Question

Azure AD Level Permission for User to execute FSM installer

  • 9 November 2022
  • 5 replies
  • 195 views


Hi all,

I am experiencing the following issue while executing the FSM installer using a customer-provided user.

When checked from the Azure AD level, the user doesn't have any assigned roles.

My question is: what are the exact roles the user should have assigned at the Active Directory level to execute the installer? Is there any documentation from RND I can refer to regarding the Azure installation user's permissions at the AD level?


Also, customers are not willing to provide Global or any kind of administrator privilege to the current user.


11/9/2022 3:25:56 PM: Error occurred while creating the service principal to authenticate with ResourceManagement client New-AzADServicePrincipal: The role assignment creation operation failed with the error: 'The client 'ifs@XXXXX.net' with object id '4e83b984-4af8-47a1-99d9-5e6a6cb0063c' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4ed92412-5367-4a99-8f5e-b24346ce976d/providers/Microsoft.Authorization/roleAssignments/e4be2d1c-3417-4740-b661-0e9c231626fc' or the scope is invalid. If access was recently granted, please refresh your credentials.'
This means the role assignment was not able to be created. Please assign a role manually with help of the Service Principal Id.
11/9/2022 3:25:56 PM: Error occurred while setting Azre subscription.
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS700016: Application with identifier '4485e2c0-e72e-40f6-a62a-438dd8abe521' was not found in the directory 'XXXXX Flotte s.r.l.'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant


Thank you,

Best Regards,

Teshan.


5 replies


Hi Teshan,

when running the FSM Installer it’s required to be an “Owner” of the Subscription. However, when it comes to Azure Subscriptions outside IFS this might not be enough, as the Installer creates a Service Account on Azure tenant level, which requires elevated permissions (tenant admin).
See also this post:

Apparently, this was fixed, but one of our customers still faced the issue and raised a Case. They received a hotfix with some adjustments to the FSM Installer exe. As far as I’m aware it worked for them without having to use admin tenant permissions, and the fix should be included in the next Update. I can provide you with the Case ID.

Best regards
Roman


Thank you, Roman, can you please send me the case ID? According to the above thread, this should be fixed from U14 onwards, but this customer is using the U16 setup.

Resource group owner is already granted. Other than resource group level permissions, the user should have roles assigned at the Azure Active Directory level to manage deployment from the API level to tenant resources. Customers have different resource groups; if a user is granted Global admin or DevOps admin privilege it can access every resource within the tenant, and they are not willing to do that.

What should be the default permission at the Active Directory level for the user executing the installer to do deployment and resource creation within tenant → resource group?

There was nothing assigned to this user. If customers are not willing to use their global admin or DevOps admin for IFS FSM installer execution, there should be a specific set of assigned roles required to do the execution.

For IFS CLOUD FSM deployment, we can use our internal user to do the deployment from delivery VMs. I hope someone from the AD team or Product team can give an exact set of roles for the assigned user for deploying the FSM application.


Hi Teshan,

as said, it was apparently fixed, but a customer of mine faced it as well with UPD20 - that’s why they received a hotfix.
Resource Group Owner isn’t enough. The user needs to have the Owner role at Subscription level, e.g. like here for my account in an internal IFS Subscription:

This allows creating new resource groups in the subscription.

In addition, global admin on AD tenant level is required - unless you are using the hotfix / updated Installer when available in UPD22. Otherwise, you will not be able to create the Service Account User through the Installer. This User can’t be created manually prior to running the Installer, as the UID for this User is hardcoded in the Installer - unless you are using the hotfix, which allows providing a UID from the manually created Service Account.

Concluding, the only options you have at the moment with UPD16 are to provide the above mentioned roles to the user executing the Installer, or to go with U20 and request the hotfix from the provided Case / wait for UPD22.

Best regards
Roman
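A pre-flight check for the two requirements described in the reply above (Owner at subscription scope rather than on a single resource group, and the tenant-level service principal the installer authenticates with), so the gap is visible before the installer fails. This is an added example, not IFS code or part of the FSM installer; it assumes the Az PowerShell module with Connect-AzAccount already run as the user who will execute the installer, and $InstallerAppId is a placeholder for the application id the installer expects (the one reported in the AADSTS700016 line of the log).

```powershell
<#
  Added pre-flight check, not part of the FSM installer or IFS documentation.
  Assumes: Az PowerShell module, Connect-AzAccount already run as the installer user.
  $InstallerAppId is a placeholder; substitute the application id from your installer log.
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $InstallerAppId = '00000000-0000-0000-0000-000000000000'   # placeholder
)

$ctx   = Get-AzContext
$scope = "/subscriptions/$SubscriptionId"
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Check 1: Owner (or User Access Administrator) at subscription scope or above.
# Only those roles carry Microsoft.Authorization/roleAssignments/write over the
# whole subscription; an Owner assignment on one resource group does not, which
# is exactly the authorization error the installer log shows.
$roles = Get-AzRoleAssignment -SignInName $ctx.Account.Id -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -in @('Owner', 'User Access Administrator') }

# Assignments inherited from management group or root scope are included here.
$subLevel = @($roles | Where-Object { $_.Scope -notlike "$scope/*" })
$rgOnly   = @($roles | Where-Object { $_.Scope -like "$scope/resourceGroups/*" })

if ($subLevel.Count -gt 0) {
    Write-Host "OK: $($subLevel[0].RoleDefinitionName) at scope $($subLevel[0].Scope)"
} else {
    Write-Warning "No Owner / User Access Administrator at subscription scope $scope."
    if ($rgOnly.Count -gt 0) {
        Write-Warning "Only resource-group level assignments found: $($rgOnly.Scope -join ', ')"
    }
}

# Check 2: does the service principal the installer expects already exist in
# this tenant? If not, the installer has to create it, which is the directory
# (tenant-level) step that a subscription Owner alone cannot perform.
$sp = Get-AzADServicePrincipal -ApplicationId $InstallerAppId -ErrorAction SilentlyContinue
if ($sp) {
    Write-Host "OK: service principal '$($sp.DisplayName)' exists (object id $($sp.Id))"
} else {
    Write-Warning "No service principal for app id $InstallerAppId in tenant $($ctx.Tenant.Id)."
    Write-Warning "Creating it needs tenant-level directory permissions or the hotfix/UPD22 installer path."
}
```

Run it as the account that will execute the installer; two OK lines mean the installer's role-assignment and service-principal steps should not fail for lack of permission.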


Hello,

We have the UPD22 installer. Any idea how this can be set up for setting the Service Account? Couldn't find any info in the FSM Azure installer guide.


@jevin.fernando

These are the steps included in the Hotfix:

Not sure if this will work, but according to the Release Notes the fix was included in U22:

G2349517 - Corrected issue with Azure installation failing with subscription owner account

Best regards
Roman
