Reputation: 474
I am trying to get a diagnostic setting from within an Azure pipeline with the YAML:

    steps:
    - task: AzureCLI@2
      displayName: Ammend Diagnostic Settings
      inputs:
        azureSubscription: ${{ parameters.environmentServiceConnection }}
        scriptLocation: inlineScript
        ScriptType: ps
        inlineScript: |
          #$Diago = Get-AzDiagnosticSetting -ResourceId ""

If I execute the Get-DiagnosticSetting command with my normal 'admin' account, I can see the diagnostic settings fine. I am using an SPN for the pipeline and I get the error:
Get-AzDiagnosticSetting : Exception type: ErrorResponseException, Message:
Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid status code 'Forbidden'
So it is something to do with my permissions on my SPN - but I have no idea where the permission would be where I need to check (in Azure) to make sure I can get this to work.
Upvotes: 1
Views: 2354
Reputation: 11431
Please assign Contributor/Monitoring Contributor from Azure Built-in Roles to the SPN that is being used by the Azure Pipeline as a service connection to the Subscription.
I tested similarly by using an SPN in PowerShell with the below code:

    # Service principal credentials (placeholders)
    $ApplicationId = "<ClientId>"
    $SecuredPassword = ConvertTo-SecureString "<ClientSecret>" -AsPlainText -Force
    $TenantId = "<tenantId>"
    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecuredPassword
    # Sign in as the service principal, then read the diagnostic settings of the resource
    Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential
    Get-AzDiagnosticSetting -ResourceId "/subscriptions/<Subscription>/resourceGroups/ansuman-resourcegroup/providers/Microsoft.Storage/storageAccounts/cloudshellansuman123"

output:
Upvotes: 1
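
To find where the permission is missing, the following added example (not code from the question or the answer) lists the roles the pipeline's SPN holds at the target resource and checks whether any of them grants `Microsoft.Insights/diagnosticSettings/read`; if none does, it assigns Monitoring Contributor. It assumes you are signed in with an account allowed to create role assignments, the bracketed values are placeholders, `Test-ActionGranted` is a helper defined here, and scoping the assignment to the single resource instead of the subscription is a least-privilege choice made for this example.

```powershell
# Added example: placeholder values below are assumptions, not values from the post.
$AppId      = "<ClientId>"   # application (client) ID of the pipeline's SPN
$ResourceId = "/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.Storage/storageAccounts/<StorageAccount>"
$Needed     = "Microsoft.Insights/diagnosticSettings/read"

# Hypothetical helper: does a role definition's Actions/NotActions pair allow $Action?
# Azure role actions use '*' wildcards, which PowerShell's -like operator can match.
function Test-ActionGranted {
    param([string]$Action, [string[]]$Actions, [string[]]$NotActions)
    $allowed = $Actions    | Where-Object { $Action -like $_ }
    $denied  = $NotActions | Where-Object { $Action -like $_ }
    return ([bool]$allowed -and -not $denied)
}

# Role assignments for the SPN that are effective at this resource
# (assigned on the resource itself or on a parent scope).
$assignments = Get-AzRoleAssignment -ServicePrincipalName $AppId -Scope $ResourceId

# Keep only the assignments whose role definition allows the read operation.
$granting = foreach ($a in $assignments) {
    $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    if (Test-ActionGranted -Action $Needed -Actions $def.Actions -NotActions $def.NotActions) {
        [pscustomobject]@{ Role = $a.RoleDefinitionName; Scope = $a.Scope }
    }
}

if ($granting) {
    # The SPN already has a role that should allow Get-AzDiagnosticSetting here.
    $granting | Format-Table -AutoSize
} else {
    Write-Warning "No role held by $AppId at this scope grants $Needed"
    # Assign the role named in the answer, limited to this one resource.
    New-AzRoleAssignment -ApplicationId $AppId `
        -RoleDefinitionName "Monitoring Contributor" `
        -Scope $ResourceId
}
```

A new role assignment can take a few minutes to become effective, so re-run the pipeline after a short wait.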