The request to create role assignment ”xxx” is not valid. Role assignment scope. … must match the scope specified on the URI …

Hi,

If you are trying to make a role assignment via an ARM template and hit this error, note that this is annoying and not very clear, even in the MS docs.

The solution:

1- First, notice that there is a small difference in how ResourceGroups is written in the scope: resourceGroups vs resourcegroups. You need to use lowercase, either by writing it that way or by using replace() to turn resourceGroups into resourcegroups.

In my case, I created a variable where I replace resourceGroups with resourcegroups:

"variables": {
    "factoryId": "[replace(resourceId('Microsoft.DataFactory/factories', parameters('DataFactoryObject').name), 'resourceGroups', 'resourcegroups')]"
}

2- If this does not help, then you are likely using "type": "Microsoft.Authorization/roleAssignments" for your role assignment. Unfortunately this does not work if you are making an assignment to anything other than the resource group you are deploying in.

To solve this, you can do something like:

{
    "type": "Microsoft.DataFactory/factories/providers/roleAssignments",
    "name": "[variables('adfroleassignmentname')]",
    "apiVersion": "2015-07-01",
    "dependsOn": [
        "[variables('factoryId')]"
    ],
    "properties": {
        "roleDefinitionId": "[variables('ADFRunpipelineRoleDefId')]",
        "principalId": "[parameters('AzDcrbObjectId')]"
    }
}

In other words, you make a sub-resource deployment of type "ResourceType/providers/roleAssignments".
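A complete template using this sub-resource form, written here as an added example and not taken from the original post. The factory name, the principal's object id and the role definition GUID are parameters I chose (the default GUID is the built-in Contributor role; use a narrower built-in or custom role where one fits). The role assignment name is built with guid() so redeployments are idempotent, and no properties.scope is set because the nested name already pins the scope to the factory, which is what avoids the "must match the scope specified on the URI" error:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dataFactoryName": {
      "type": "string",
      "metadata": { "description": "Name of the Data Factory deployed by this template (example parameter, not from the post)." }
    },
    "principalId": {
      "type": "string",
      "metadata": { "description": "Object id of the service principal that receives the role (example parameter, not from the post)." }
    },
    "roleDefinitionGuid": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": { "description": "GUID of the role to grant. Default is the built-in Contributor role; prefer a narrower role where possible." }
    }
  },
  "variables": {
    "factoryId": "[resourceId('Microsoft.DataFactory/factories', parameters('dataFactoryName'))]",
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionGuid'))]",
    "roleAssignmentName": "[guid(variables('factoryId'), parameters('principalId'), parameters('roleDefinitionGuid'))]"
  },
  "resources": [
    {
      "type": "Microsoft.DataFactory/factories",
      "apiVersion": "2018-06-01",
      "name": "[parameters('dataFactoryName')]",
      "location": "[resourceGroup().location]",
      "properties": {}
    },
    {
      "type": "Microsoft.DataFactory/factories/providers/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[concat(parameters('dataFactoryName'), '/Microsoft.Authorization/', variables('roleAssignmentName'))]",
      "dependsOn": [
        "[variables('factoryId')]"
      ],
      "properties": {
        "roleDefinitionId": "[variables('roleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Deploy it with New-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile template.json -dataFactoryName <name> -principalId <objectId>. Setting principalType avoids the transient "principal not found" failure you get when the service principal was created moments before the deployment, and because the assignment name is deterministic a second deployment updates the same assignment instead of creating a duplicate.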


Azure ARM Template: “ObjectID” with Azure Key vault policy assignment

Hi all,

When you author ARM templates that deploy a Key Vault and set its access policies in the template, be careful about the content of the objectId.

"accessPolicies": [
    {
        "tenantId": "xxxxx-30d9-xxxxx-8015-ddddddd",
        "objectId": "rrrrr-tttt-rrrr-rrrr-tttttt",
        "permissions": {
            "keys": ["all"],
            "secrets": ["all"]
        }
    }
],

If you are assigning the policy to a user account, use the objectId value found on Azure AD:

If you are assigning the policy to a service principal, use the ObjectID of the application shown in the Enterprise Applications blade, not the one shown in the App Registrations blade.

(Screenshots not reproduced here, captioned "Good" and "Wrong")

Delete Azure Backup Restore Points collections error : InternalOperationError goal seeking tasks failed

Hi,

During an operation to move Azure resources between subscriptions (or resource groups), we had to delete the "Microsoft.Compute/restorePointCollections" resources in order to be able to move VMs protected by a Backup policy, as described here.

Unfortunately, when deleting the "Microsoft.Compute/restorePointCollections" resources, we were hit by the following error:

{X} goal seeking tasks failed.

It took us some time to figure out that retrying the deletion of the same resources several times eventually ends in a successful operation. But because each attempt takes about 1 minute, doing it by hand would be a waste of time.

So today, I'm sharing with you a PowerShell script that lets you run all the deletion operations in parallel!

Go here

Unable to assign RBAC role to the root management group

Hi,

If you try to assign an RBAC role to the root management group, you may encounter the following error, even if you are the Azure Account Owner or the Global Administrator:

New-AzureRmRoleAssignment -SignInName user@domain.io -RoleDefinitionName "Reader" -Scope /providers/Microsoft.Management/managementGroups/root

New-AzureRmRoleAssignment : The client 'xxxx@domain.io' with object id '46f38ab7-404e-4a36-906f-3a19299cf41c' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/providers/Microsoft.Management/managementGroups/root/providers/Microsoft.Authorization/roleAssignments/e3a41417-f5b5-4476-8171-14866f42481f'.
At line:1 char:1
New-AzureRmRoleAssignment -SignInName user@domain.io -RoleDef ...
~~~~~~~~~~~~~~~~~
CategoryInfo : CloseError: (:) [New-AzRoleAssignment], CloudException
FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand

Solution

You need to elevate access for the Global Administrator in order to manage the root management group.

Do this: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Move an Azure DevOps resource to a different resource group

Hi,

I have been asked to move an Azure DevOps organization resource from its original resource group (which by default is named VS-{Organization Name}-Group) to a new resource group. These are the permissions you will need:

  • You need to be the Organization Owner of the Azure DevOps organization
  • You need write access to the target resource group. The Contributor role is the easiest role that provides this permission
  • You need to be a Contributor of the Subscription. This is the error you will have if not: “User is not a subscription administrator or co-administrator of the Azure subscription.”

Once this is done, you can move the resource to the new resource group, and then release the permissions.

Azure Data Factory: How to access the output of an Activity

Hi,

When using ADF (in my case V2), we create pipelines. Inside these pipelines, we create a chain of Activities.

In most cases, we need the output of an activity to be the input of the next or a later activity.

The following screenshot shows a pipeline of 2 activities:

  1. Get from Web: an HTTP activity that gets data from an HTTP endpoint
  2. Copy to DB: an activity that takes the output of the first activity and copies it to a DB.

(Screenshot SNAG-0063.png: the pipeline with the two activities)

How to get the output of an activity?

The output of any activity at a given time is: @activity('Activity Name').output

So the output of my Get from Web activity will be: @activity('Get from Web').output

Example

If my Get from Web activity gets a JSON output from the HTTP endpoint like this:

{
    "name": "Samir",
    "mail": "samir.farhat@mvp.com",
    "age": "30",
    "childrens": [
        {
            "name": "Mark",
            "age": "7"
        },
        {
            "name": "Helena",
            "age": "9"
        }
    ]
}

 

@activity('Get from Web').output

will contain the JSON above.

  • If I want to access only childrens, I can do this:

@activity('Get from Web').output.childrens

  • If I want to access only the first child:

@activity('Get from Web').output.childrens[0]
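Here is how those expressions look inside a pipeline definition, as an added example rather than the pipeline from the original post. The pipeline name, the URL (a constructed placeholder) and the variable names are mine; the Web activity fetches the JSON shown above, and two Set Variable activities store the first child's name and the number of children, which also uses the length() and string() expression functions that the post does not cover:

```json
{
  "name": "GetFromWebThenUseOutput",
  "properties": {
    "variables": {
      "firstChildName": { "type": "String" },
      "childCount": { "type": "String" }
    },
    "activities": [
      {
        "name": "Get from Web",
        "type": "WebActivity",
        "typeProperties": {
          "url": "https://example.invalid/person.json",
          "method": "GET"
        }
      },
      {
        "name": "Keep first child name",
        "type": "SetVariable",
        "dependsOn": [
          { "activity": "Get from Web", "dependencyConditions": [ "Succeeded" ] }
        ],
        "typeProperties": {
          "variableName": "firstChildName",
          "value": "@activity('Get from Web').output.childrens[0].name"
        }
      },
      {
        "name": "Count children",
        "type": "SetVariable",
        "dependsOn": [
          { "activity": "Get from Web", "dependencyConditions": [ "Succeeded" ] }
        ],
        "typeProperties": {
          "variableName": "childCount",
          "value": "@string(length(activity('Get from Web').output.childrens))"
        }
      }
    ]
  }
}
```

With the sample response above, firstChildName ends up as "Mark" and childCount as "2". Note that inside one expression nested calls are written without a second @, that string literals use single quotes, and that the dependsOn conditions make the Set Variable activities run only when the Web activity succeeded, so a failed or empty response never leaves a half-populated variable for a later activity to act on.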