Reputation: 29
I have a service principal; I want to run the az vm extension set command to enable the agent. The az vm extension set command is running with a system-assigned managed identity.
When I run the az vm extension set command with the service principal, I get a permission denied error.
Please tell me which permission is required for the service principal to run az vm extension set with a system-assigned managed identity.
See the command in the screenshot below.
Upvotes: 0
Views: 167
Reputation: 7820
which permission required for SP to run 'az vm extension' with 'System-assigned managed identity'
To install an extension on a virtual machine in Azure, the service principal must have the Virtual Machine Contributor role, which provides the necessary permissions to manage and perform actions on virtual machines.
Once you assign the above role to the service principal, try to execute the command below for enabling the agent.
az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":"/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'
Reference: Virtual machine extension details
Upvotes: 0
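The following is an added example, not part of the question or the answer: a small offline check of whether a set of role assignments lets a service principal install an extension on one VM, which helps when scoping the role to a single VM instead of a subscription. The required action name is taken from Azure's resource provider operations rather than from this page; the role definitions, resource IDs and the "Compute No Extensions" role are constructed for illustration, and deny assignments are not modelled.

```python
import re

# Control-plane operation that `az vm extension set` needs on the target VM.
REQUIRED = "Microsoft.Compute/virtualMachines/extensions/write"

# Constructed, abbreviated role definitions (same shape as the "permissions"
# entries in `az role definition list` output); not copied from a live tenant.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "notActions": []},
    "Compute No Extensions (hypothetical)": {
        "actions": ["Microsoft.Compute/*"],
        "notActions": ["Microsoft.Compute/virtualMachines/extensions/*"]},
}

def _match(pattern, action):
    """Azure action patterns: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """A role grants an action listed in Actions unless NotActions carves it out."""
    allowed = any(_match(p, action) for p in role["actions"])
    excluded = any(_match(p, action) for p in role["notActions"])
    return allowed and not excluded

def scope_covers(scope, resource_id):
    """An assignment applies to the resource at its scope and everything below it."""
    scope, rid = scope.rstrip("/").lower(), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def can_set_extension(assignments, vm_id, roles=ROLES):
    """assignments: (role name, scope) pairs held by the service principal.
    NotActions is not a deny rule, so any one covering assignment is enough."""
    return any(scope_covers(scope, vm_id) and role_allows(roles[name], REQUIRED)
               for name, scope in assignments)

# Constructed resource IDs for the demonstration.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-demo"
OTHER_VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-other"

if __name__ == "__main__":
    print(can_set_extension([("Reader", RG)], VM))
    print(can_set_extension([("Virtual Machine Contributor", VM)], VM))
    print(can_set_extension([("Virtual Machine Contributor", OTHER_VM)], VM))
```

Assigning Virtual Machine Contributor at the VM's own resource ID is the narrowest scope that still satisfies the check; an assignment on a different VM does not.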