Single Subscription

[DSchmidlin]

I would like to deploy Azure IPAM into just my subscription but the need for read access to a management group is blocking me as I don't have permissions to do so. Is it possible to configure a deployment to work with only a single subscription and not need permissions to the management group?

My ultimate goal is to use the automatic reservation system that Azure IPAM offers in my CI/CD pipeline to to perform PR deployments that need have non-overlapping IP ranges in their VNets so they can be peered to a shared VNet in a hub-spoke design. Is there another tool that would be more appropriate for this purpose?

[DSchmidlin]

It looks like this can be done if you run the following powershell command.

New-AzRoleAssignment -ObjectId "<enterprise app id>" -RoleDefinitionName "Reader" -Scope "/subscriptions/<subscription id>"

I applied it first the engine app , which did not work and then applied it to the ui app, which did finally work. Unsure if just the ui app needs it or both.

[DCMattyG]

Hi @DSchmidlin, the steps you've laid out are exactly correct. And yes, only the engine app needs Reader access to the Subscription scope. Perhaps you just didn't wait long enough for the permissions to propagate, which can sometimes take a minute or two.

Alternatively you could create a Management Group, add your subscription to said Management Group, and use the -Scope switch during deployment by providing the Management Group ID.

Glad you got things working, please let me know if you need anything else!

[serottez]

Hi @DCMattyG, is the Engine App Registration the only resource that is granted reader access at the Root Management Group level (or the alternate Management Group level, if specified on deployment via the -MgmtGroupId Parameter)?

I ask because we are considering using this IPAM tool in an enterprise tenant, but we only want the IPAM tool to manage a subset of the management groups in that tenant. If I were to originally deploy this tool at the tenant root group level, is the Engine App Registration the only resource whose permissions I would need to modify to restrict its scope to specific management groups/subscriptions, or are there other resources whose permissions should be modified, too?

Thanks for your help!

[DCMattyG]

Is the Engine App Registration the only resource that is granted reader access at the Root Management Group level (or the alternate Management Group level, if specified on deployment via the -MgmtGroupId Parameter)?

Yes, this is correct.

If I were to originally deploy this tool at the tenant root group level, is the Engine App Registration the only resource whose permissions I would need to modify to restrict its scope to specific management groups/subscriptions?

This is also correct.

[serottez]

Thank you!

[DCMattyG]

My pleasure!