This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 84%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
I noticed the following issue in the Azure DevOps pipeline.
Unable to update a virtual machine via PowerShell in a pipeline task.
ErrorCode: LinkedAuthorizationFailed ErrorMessage: The client 'xx-x' with object id 'xx-x' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/xx-xx-zz/resourceGroups/x/providers/Microsoft.Compute/virtualMachines/xxzz'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xx-xx-zz/resourceGroups/Y/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xx-wa' (respectively) or the linked scope(s) are invalid.
ErrorTarget:
StatusCode: 403
ReasonPhrase: Forbidden
Here is the part of the script that I run.
It fails on the Update-AzVM command.
When I run the script manually it works.
It only fails through the pipeline.
Last week everything was fine.
I didn't change anything.
It stopped working from the beginning of September 2024.
The proposed solution was to set the necessary permissions for the client.
I checked the settings and the client has granted Contributor access with all permissions.
Client scope is "Resource group (Inherited)".
Can you advise me what to do, please?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
To resolve this issue, you should grant it the Managed Identity Operator or Managed Identity Contributor role on the resource group or the specific user-assigned managed identity it needs to manage.
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola
@akinbade abiola
I have granted the client named (in my case MAM) the role of Managed Identity Operator and Managed Identity Contributor in the resource group.
But it didn't help.
I still have the same problem.
I'm asking for more advice.
can you confirm the managed indentity had the roles assigne pls?
@akinbade abiola
Please see the attached picture.
Did I set it up correctly?
Or can you send me the exact steps I need to do, please?
This looks fine to me as it is complaining of these permissions: "The action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action is required on the User Assigned Managed Identity, but permission is missing or the scope is incorrect."
You can also test with adding broad scoped contributor on identity. But as a test only to confirm. If it works, you can further reduce to least privilege
This is an example of same error but on aks. https://video2.skills-academy.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/error-code-linkedauthorizationfailed?source=recommendations We generally just need to find the correct scope and assign permissions
@akinbade abiola
What do the following lines in the log mean, please?
The client 'xx-x' with object id 'xx-x' has permission to perform action...
ErrorTarget:
StatusCode: 403
ReasonPhrase: Forbidden
@akinbade abiola
How to find the correct scope, please?
And how to verify that scope is valid?
@akinbade abiola
I edited my original question.
I added the part of the script that I run.
I hope it helps.
It was resolved internally, in the company.
By changing the settings.
Thank you for your help, @akinbade abiola