Landing Zone Automation - Disable Owner requirement from ESLZ ARM template
I am trying to deploy the ESLZ ARM template in this link "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/adventureworks/README.md" and it requires owner permission to do that. Is it possible to remove the Global Admin and/or Owner requirement and run the template using the contributor role?
Regards, Sajith
I created a management group under the tenant root and assigned the contributor role. Now I'm trying to create additional management groups using the ARM template below:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "topLevelManagementGroupPrefix": {
      "type": "string",
      "metadata": {
        "description": "Provide prefix for the management group structure."
      }
    },
    "platformMgs": {
      "type": "array",
      "defaultValue": [
        "management",
        "connectivity",
        "identity"
      ],
      "metadata": {
        "description": "Management groups for platform specific purposes, such as management, networking, identity etc."
      }
    },
    "landingZoneMgs": {
      "type": "array",
      "defaultValue": [
        "online",
        "corp"
      ],
      "metadata": {
        "description": "These are the landing zone management groups."
      }
    }
  },
  "variables": {
    "enterpriseScaleManagementGroups": {
      "ESLZ": "[concat(parameters('topLevelManagementGroupPrefix'))]",
      "platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]"
    }
  },
  "resources": [
    {
      // Create management group for platform management groups
      "type": "Microsoft.Management/managementGroups",
      "apiVersion": "2020-05-01",
      "scope": "/",
      "name": "[variables('enterpriseScaleManagementGroups').platform]",
      "properties": {
        "displayName": "[variables('enterpriseScaleManagementGroups').platform]",
        "details": {
          "parent": {
            "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
          }
        }
      }
    }
  ],
  "outputs": {}
}
```
While deploying the template I'm getting a permission error; however, I am able to create the management group manually. Am I missing something in this template? Any help is really appreciated.
Regards, Sajith
Solution 1:[1]
You should be able to deploy the template with contributor permissions at the tenant level... You need an owner/userAccessAdmin/global admin to grant those permissions.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | bmoore-msft |
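
The grant described in Solution 1, sketched with the Az PowerShell module as an added example (not code from the question or the answer): an identity that already holds Owner or User Access Administrator at the root scope assigns Contributor at `/`, and the deploying account then runs the tenant-scope deployment. The UPN, deployment name, location, template file name and prefix value are placeholder assumptions.

```powershell
# Added example. All names below are placeholders, not values from the page.
$deployerUpn  = 'deployer@contoso.example'   # account that will run the template
$templateFile = './management-groups.json'   # the tenant-scope template from the question
$prefix       = 'contoso'                    # value for topLevelManagementGroupPrefix

# --- Part 1: run by an identity that has Owner or User Access Administrator at '/' ---
$deployer = Get-AzADUser -UserPrincipalName $deployerUpn
if (-not $deployer) { throw "No directory user found for $deployerUpn" }

# Only create the assignment if Contributor is not already held at the root scope.
$existing = Get-AzRoleAssignment -Scope '/' -ObjectId $deployer.Id |
    Where-Object { $_.Scope -eq '/' -and $_.RoleDefinitionName -eq 'Contributor' }

if (-not $existing) {
    New-AzRoleAssignment -Scope '/' `
                         -RoleDefinitionName 'Contributor' `
                         -ObjectId $deployer.Id
}

# --- Part 2: run by the deployer account (Connect-AzAccount as $deployerUpn) ---
# The template uses the tenantDeploymentTemplate schema, so it is submitted
# as a tenant deployment rather than a management-group deployment.
New-AzTenantDeployment -Name 'eslz-management-groups' `
                       -Location 'westeurope' `
                       -TemplateFile $templateFile `
                       -TemplateParameterObject @{ topLevelManagementGroupPrefix = $prefix }

# --- Part 3: run by the granting identity once the deployment has finished ---
# Contributor at '/' covers every management group and subscription in the
# tenant, so remove it when it is no longer needed.
Remove-AzRoleAssignment -Scope '/' `
                        -RoleDefinitionName 'Contributor' `
                        -ObjectId $deployer.Id
```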
