Sunday, 21 June 2020

Cloud Management Gateway and Azure tags

I encountered this problem recently while deploying a CMG for a customer. Perhaps there was a better way for me to solve it but I'll explain the problem and how I worked around it. 

I got this error when creating the CMG. On my first try I was creating the resource group in the wizard.

Error occurred when granting Contributor permission to the Azure AD app for resource group xxxxx. For more information, see SmsAdminUI.log".

The error wasn't clear to me. I knew that I was using a Global Administrator account, which was also an Owner of the Azure subscription.  I didn't really understand the problem until I looked at the logs.

In the Azure activity log I found this.

It told me that the resource I was creating was disallowed by an Azure policy that had been configured. The policy was called "Require a tag and it's value on resource" and meant that resources could not be created in the subscription without tags and their associated values. I found the same text in the SmsAdminUI.log file. That makes sense. It's good for housekeeping, right?

However, ConfigMgr couldn’t create the resource group as there was a policy in place enforcing Azure tags, which I couldn’t configure in the wizard. I figured that I should create the resource group manually and apply tags to it. However I got the exact same error when I re-ran the wizard.

I finally solved it and created the CMG by disabling the policy. Perhaps there was a more graceful way to solve it but it allowed me to continue.

Remember, in ConfigMgr, logs are your friend.

I hope this helps.

Until next time...........

No comments:

Post a Comment