Unable to update a VM using a system-assigned managed identity with the Update-AzVM command

Bestha, Narendra 20 Reputation points
2024-03-20T06:41:59.7166667+00:00

The Automation account's system-assigned managed identity has the Virtual Machine Contributor role and the Managed Identity Operator role on resource group x.

It is failing to update a VM. ErrorCode: LinkedAuthorizationFailed ErrorMessage: The client 'xx-x' with object id 'xx-x' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/xx-xx-zz/resourceGroups/x/providers/Microsoft.Compute/virtualMachines/xxzz'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xx-xx-zz/resourceGroups/Y/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xx-wa' (respectively) or the linked scope(s) are invalid.

So, in order to update the VM, should the system-assigned managed identity have the Managed Identity Operator role on resource group Y as well? Why do we need the Managed Identity Operator role to update a VM?


Accepted answer
  Anveshreddy Nimmala 3,545 Reputation points Microsoft Vendor
    2024-03-20T07:14:35.5333333+00:00

    Hello

    Welcome to Microsoft Q&A, thank you for posting your query here.

    User-assigned managed identities are identities that can be associated with Azure resources (like VMs) to allow them to authenticate and interact with other Azure services. Unlike system-assigned identities, which are directly tied to a single resource and managed by Azure, user-assigned identities can be shared across multiple resources. The action that's failing is Microsoft.ManagedIdentity/userAssignedIdentities/assign/action. The permissions for your automation account's managed identity are currently set at the resource group. The user-assigned identity it's trying to manage is in another resource group. Azure RBAC (Role-Based Access Control) permissions are scoped, which means that if you grant permissions at the resource group level, those permissions apply only to resources within that resource group. To manage a user-assigned identity in a resource group, the managed identity needs the Managed Identity Operator role assigned at that resource group.

    Please refer to this documentation for more information:

    https://video2.skills-academy.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm

    Hope this helps you.

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

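The check the accepted answer implies, as an added example that is not from the question, the answer or Microsoft: a PowerShell script (Az modules assumed) that lists the user-assigned identities attached to the VM, tests whether the Automation account's identity holds the assign action on each of those linked scopes, and optionally grants Managed Identity Operator scoped to the identity resource alone rather than to all of resource group Y. The function name Test-ActionGranted and the parameter defaults are hypothetical placeholders.

```powershell
# Added example, not from the question or the accepted answer. Assumes the
# Az.Compute/Az.Resources modules are loaded and Connect-AzAccount has run.
# Parameter defaults are placeholders: resource group x, the VM, and the
# object id 'xx-x' of the Automation account's system-assigned identity.
param(
    [string]$VmResourceGroup   = 'x',
    [string]$VmName            = '<vm-name>',
    [string]$PrincipalObjectId = '<object-id-of-automation-account-identity>',
    [switch]$Fix   # report only unless -Fix is given
)
$requiredAction = 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
$roleName       = 'Managed Identity Operator'

# Approximates RBAC wildcard matching: '*' matches any text and a '/*/' path
# segment may be absent (the built-in role grants
# '.../userAssignedIdentities/*/assign/action'). NotActions are ignored.
function Test-ActionGranted([string[]]$Actions, [string]$Action) {
    foreach ($a in $Actions) {
        $pattern = [regex]::Escape($a) -replace '\\\*', '.*'
        $pattern = $pattern -replace '/\.\*/', '/(.*/)?'
        if ($Action -match ('^' + $pattern + '$')) { return $true }
    }
    return $false
}

$vm = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
# The dictionary keys are the resource ids of the attached user-assigned
# identities, i.e. exactly the "linked scopes" named in the error.
$identityIds = @($vm.Identity.UserAssignedIdentities.Keys)
if ($identityIds.Count -eq 0) {
    Write-Host 'No user-assigned identity attached; the linked-scope check does not apply.'
    return
}
foreach ($id in $identityIds) {
    # Assignments effective at the identity resource, including those
    # inherited from its resource group (Y) and the subscription.
    $granted = $false
    foreach ($ra in Get-AzRoleAssignment -ObjectId $PrincipalObjectId -Scope $id) {
        $def = Get-AzRoleDefinition -Name $ra.RoleDefinitionName
        if (Test-ActionGranted $def.Actions $requiredAction) { $granted = $true; break }
    }
    if ($granted) { Write-Host "OK: $requiredAction is granted on $id"; continue }
    Write-Warning "Missing $requiredAction on linked scope $id (this is the LinkedAuthorizationFailed cause)"
    if ($Fix) {
        # Least privilege: scope the role to the identity resource itself,
        # not to all of resource group Y.
        New-AzRoleAssignment -ObjectId $PrincipalObjectId -RoleDefinitionName $roleName -Scope $id
    }
}
```

Run it once without -Fix to see which linked identity scope lacks the action, then with -Fix to add the narrowly scoped assignment.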

