diff --git a/docs/wiki/Frequently-Asked-Questions.md b/docs/wiki/Frequently-Asked-Questions.md index 810aa885..5a13d2dc 100644 --- a/docs/wiki/Frequently-Asked-Questions.md +++ b/docs/wiki/Frequently-Asked-Questions.md 
@@ -42,8 +42,15 @@ A common example of invalid characters preventing successful operations in AzOps ## Management groups not showing up in repository -If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, the engine is unable to list and create the correct folder structure for the management group hierarchy. -Proceed to manually [register the Microsoft.Management resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign the AzOps Service Principal the permissions to perform the ```/register/action``` operation for the resource provider. The permission is included in the Contributor and Owner roles. +If the [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) resource provider is not registered in the subscription where AzOps is initialized, AzOps is unable to list and create the folder structure for the management group hierarchy. + +To confirm if this applies to you, check the pipeline logs for the following message: + +```powershell +[Initialize-AzOpsEnvironment] No management group access +``` + +Resolve this by registering the `Microsoft.Management` [resource provider](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) in the Azure Subscription or assign AzOps the permissions to perform the ```/register/action``` operation for the resource provider. ## Push fail with deployment already exists in location error diff --git a/docs/wiki/Prerequisites.md b/docs/wiki/Prerequisites.md index 6f6e1219..22671b0a 100644 --- a/docs/wiki/Prerequisites.md 
+++ b/docs/wiki/Prerequisites.md @@ -17,7 +17,7 @@ AzOps pipelines can use either a Service Principal, or a Managed Identity if run - Assign Azure `Owner` role at the required scope to the Service Principal/Managed Identity - Add Service Principal/Managed Identity to Azure AD `Directory Readers` role -> Note: Listing Management groups requires that the Azure Resource Provider [Microsoft.Management](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers#management-resource-providers) is [registered in the Azure Subscription](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) where AzOps is initialized, this will occur automatically if the Service Principal for AzOps have the correct permissions. Otherwise the Microsoft.Management provider will have to be registered manually. The permission to register Resource providers are included in the Owner and Contributor roles. +> Note: Discovering Management groups requires the registration of the Azure resource provider `Microsoft.Management` in the Azure Subscription where AzOps is initialized. AzOps will attempt to [registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) `Microsoft.Management` if it's not already registered. If AzOps encounters any issues during this process, kindly ensure to manually register the resource provider. The Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#directory-readers) role is required to discover Azure 'roleAssignments'. These permissions are used to enrich data around the role assignments with additional Azure AD context such as `ObjectType` and Azure AD object `DisplayName`. 
diff --git a/src/functions/Initialize-AzOpsEnvironment.ps1 b/src/functions/Initialize-AzOpsEnvironment.ps1 index fb7d8627..a689bc5d 100644 --- a/src/functions/Initialize-AzOpsEnvironment.ps1 +++ b/src/functions/Initialize-AzOpsEnvironment.ps1 @@ -119,11 +119,8 @@ $managementGroups = Get-AzManagementGroup -ErrorAction Stop } catch { - if ($_.Exception.Message -match 'does not have authorization to perform action ''Microsoft.Management/register/action''') { - Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.InsufficientPermissions' - } else { - Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' - } + Write-AzOpsMessage -LogLevel Warning -LogString 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' -LogStringValues $_ + return } #region Validate root '/' permissions - different methods of getting current context depending on principalType diff --git a/src/localized/en-us/Strings.psd1 b/src/localized/en-us/Strings.psd1 index 84f27560..8c43862c 100644 --- a/src/localized/en-us/Strings.psd1 +++ b/src/localized/en-us/Strings.psd1 
@@ -157,8 +157,7 @@ 'Initialize-AzOpsEnvironment.ManagementGroup.NoRootPermissions' = 'Principal {0} does not have permissions under / in tenant, enabling partial discovery' # $currentAzContext.Account.Id 'Initialize-AzOpsEnvironment.ManagementGroup.PartialDiscovery' = 'Executing partial discovery' # 'Initialize-AzOpsEnvironment.ManagementGroup.Resolution' = 'Resolving {0} management groups' # $managementGroups.Count - 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, discovery will happen from subscription scope(s)' - 'Initialize-AzOpsEnvironment.ManagementGroup.InsufficientPermissions' = 'Insufficient permissions to register the ''Microsoft.Management'' resource provider. Register the resource provider manually or assign the Service Principal the Owner or Contributor role.' + 'Initialize-AzOpsEnvironment.ManagementGroup.NoManagementGroupAccess' = 'No management group access, failed with: {0}, discovery will happen from subscription scope(s)' # $_ 'Initialize-AzOpsEnvironment.Processing' = 'Processing AzOps environment' # 'Initialize-AzOpsEnvironment.Processing.Completed' = 'AzOps environment initialization concluded' # 'Initialize-AzOpsEnvironment.ThrottleLimit.Adjustment' = 'Adjusting AzOps.Core.ThrottleLimit from {0} to 5 due to available CPU Cores ({1}) to ensure reliable and performant pipeline execution. For further details, refer to: https://github.com/azure/azops/wiki/performance-considerations' # $throttleLimit, $cpuCores
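Review bot: In the Frequently-Asked-Questions.md hunk, the fenced block showing `[Initialize-AzOpsEnvironment] No management group access` is tagged `powershell` although it is a log line, not a script; a plain `text` fence would be more accurate and avoids misleading syntax highlighting. Also note that with the Strings.psd1 change in this same patch the emitted warning becomes `No management group access, failed with: ..., discovery will happen from subscription scope(s)`, so the FAQ should say to look for a message beginning with (or containing) that text rather than implying an exact match. Minor grammar in the last added line: "Resolve this by registering ... or assigning AzOps the permissions ...".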
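Review bot: In the Prerequisites.md hunk the added note has a typo, "AzOps will attempt to [registered](...) `Microsoft.Management`" should read "attempt to [register](...)", and "kindly ensure to manually register the resource provider" reads awkwardly; suggest "If AzOps fails to register it, register the resource provider manually." The removed sentence stating that the permission to register resource providers is included in the Owner and Contributor roles was useful context for readers troubleshooting the registration step; consider keeping a short version of it, since the bullet above only mandates `Owner` at the required scope and the registration happens at subscription scope.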
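Review bot: In the Initialize-AzOpsEnvironment.ps1 hunk, the added `return` inside the `catch` changes control flow: previously a failure of `Get-AzManagementGroup` only logged a warning and execution continued into the "Validate root '/' permissions" region and the rest of initialization, whereas now the function exits immediately. The warning string still promises that "discovery will happen from subscription scope(s)", so please confirm that returning here still leads to subscription-scope discovery elsewhere; if it does not, either drop the `return` or adjust the message. Collapsing the two branches also removes the targeted hint for the `Microsoft.Management/register/action` authorization failure; since the raw error is now embedded via `-LogStringValues $_`, consider passing `$_.Exception.Message` instead of the whole ErrorRecord to keep the log line single-line and free of the position/invocation details that `$_` stringifies with.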
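Review bot: In the Strings.psd1 hunk the new `NoManagementGroupAccess` string interpolates the full caught error as `{0}` in the middle of the sentence, so a multi-line exception message will split the warning across lines and make the trailing "discovery will happen from subscription scope(s)" easy to miss in pipeline logs; suggest placing `{0}` at the end (for example `'No management group access, discovery will happen from subscription scope(s). Failed with: {0}'`) or passing only the exception message from the caller. The removed `InsufficientPermissions` key is no longer referenced by the ps1 change in this patch, which is consistent, and the `# $_` trailing comment follows the file's convention for documenting placeholders.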