Update - Microsoft.Management missing from Subscription during Initialize (#871)

* Adding additional information for Azure Resource Provider prereq

* adding Management groups not showing up in repo to faq

* Correcting spelling mistake

* Adding a string match for insufficient permissions

* Adding error message for insufficient permissions

* Update

* Update Prerequisites.md

Changing from "Registered" to "Register".

---------

Co-authored-by: sebastian claesson <[email protected]>
Co-authored-by: Jesper Fajers <[email protected]>
3 people authored Apr 3, 2024
1 parent f3b5da7 commit 02c19f0
Showing 4 changed files with 17 additions and 2 deletions.
13 changes: 13 additions & 0 deletions docs/wiki/Frequently-Asked-Questions.md
Expand Up @@ -7,6 +7,7 @@ This article answers frequently asked questions relating to AzOps.
- [AzOps FAQ](#azops-faq)
- [In this Section](#in-this-section)
- [Subscriptions or resources not showing up in repository](#subscriptions-or-resources-not-showing-up-in-repository)
- [Management groups not showing up in repository](#management-groups-not-showing-up-in-repository)
- [Push fail with deployment already exists in location error](#push-fail-with-deployment-already-exists-in-location-error)
- [Does AzOps use temporary files](#does-azops-use-temporary-files)
- [Pull fail with active pull request already exists error](#pull-fail-with-active-pull-request-already-exists-error)
Expand Down Expand Up @@ -39,6 +40,18 @@ Remove the invalid resource or character and retry the operation.

A common example of invalid characters preventing successful operations in AzOps is with [Visual Studio Enterprise](https://azure.microsoft.com/en-us/pricing/offers/ms-azr-0063p/) based subscriptions. The default resource name of said subscriptions contains the "``" [EN DASH](https://www.cogsci.ed.ac.uk/~richard/utf-8.cgi?input=2013&mode=hex) character. Example: `visual studio enterprise subscription – mpn`.

## Management groups not showing up in repository

If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, AzOps is unable to list and create the folder structure for the management group hierarchy.

To confirm if this applies to you, check the pipeline logs for the following message:

```powershell
[Initialize-AzOpsEnvironment] No management group access
```

Resolve this by registering the `Microsoft.Management` [resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign AzOps the permissions to perform the ```/register/action``` operation for the resource provider.

## Push fail with deployment already exists in location error

If you have changed `"Core.DefaultDeploymentRegion":` from the default `northeurope` post initial setup, subsequent Push/Deployments might fail with an error as below:
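
Review bot: The log excerpt in the new "Management groups not showing up in repository" section quotes only `No management group access`, but that warning is written from a catch block around `Get-AzManagementGroup -ErrorAction Stop`, so it appears for any failure of that call, not only for an unregistered provider. Since this commit also appends `failed with: {0}` to the string, the FAQ should tell readers to check the error text after `failed with:` before concluding that `Microsoft.Management` registration is the cause. Two smaller points in the resolution sentence: `/register/action` is wrapped in triple backticks while `Microsoft.Management` in the same sentence uses single ones, and naming the full operation, `Microsoft.Management/register/action`, would make the required permission unambiguous.
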
2 changes: 2 additions & 0 deletions docs/wiki/Prerequisites.md
Expand Up @@ -17,6 +17,8 @@ AzOps pipelines can use either a Service Principal, or a Managed Identity if run
- Assign Azure `Owner` role at the required scope to the Service Principal/Managed Identity
- Add Service Principal/Managed Identity to Azure AD `Directory Readers` role

> Note: Discovering Management groups requires the registration of the Azure resource provider `Microsoft.Management` in the Azure Subscription where AzOps is initialized. AzOps will attempt to [register](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) `Microsoft.Management` if it's not already registered. If AzOps encounters any issues during this process, kindly ensure to manually register the resource provider.
The Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#directory-readers) role is required to discover Azure 'roleAssignments'. These permissions are used to enrich data around the role assignments with additional Azure AD context such as `ObjectType` and Azure AD object `DisplayName`.

> Theses steps require PowerShell 7 and _Az.Accounts_, _Az.Resources_, _Microsoft.Graph.Applications_ and _Microsoft.Graph.Identity.DirectoryManagement_ modules, they will be installed.
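
Review bot: The added `> Note:` line sits between the `Directory Readers` bullet and the paragraph that explains that role, which separates the two; placing the note after that paragraph keeps the role explanation together. As shown here, the note is also followed immediately by the `The Azure Active Directory [Directory Readers]...` paragraph, and without a blank line after the blockquote Markdown treats that paragraph as a continuation of the quote. The note should state what AzOps needs for the automatic registration to succeed (the register action for the provider on the subscription), and the last sentence reads more clearly as "If registration fails, register the resource provider manually."
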
2 changes: 1 addition & 1 deletion src/functions/Initialize-AzOpsEnvironment.ps1
Expand Up @@ -119,7 +119,7 @@
$managementGroups = Get-AzManagementGroup -ErrorAction Stop
}
catch {
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess'
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' -LogStringValues $_
return
}
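
Review bot: `-LogStringValues $_` in the catch block passes the whole error record and relies on its string conversion when it is formatted into `{0}`; passing `$_.Exception.Message` makes explicit what ends up in the pipeline log. The catch is also untyped, so every failure of `Get-AzManagementGroup` is still reported under the `NoManagementGroupAccess` key and followed by `return`. Now that the cause is logged, consider whether failures other than missing access or an unregistered provider should stop the run instead of falling back to subscription-scope discovery with only a warning.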

2 changes: 1 addition & 1 deletion src/localized/en-us/Strings.psd1
Expand Up @@ -157,7 +157,7 @@
'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' = 'Principal {0} does not have permissions under / in tenant, enabling partial discovery' # $currentAzContext.Account.Id
'Initialize-AzOpsEnvironment.ManagementGroup.PartialDiscovery' = 'Executing partial discovery' #
'Initialize-AzOpsEnvironment.ManagementGroup.Resolution' = 'Resolving {0} management groups' # $managementGroups.Count
'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, discovery will happen from subscription scope(s)'
'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, failed with: {0}, discovery will happen from subscription scope(s)' # $_
'Initialize-AzOpsEnvironment.Processing' = 'Processing AzOps environment' #
'Initialize-AzOpsEnvironment.Processing.Completed' = 'AzOps environment initialization concluded' #
'Initialize-AzOpsEnvironment.ThrottleLimit.Adjustment' = 'Adjusting AzOps.Core.ThrottleLimit from {0} to 5 due to available CPU Cores ({1}) to ensure reliable and performant pipeline execution. For further details, refer to: https://github.com/azure/azops/wiki/performance-considerations' # $throttleLimit, $cpuCores
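
Review bot: In the changed `NoManagementGroupAccess` string, `{0}` sits in the middle of the sentence, so an error message that itself contains commas or several sentences will run into `, discovery will happen from subscription scope(s)` and be hard to read in the log. Move the placeholder to the end, for example `No management group access, discovery will happen from subscription scope(s). Failed with: {0}`, so the fixed text stays together and the variable error text comes last.
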