
Commit

Update
Jefajers authored Apr 2, 2024
1 parent 35da0e8 commit 61f3e8c
Showing 4 changed files with 13 additions and 10 deletions.
11 changes: 9 additions & 2 deletions docs/wiki/Frequently-Asked-Questions.md
Expand Up @@ -42,8 +42,15 @@ A common example of invalid characters preventing successful operations in AzOps

## Management groups not showing up in repository

If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, the engine is unable to list and create the correct folder structure for the management group hierarchy.
Proceed to manually [register the Microsoft.Management resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign the AzOps Service Principal the permissions to perform the ```/register/action``` operation for the resource provider. The permission is included in the Contributor and Owner roles.
If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, AzOps is unable to list and create the folder structure for the management group hierarchy.

To confirm if this applies to you, check the pipeline logs for the following message:

```powershell
[Initialize-AzOpsEnvironment] No management group access
```

Resolve this by registering the `Microsoft.Management` [resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign AzOps the permissions to perform the ```/register/action``` operation for the resource provider.

## Push fail with deployment already exists in location error

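Review bot: the fenced log excerpt in the added FAQ text is tagged ```powershell although it is a log line, not a PowerShell snippet; tag it ```text (or leave the fence untagged) so it is not presented as runnable code. Two smaller points on the same hunk: the message readers are told to search for is only the prefix of the string this commit introduces in Strings.psd1 ('No management group access, failed with: {0}, discovery will happen from subscription scope(s)'), so it would help to say that the logged line also carries the underlying error, which tells the reader whether the failure was the unregistered provider or a missing permission; and the bare `/register/action` mention is clearer as the full action name `Microsoft.Management/register/action` (the name the removed PowerShell branch matched on), which also lets an operator grant that single action in a custom role instead of the broader Contributor or Owner role the old text pointed to.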
2 changes: 1 addition & 1 deletion docs/wiki/Prerequisites.md
Expand Up @@ -17,7 +17,7 @@ AzOps pipelines can use either a Service Principal, or a Managed Identity if run
- Assign Azure `Owner` role at the required scope to the Service Principal/Managed Identity
- Add Service Principal/Managed Identity to Azure AD `Directory Readers` role

> Note: Listing Management groups requires that the Azure Resource Provider [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) is [registered in the Azure Subscription](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) where AzOps is initialized, this will occur automatically if the Service Principal for AzOps have the correct permissions. Otherwise the Microsoft.Management provider will have to be registered manually. The permission to register Resource providers are included in the Owner and Contributor roles.
> Note: Discovering Management groups requires the registration of the Azure resource provider `Microsoft.Management` in the Azure Subscription where AzOps is initialized. AzOps will attempt to [registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) `Microsoft.Management` if it's not already registered. If AzOps encounters any issues during this process, kindly ensure to manually register the resource provider.
The Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#directory-readers) role is required to discover Azure 'roleAssignments'. These permissions are used to enrich data around the role assignments with additional Azure AD context such as `ObjectType` and Azure AD object `DisplayName`.

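Review bot: the added note has two wording problems: 'AzOps will attempt to [registered](...) `Microsoft.Management`' should read 'attempt to [register](...)', and 'If AzOps encounters any issues during this process, kindly ensure to manually register the resource provider' reads better as 'If registration fails, register the resource provider manually'. The removed line also said where the register permission comes from (Owner and Contributor); since the Owner requirement in the bullet above is 'at the required scope', it is worth stating that this scope must include the subscription where AzOps is initialized, otherwise the principal has no right to register the provider there and the operator is sent to the FAQ without knowing why the automatic registration did not happen.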
7 changes: 2 additions & 5 deletions src/functions/Initialize-AzOpsEnvironment.ps1
Expand Up @@ -119,11 +119,8 @@
$managementGroups = Get-AzManagementGroup -ErrorAction Stop
}
catch {
if ($_.Exception.Message -match 'does not have authorization to perform action ''Microsoft.Management/register/action''') {
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.InsufficientPermissions'
} else {
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess'
}
Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' -LogStringValues $_
return
}

#region Validate root '/' permissions - different methods of getting current context depending on principalType
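Review bot: collapsing the two branches into one warning removes the only place the code told the operator that the failure was a missing `Microsoft.Management/register/action` permission, and the function then `return`s and carries on with subscription-scope discovery. That is a silent-degradation path: a pipeline expected to manage the management group hierarchy proceeds as if the hierarchy were empty, with a single warning in the log as the only signal. Dropping the match on the English error text is reasonable (it was fragile across locales and API versions), but consider making this fail loud, for example an opt-in setting that turns the warning into a terminating error when management group discovery is required, and passing `$_.Exception.Message` explicitly as the log value rather than relying on the ErrorRecord's string conversion.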
3 changes: 1 addition & 2 deletions src/localized/en-us/Strings.psd1
Expand Up @@ -157,8 +157,7 @@
'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' = 'Principal {0} does not have permissions under / in tenant, enabling partial discovery' # $currentAzContext.Account.Id
'Initialize-AzOpsEnvironment.ManagementGroup.PartialDiscovery' = 'Executing partial discovery' #
'Initialize-AzOpsEnvironment.ManagementGroup.Resolution' = 'Resolving {0} management groups' # $managementGroups.Count
'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, discovery will happen from subscription scope(s)'
'Initialize-AzOpsEnvironment.ManagementGroup.InsufficientPermissions' = 'Insufficient permissions to register the ''Microsoft.Management'' resource provider. Register the resource provider manually or assign the Service Principal the Owner or Contributor role.'
'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, failed with: {0}, discovery will happen from subscription scope(s)' # $_
'Initialize-AzOpsEnvironment.Processing' = 'Processing AzOps environment' #
'Initialize-AzOpsEnvironment.Processing.Completed' = 'AzOps environment initialization concluded' #
'Initialize-AzOpsEnvironment.ThrottleLimit.Adjustment' = 'Adjusting AzOps.Core.ThrottleLimit from {0} to 5 due to available CPU Cores ({1}) to ensure reliable and performant pipeline execution. For further details, refer to: https://github.com/azure/azops/wiki/performance-considerations' # $throttleLimit, $cpuCores
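Review bot: the new NoManagementGroupAccess string is a comma splice ('No management group access, failed with: {0}, discovery will happen ...'), and because {0} is the raw error text, which may itself contain commas, the three parts become hard to separate in a log line. Suggest 'No management group access ({0}); discovery will happen from subscription scope(s)'. Keep the leading 'No management group access' unchanged, since the FAQ text in this same commit tells users to search the pipeline log for exactly that phrase.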
