My customer recently ran into this problem, which will come up when you try to configure your environment properly, i.e. create a resource group and give only the required access to the resources in your organisation, following the principle of least privilege. The structure looked like the one described below.
What’s going on here?
Objective: Anthony is a subscription admin and he wants to ensure role-based access control is applied to the resource groups. He takes the following steps to achieve this:
- He creates a resource group called A and gives ‘Contributor’ access on it to a user called ‘Ben’.
- He then tells Ben to go ahead and start using the resource group for the project.
- Ben logs into the portal with his credentials and tries to create a resource.
- Resource creation fails with an error that looks like this:
Registering the resource providers has failed. Additional details from the underlying API that might be helpful: ‘AuthorizationFailed’ – The client firstname.lastname@example.org’ with object id ‘b8fe1401-2d54-4fa2-b2dd-26c0b8eb69f9’ does not have authorization to perform action ‘Microsoft.Compute/register/action’ over scope ‘/subscriptions/dw78b73d-ca8e-34b9-89f4-6f716ecf833e’. (Code: AuthorizationFailed)
This stumps most people, and understandably so: if you have Contributor access to a resource group, surely you can create a resource in it, e.g. a virtual machine. So what went wrong? Look carefully at the error message and focus on ‘Microsoft.Compute/register/action’ over scope ‘/subscriptions/dw78b73d-ca8e-34b9-89f4-6f716ecf833e’. This is not an authorisation error for creating the resource; it is an authorisation error for registering a resource provider. Before the first resource of a given type can be deployed into a subscription, its resource provider (here Microsoft.Compute) has to be registered, and registration is a subscription-level action. Ben’s Contributor assignment is scoped to resource group A, so it grants him nothing at the subscription scope, and the register call is denied. This is expected and desirable: we don’t want an identity that only has rights on a resource group to be able to register or unregister resource providers for the whole subscription. So how do we solve it?
Option 1
- Log into Azure with an identity that has subscription-level rights to register a resource provider, e.g. the subscription admin or an Owner.
- Using PowerShell (PoSh), register the resource providers you need at the subscription level. You can also list which providers are available and which are already registered. A sample script is given below:
Login-AzureRmAccount
$subscriptionId = "<Subscription Id>"
Select-AzureRmSubscription -SubscriptionId $subscriptionId
# List the providers available in this subscription and their current registration state
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState
# Register every available provider (broad; if you can, register only the namespaces the project needs)
Get-AzureRmResourceProvider -ListAvailable | Register-AzureRmResourceProvider
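Registering every available provider works, but it is broader than the least-privilege setup this post is about. The following script is an added example (not part of the original post) that registers only the provider namespaces a project needs and waits until each one reports ‘Registered’ before the resource group is handed over, so the user does not hit the error above while registration is still in progress. It is written with the current Az module cmdlets (Connect-AzAccount, Set-AzContext, Get-AzResourceProvider, Register-AzResourceProvider), which take the same parameters as the AzureRm cmdlets used above. The subscription id and the namespace list are placeholders to be replaced with your own values.

```powershell
# Added example, not from the original post. Registers a fixed list of
# resource provider namespaces at subscription scope and waits for them
# to reach the 'Registered' state.
# Must be run as an identity that holds <namespace>/register/action at
# subscription scope (e.g. subscription Owner); a Contributor scoped to a
# resource group gets the AuthorizationFailed error shown in the post.

$subscriptionId = "<Subscription Id>"                      # placeholder
# Namespaces a typical VM project needs; adjust for your workload (assumption).
$needed = @("Microsoft.Compute", "Microsoft.Network", "Microsoft.Storage")

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

function Get-ProviderState([string]$Namespace) {
    # Get-AzResourceProvider returns one object per resource type in the
    # namespace; RegistrationState is namespace-wide, so read it from the first.
    return (Get-AzResourceProvider -ProviderNamespace $Namespace |
            Select-Object -First 1 -ExpandProperty RegistrationState)
}

# Kick off registration for anything not already registered.
foreach ($ns in $needed) {
    $state = Get-ProviderState $ns
    if ($state -eq "Registered") {
        Write-Host "$ns is already registered"
        continue
    }
    Write-Host "Registering $ns (current state: $state)"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# Registration is asynchronous: poll until every namespace is Registered
# or give up after a deadline so the script cannot hang forever.
$deadline = (Get-Date).AddMinutes(10)
foreach ($ns in $needed) {
    do {
        $state = Get-ProviderState $ns
        if ($state -ne "Registered") {
            if ((Get-Date) -gt $deadline) {
                throw "Timed out waiting for $ns to register (state: $state)"
            }
            Start-Sleep -Seconds 10
        }
    } while ($state -ne "Registered")
    Write-Host "$ns : $state"
}
```

Run it once per subscription before assigning Ben his resource-group Contributor role; registration is per subscription, not per user, so once these namespaces show ‘Registered’ his deployments no longer need the register action at all.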
Option 2
- Let the subscription admin/owner create the first resource of each type, e.g. a VM, in the resource group.
- This implicitly registers the resource provider for the resource types created. Because registration is per subscription rather than per user, Ben’s resource-group Contributor role is then sufficient for his own deployments of those types; a resource type whose provider has not yet been registered will still fail for him with the same error.
Hope this was helpful.
I’ll be talking to the engineering team to see if we can improve this user experience.