I created a Service principal in azure and assigned my service principal to the custom role which I have created with set of permission in that particular subscription.

With the service principal, I am able to create a key vault, Storage account, and function app and so on.

But when I execute this particular command

Set-AzDiagnosticSetting -Name $diagnosticLogsSettingsName -ResourceId $resource.ResourceId -StorageAccountId $diagnosticLogStorageAccount.Id -Enabled $true -Category $Categories -MetricCategory AllMetrics -RetentionEnabled $true -RetentionInDays 90

I am getting the following error

Set-AzDiagnosticSetting : Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status
03:24:52   Error message: Set-AzDiagnosticSetting : Exception type: ErrorResponseException, Message: Null/Empty, Code: Null, Status
03:24:52   code:Forbidden, Reason phrase: Forbidden

Not sure why I am getting forbidden error

Could anyone Please help me to resolve the issue. Thanks in advance

CodePudding user response：

One of the workaround you can follow to resolve the above issue;

Based on this

CodePudding user response：

Able to resolve the issue By adding the following permission to my custom role.

Microsoft.Insights/diagnosticSettings/write

I came to know to add this permission by executing the following command in "-Debug" mode which will give a clear error with the missing permission

Set-AzDiagnosticSetting -Name $diagnosticLogsSettingsName -ResourceId $resource.ResourceId -StorageAccountId $diagnosticLogStorageAccount.Id -Enabled $true -Category $Categories -MetricCategory AllMetrics -RetentionEnabled $true -RetentionInDays 90 -Debug

So just need to add -Debug flag at the end of command