Azure Policy ‘DeployIfNotExists’ Error - LinkedAuthorizationFailed for Diagnostic Settings
Problem
A LinkedAuthorizationFailed error on a DeployIfNotExists policy for diagnostic settings means the remediation deployment is not authorized to create or update the diagnostic setting on the target resource. Azure raises this particular error when the caller is permitted to perform the action on the resource it is writing, but not on a linked resource that the request references; for a diagnostic setting the linked resource is the destination (the Log Analytics workspace, storage account or Event Hub namespace). The usual cause is that the policy assignment's managed identity, or the user who created the assignment, lacks a role on the target resource, on its parent scope, or on that linked destination.
Solution
Azure Policy is built around the principle of least privilege (POLP), enforced through role-based access control (RBAC). In practice that means the identity that performs remediation (the assignment's managed identity) and the users or groups who manage assignments should each hold only the roles they need, at the scope they need them. Keeping those grants narrow is what makes policies tamper-resistant, and it is where a sound Azure configuration starts.
Azure's Policy Management in a sequence diagram. Check your error trace and locate the failing step in the diagram; that tells you where to look when fixing the problem.
Beyond that, here are some places to look:
1. Check Permissions for Managed Identity
If the policy uses a managed identity (always the case for DeployIfNotExists and Modify effects), make sure that identity holds the roles the definition declares under roleDefinitionIds. For the built-in diagnostic-settings definitions that is typically Monitoring Contributor (to write the diagnostic setting) plus a role on the destination, such as Log Analytics Contributor on the workspace. Contributor at the scope also works, but it grants far more than remediation needs. Note that the portal grants the declared roles at the assignment scope automatically when you create the assignment; assignments created outside the portal (PowerShell, CLI, templates, Terraform) generally do not get them unless you create the role assignments yourself. To locate the identity in the portal:
- Navigate to Azure Policy > Assignments.
- Select the DeployIfNotExists assignment in question and open its remediation settings to see the managed identity it uses.
- On the target scope, and on the destination resource, open Access control (IAM) and confirm that this principal holds the required roles.
2. Ensure Authorization Scope is Correct
The identity needs permission wherever a diagnostic setting is written, which is every resource the policy targets, so grant the role at the assignment scope (subscription or resource group) rather than per resource. It also needs permission on the destination the setting points to: the Log Analytics workspace, storage account or Event Hub namespace named in the assignment's parameters. LinkedAuthorizationFailed typically means the identity could write the diagnostic setting itself but was not authorized on that linked destination, which is common when the workspace lives in a different resource group or subscription than the resources being remediated.
3. Check Diagnostic Settings Requirements
Writing a diagnostic setting requires Microsoft.Insights/diagnosticSettings/write on the resource and, depending on the destination, an action on the destination itself (for a Log Analytics workspace, for example, Microsoft.OperationalInsights/workspaces/sharedKeys/action). The error message names the missing action and the linked scope explicitly, so compare it against the actions granted by the roles listed in the assignment's roleDefinitionIds rather than guessing.
4. Validate Resource Group Permissions
Role assignments inherit downward only: a role granted at a resource group or subscription covers the resources beneath it, but nothing above or beside it. If the assignment scope is one resource group and the destination workspace sits in another, a grant on the first group does not reach the workspace. Grant the role where the destination lives, or at a common parent such as the subscription, if the policy requires it.
5. Audit Policy Definitions and Assignments
Review the DeployIfNotExists definition itself: confirm that then.details.roleDefinitionIds lists every role the deployment template needs (custom definitions often list only Monitoring Contributor and forget the destination), that the assignment's parameters point to an existing destination resource ID, and that any other parameters or dependencies are set correctly. After you change role assignments, start a new remediation task; a compliance evaluation on its own does not retry the failed deployment for existing resources.
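The following PowerShell script, added here as an example and not part of the original post or of Azure's own tooling, walks steps 1 to 4 in one pass: it resolves the assignment's managed identity, reads the roles the definition declares, checks that those roles actually permit the diagnostic-settings write action, and verifies (or with -Fix, creates) the role assignments on both the assignment scope and the linked destination scope. It assumes the Az.Resources and Az.PolicyInsights modules, an existing Connect-AzAccount session, and that you pass the assignment's resource ID and the destination resource ID (the linked scope from the error message) as parameters; the parameter and function names are my own.

```powershell
<#
  Added example, not part of the original post or of Azure's own tooling.
  Checks (and with -Fix, repairs) the role assignments a DeployIfNotExists
  diagnostic-settings policy needs, on both the assignment scope and the
  linked destination scope. Assumes Az.Resources and Az.PolicyInsights are
  installed, Connect-AzAccount has been run, and that the assignment targets
  a single policy definition (not an initiative).
#>
param(
    # Full resource ID of the policy assignment (assumed input).
    [Parameter(Mandatory)] [string] $AssignmentId,
    # Resource ID of the destination the setting writes to: the Log Analytics
    # workspace, storage account or Event Hub namespace from the assignment's
    # parameters (assumed input; this is the "linked scope" in the error).
    [Parameter(Mandatory)] [string] $DestinationScope,
    # Action every diagnostic-settings deployment needs on the target resource.
    [string] $RequiredAction = 'Microsoft.Insights/diagnosticSettings/write',
    [switch] $Fix
)

function Get-Prop {
    # Az.Resources < 7.0 nests assignment/definition data under .Properties,
    # >= 7.0 flattens it; read whichever shape is present.
    param($Object, [string] $Name)
    if ($null -ne $Object.Properties -and $null -ne $Object.Properties.$Name) { return $Object.Properties.$Name }
    return $Object.$Name
}

# 1. The assignment and the managed identity that remediation runs as.
$assignment  = Get-AzPolicyAssignment -Id $AssignmentId
$principalId = if ($assignment.Identity) { $assignment.Identity.PrincipalId } else { $assignment.IdentityPrincipalId }
if (-not $principalId) { throw "Assignment has no managed identity; DeployIfNotExists cannot remediate without one." }
$assignmentScope = Get-Prop $assignment 'Scope'
$definitionId    = Get-Prop $assignment 'PolicyDefinitionId'
if ($definitionId -match '/policySetDefinitions/') { throw "Assignment targets an initiative; run this per member definition." }

# 2. The roles the definition declares under then.details.roleDefinitionIds.
$definition = Get-AzPolicyDefinition -Id $definitionId
$rule = Get-Prop $definition 'PolicyRule'
if ($rule -is [string]) { $rule = $rule | ConvertFrom-Json }
$roleIds = @($rule.then.details.roleDefinitionIds | ForEach-Object { ($_ -split '/')[-1] })
if ($roleIds.Count -eq 0) { throw "Definition declares no roleDefinitionIds; remediation can never be authorized." }

# 3. Do the declared roles actually permit the required action? RBAC action
#    strings use '*' wildcards, which PowerShell's -like operator understands.
$roles   = $roleIds | ForEach-Object { Get-AzRoleDefinition -Id $_ }
$allowed = $roles | Where-Object {
    $r = $_
    ($r.Actions | Where-Object { $RequiredAction -like $_ }) -and
    -not ($r.NotActions | Where-Object { $RequiredAction -like $_ })
}
if (-not $allowed) {
    Write-Warning "None of [$($roles.Name -join ', ')] grants $RequiredAction; fix the definition, not the RBAC."
}

# 4. Check each declared role at the assignment scope AND the linked destination.
#    Get-AzRoleAssignment at a scope also returns assignments inherited from above,
#    so a grant at the subscription satisfies a check at a child resource group.
$report = foreach ($scope in @($assignmentScope, $DestinationScope) | Select-Object -Unique) {
    foreach ($role in $roles) {
        $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $scope -ErrorAction SilentlyContinue
        $present  = [bool] $existing
        if (-not $present -and $Fix) {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $role.Id -Scope $scope | Out-Null
            $present = $true
        }
        [pscustomobject]@{ Scope = $scope; Role = $role.Name; Granted = $present }
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Granted }) {
    Write-Warning "Missing grants remain. Re-run with -Fix, then retry the deployment with: Start-AzPolicyRemediation -PolicyAssignmentId '$AssignmentId' -Name 'diag-settings-retry'"
}
```

Run it without -Fix first: the table shows, per scope and role, whether the identity already holds the grant, and the warning in step 3 tells you when the problem is a definition that simply never lists a role covering the write action. Creating role assignments with -Fix requires Owner or User Access Administrator at each scope, and a grant on a freshly created identity can take a few minutes to propagate before a remediation task succeeds.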
Error still there?
Write me an email, and I'll see what I can do for you.
messerblatt [at] protonmail.com