azure - ARM template for RoleAssignment at Mgmt Group Level

Question

I am trying to create an arm template that assigns RBAC role to a group at a management group level. i am able to do it via CLI and PowerShell but can't get it working via an ARM template

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "roleDefinitionId": {
            "type": "string",
            "defaultValue": "xxxx",
            "metadata": {
                "description": "roleDefinition for the assignment - default is reader"
            }
        }
    },
    "variables": {
        "roleAssignmentName": "[guid('/', variables('xxx'), parameters('roleDefinitionId'))]"
    },
    "resources": [
        {
            "name": "[variables('roleAssignmentName')]",
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "scope": "/providers/Microsoft.Management/managementGroups/xxxx",
            "properties": {
                "mode": "Incremental",
                "roleDefinitionId": "xxx",
                "principalId": "xxxx",
                "principalType": "Group"
            }
        }
    ]
}

Does anyone know if MGMT Groups is supported, if yes what am i doing wrong?

Here is the official doc for ARM Role Assignment https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template, it shows to do it for Subs and Resources Groups

question from:https://stackoverflow.com/questions/66051827/arm-template-for-roleassignment-at-mgmt-group-level

Answer 1

Remove the scope property from your resource definition...

TLDR; roleAssignments can only be deployed at the scope they are being assigned to, so the property is extraneous. Also the scope property doesn't work with managementGroup extension resources (confusing I know) which is just a point in time gap. The scope property is generally used for targeting a resource to a different scope (i.e. different from the template deployment itself) but since roleAssignments can't be retargeted you don't need it and it's going to cause a problem for you in this case.

Here's my sample (note I don't have the principalType property so it uses the default):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "principalId": {
        "type": "string",
        "metadata": {
          "description": "principalId if the user that will be given contributor access to the resourceGroup"
        }
      },
      "roleDefinitionId": {
        "type": "string",
        "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "metadata": {
          "description": "roleDefinition for the assignment - default is contributor"
        }
      },
      "managementGroupName": {
        "type": "string",
        "metadata": {
          "description": "Name of the managementGroup for the roleAssignment"
        }
      }
    },
    "variables": {
      // this creates an idempotent GUID for the role assignment
      "roleAssignmentName": "[guid(parameters('managementGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]"
     },
    "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[variables('roleAssignmentName')]",
        "properties": {
          "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
          "principalId": "[parameters('principalId')]"
        }
      }
    ]
  }