Hi Teshan,

when running the FSM Installer it’s required to be an “Owner” of the Subscription. However, when it comes to Azure Subscriptions outside IFS this might be not enough as the Installer creates a Service Account on Azure tenant level, which requires elevated permissions (tenant admin).
See also this post:
 

Apparently, this was fixed but one of our customers faced the issue still and raised a Case. They received a hotfix with some adjustments to the FSM Installer exe. As far as I’m aware it worked for them without having to use admin tenant permissions and the fix should be included in the next Update. I can provide you the Case ID.

Best regards
Roman

Thank you, Roman, can you please send me the case ID?  According to the above thread, this should fix U14 onwards but this customer using the U16 setup.

Resource group owner is already granted, other than resource group level permissions from azure active directory level user should have assigned roles to manage deployment from API level to tenant resources. Customers have different resource groups if a user is granted Global admin or Dev-ops admin privilege it can access every resource within the tenant, they are not willing to do that.

What should be the default permission from the Active directory level to this user executing installer to do deployment and resource creation within tenet → resource group?

There was nothing assigned to this user. If customers are not willing to use their global admin or dev-ops admin for IFS FSM installer execution should have a specific set of assigned roles required to do execution.

For IFS CLOUD FSM deployment, we can use our internal user to do deployment from delivery VMs. I hope someone from the AD team or Product team can give an exact set of roles to the assigned user for deploying the FSM application.

Hi Teshan,

as said, it was apparently fixed but a customer of mine faced it as well with UPD20 - that’s why they received a hotfix.
Resource Group Owner isn’t enough. The User needs to have the Owner role on Subscription level, e.g. like here for my account in an internal IFS Subscription:

This allows to create new resource groups in the subscription.

In addition, global admin on AD tenant level is required - unless you are using the hotfix / updated Installer when available in UPD22. Otherwise, you will not be able to create the Service Account User through the Installer. This User can’t be created manually prior running the Installer as the UID for this User is hardcoded in the Installer - unless you are using the hotfix, which allows to provide a UID from the manually created Service Account.

Concluding, the only options you have at the moment with UPD16 is to provide the above mentioned roles to the user executing the Installer. Or you go with U20 and request the hotfix from the provided Case / wait for UPD22.

Best regards
Roman

Hello, 

We have the UPD22 installer any idea how this can be setup of setting Service Account? Couldn't find any info on the FSM Azure installer guide.

@jevin.fernando 

These are the steps included in the Hotfix:

• Global admin of the subscription, needs to create an Azure AD app as described in this article - https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.
• Add created user as an owner of the azure AD app.
• Assign Application.ReadWrite.OwnedBy permission to the MS Graph API to the app.
• Specify application ID of Azure AD application in “ServicePrincipalClientID“ app setting of the config file of installer (setup.exe.config).
   

  

Not sure, if this will work but according to the Release Notes the fix was included in U22:

G2349517 - Corrected issue with Azure installation failing with subscription owner account

Best regards
Roman