
Problem

The DeployIfNotExists error LinkedAuthorizationFailed for Diagnostic Settings indicates that the policy deployment lacks permissions: it cannot create or assign diagnostic settings on the target resource. This happens when the policy’s managed identity, or the user who assigned the policy, lacks authorization over the target resource or over one of its parents (resource group, subscription).

Solution

Azure’s Policy Management is built on the Principle of Least Privilege (POLP). Therefore, Role-Based Access Control is in place. What does that mean? It means that somewhere in your Policy management you want to assign a user, or a group, only the permissions that are adequate at the assigned scope, and no more. This helps to ensure that policies remain tamper-resistant. And actually, that’s where a decent Azure configuration starts.

Azure's Policy Permission Set-up

Azure’s Policy Management in a Sequence Diagram. Check your error trace. Where would you locate your problem in this diagram? This should give you a hint where to look when you try to fix this.

To be a bit more useful, here are some places where you could also look:

1. Check Permissions for Managed Identity

If the policy uses a managed identity (often the case for policies with DeployIfNotExists effects), ensure that this identity has the Contributor or Monitoring Contributor role on the target resources or resource group. You may need to add this role through the Azure Portal:

  1. Navigate to the Azure Policy > Assignments.
  2. Select the assignment of the DeployIfNotExists policy in question.
  3. Ensure the managed identity used by the policy assignment has sufficient permissions on the target resources.

2. Ensure Authorization Scope is Correct

Make sure the managed identity has permissions on the specific scope of resources where the diagnostic settings are applied. This may require setting permissions at the subscription, resource group, or resource level, depending on where the policy is being applied.

3. Check Diagnostic Settings Requirements

Some resources require specific permissions for setting diagnostics, so check if the policy assignment has these permissions by reviewing the required actions, such as Microsoft.Insights/diagnosticSettings/*.

4. Validate Resource Group Permissions

Sometimes, permissions need to be set not just on the resource but also on the parent resource group. Ensure that permissions are assigned at the appropriate level (e.g., resource group or subscription) if the policy requires it.

5. Audit Policy Definitions and Assignments

Review the specific DeployIfNotExists policy definition to verify it is configured correctly. Check for any additional dependencies or parameters that might require adjustment.
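The checks 1 to 4 above all come down to one question: does the policy assignment’s managed identity hold a role that grants Microsoft.Insights/diagnosticSettings/write at a scope that covers the target resource? The following script is an added example, not code from the original post and not an Azure SDK call; it models that RBAC evaluation offline with hand-written, simplified role definitions (the real built-in roles carry more actions) and a constructed subscription, resource and principal id, all placeholders. It goes slightly beyond the specific case by handling scope inheritance and NotActions generally, and it reports which of the checks above a given assignment fails. In a real tenant you would read the assignment’s identity and the role assignments from the portal or the CLI and feed them in; the decision logic stays the same.

```python
"""Offline model of the RBAC check behind a DeployIfNotExists deployment."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified, hand-written role definitions (assumption: the real built-in
# roles carry more actions; only the parts relevant to diagnostic settings
# are kept here).
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Monitoring Contributor": {"actions": ["*/read", "Microsoft.Insights/*"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor deliberately cannot hand out roles: that is what keeps
        # the policy set-up tamper-resistant.
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}

DIAG_WRITE = "Microsoft.Insights/diagnosticSettings/write"


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str   # object id of the user, group or managed identity
    role: str           # key into ROLE_DEFINITIONS
    scope: str          # subscription, resource group or resource ID


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Azure RBAC inherits downwards: an assignment at a scope applies to
    everything beneath it. Compare whole path segments so that
    '/resourceGroups/rg-app' does not accidentally cover 'rg-app2'."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def _matches(action: str, patterns) -> bool:
    # Action strings are case-insensitive and '*' may span several segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_grants(role: str, action: str) -> bool:
    """An action is granted when some 'actions' pattern matches it and no
    'notActions' pattern takes it away again."""
    definition = ROLE_DEFINITIONS[role]
    return _matches(action, definition["actions"]) and not _matches(action, definition["notActions"])


def diagnose(assignments, principal_id: str, action: str, target_scope: str):
    """Return (allowed, findings). Each finding names which of the checks in
    the post (1, 2/4 or 3) an assignment fails, so the reason for a
    LinkedAuthorizationFailed becomes visible at a glance."""
    findings = []
    mine = [a for a in assignments if a.principal_id == principal_id]
    if not mine:
        return False, ["check 1: no role assignment at all for this principal"]
    for a in mine:
        if not scope_covers(a.scope, target_scope):
            findings.append(f"check 2/4: {a.role} at {a.scope} does not cover the target scope")
        elif not role_grants(a.role, action):
            findings.append(f"check 3: {a.role} at {a.scope} is in scope but does not grant {action}")
        else:
            return True, [f"ok: {a.role} at {a.scope} grants {action}"]
    return False, findings


# Constructed sample data: placeholder subscription, resource and principal ids.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
TARGET = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"
POLICY_MI = "11111111-1111-1111-1111-111111111111"  # managed identity of the assignment

BROKEN = [
    RoleAssignment(POLICY_MI, "Reader", SUB),                                              # too weak
    RoleAssignment(POLICY_MI, "Monitoring Contributor", f"{SUB}/resourceGroups/rg-other"), # wrong scope
]
FIXED = BROKEN + [RoleAssignment(POLICY_MI, "Monitoring Contributor", f"{SUB}/resourceGroups/rg-app")]

if __name__ == "__main__":
    for label, assignments in (("before", BROKEN), ("after", FIXED)):
        allowed, findings = diagnose(assignments, POLICY_MI, DIAG_WRITE, TARGET)
        print(label, "allowed" if allowed else "denied")
        for finding in findings:
            print("  -", finding)
```

Running it prints "before denied" with two findings (Reader at the subscription is in scope but too weak; Monitoring Contributor sits on the wrong resource group) and "after allowed" once Monitoring Contributor is assigned on rg-app. The NotActions entries on Contributor are the reason a Contributor-level identity can still write diagnostic settings but cannot grant itself further roles, which is the tamper-resistance the Solution section refers to.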

Error still there?

Write me a mail, and I’ll see what I can do for you.

messerblatt [at] protonmail.com
