy deployment errors.

The reason for this behaviour is that the DCR is in the platform management group while the policy assignment is on the landingzone management group. The managed identy from the landingzone group has no permissions for the datacollection rules in the management subscription. The same thing is happening for ChangeTracking and UMI assignments.

Please provide the correlation id associated with your error or bug.

c449650d-4e60-4919-a907-9db4811ac4a3

What was the expected outcome?

Creation of a DataCollectionRule Association between the Azure Monitor Agent and the DCR in the Management Subscription.

Relevant log output

The client 'app-id of policy MI' with object id '...' has permission to perform action 'Microsoft.Insights/dataCollectionRuleAssociations/write' on scope '/subscriptions/...onlinesubguid..../resourcegroups/vm-online/providers/Microsoft.Compute/virtualMachines/vm-online/providers/Microsoft.Insights/dataCollectionRuleAssociations/assoc-55mf2y3zlwzjc'; however, it does not have permission to perform action(s) 'Microsoft.Insights/dataCollectionRules/read' on the linked scope(s) '/subscriptions/...mgmt subscription.../resourceGroups/alz-mg-p-rg001/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)

Check previous GitHub issues

• I have searched the issues for this item and found no duplicate

Code of Conduct

• I agree to follow this project's Code of Conduct

[jtracey93]

tagging @arjenhuitema for awareness and oversight on all things AMA.

Is there something missing from an RBAC role assignment perspective in ALZ Bicep @arjenhuitema that @oZakari can add?

[arjenhuitema]

It looks like the Managed Identity of the policy assignments within the Landing Zone scope lacks Reader and Managed Identity Operator permissions on the Platform, which are necessary to access the DCRs and assign the UAMI. I’ve put together a table that shows which permissions are needed for each policy assignment and shared that with @oZakari

[bgawale]

we ran into the similar issue today and founds this thread. @arjenhuitema @oZakari could you share that table of permissions here if it hasn't been published elsewhere?

[oZakari]

Hey @bgawale and @sandorhofman,

Sorry for the delay. This has been on my radar and something I will be working on hopefully fixing in the next couple of days.

Essentially, the managed identity of the assignment on the Landing Zone scope needs the following permissions:

Policy	Permissions	Scope for permissions
Change Tracking Arc/ Hybrid	Reader	Platform/Landing Zones
Change Tracking VM	Reader, ManagedIdentityOperator	Platform/Landing Zones
Change Tracking VMSS	Reader, ManagedIdentityOperator	Platform/Landing Zones
MDfC Defender SQL AMA	Reader, ManagedIdentityOperator	Platform/Landing Zones
VM Monitoring Arc/ Hybrid	Reader	Platform/Landing Zones
VM Monitoring VM	Reader, ManagedIdentityOperator	Platform/Landing Zones
VM Monitoring VMSS	Reader, ManagedIdentityOperator	Platform/Landing Zones

[sandorhofman]

I have deployed again using v0.20.1 but the permissions are still not assigned.