Share via

Azure SRE Agent enrolled issue

Harikiran B S 20 Reputation points
2026-04-21T06:42:39.2166667+00:00

I am trying to onboard Azure SRE to a new subscription that resides in a different tenant (ABC). This subscription has already been onboarded to Azure Lighthouse to simplify the enrollment process. However, when requesting access to the subscription via Azure Lighthouse, the highest level of access available is Contributor.

We also attempted to onboard another subscription but were unsuccessful. We suspect this may be related to role assignments, as the access granted through Azure Lighthouse is limited to the Contributor role.

Azure Advisor
Azure Advisor

An Azure personalized recommendation engine that helps users follow best practices to optimize Azure deployments.

0 comments

Answer accepted by question author

  1. Suchitra Suregaunkar 13,785 Reputation points Microsoft External Staff Moderator
    2026-04-21T09:35:36.34+00:00

    Hello @Harikiran B S

    Thank you for posting your query on Microsoft Q&A platform.

    This is a known limitation when combining Azure SRE Agent with Azure Lighthouse in a multi-tenant scenario.

    When you add managed resource groups or subscriptions to an Azure SRE Agent, the agent needs to create RBAC role assignments for its user-assigned managed identity (UAMI) on those resources. This operation requires Owner or User Access Administrator permissions on the target resource groups. [learn.microsoft.com]

    "Contributor role on the subscription needed to register resource providers and create resources. If your team assigns managed resource groups with RBAC, you also need Owner or User Access Administrator to create role assignments."

    However, Azure Lighthouse has specific role limitations:

    • The Owner role is not supported at all through Lighthouse delegations.
    • The User Access Administrator role is supported only for a limited purpose specifically, to assign roles to a managed identity in the customer tenant using delegatedRoleDefinitionIds.

    Since the highest general-purpose role you can delegate through Lighthouse is Contributor, and Contributor lacks Microsoft.Authorization/roleAssignments/write permission, the SRE Agent enrollment fails when it tries to create the necessary role assignments on the delegated subscription. This also explains why your second subscription attempt was unsuccessful the same Lighthouse role limitation applies.

    Please have a look into below workarounds:

    Option 1 : Configure User Access Administrator (limited scope) in Azure Lighthouse

    Azure Lighthouse does support the User Access Administrator role when scoped with delegatedRoleDefinitionIds. This allows the delegated user to assign only specific built-in roles to managed identities. You would need to update your Lighthouse ARM template to include an authorization entry like this: [techcommun...rosoft.com]

    {
  "principalId": "<your-principal-id>",
  "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "principalIdDisplayName": "SRE Agent Setup User",
  "delegatedRoleDefinitionIds": [
    "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "73c42c96-874c-492b-b04d-ab87d138a893",
    "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
    "749f88d5-cbae-40b8-bcfc-e573ddc772fa"
  ]
}

    These role definition IDs correspond to Reader, Log Analytics Reader, Monitoring Reader, and Monitoring Contributor the roles that the SRE Agent's managed identity needs.

    Option 2 : Assign permissions directly in the customer tenant (ABC)

    If updating the Lighthouse template is not feasible, have an administrator in the customer tenant (ABC) directly assign the Owner or User Access Administrator role to the user/service principal performing the SRE Agent onboarding:

    1. Sign in to the Azure portal in tenant ABC directly.
    2. Go to the target subscription → Access Control (IAM)Add role assignment.
    3. Assign Owner or User Access Administrator to the identity that will configure the SRE Agent.
    4. Navigate to sre.azure.com and proceed with adding the delegated subscription as a managed resource.
    5. Once enrollment is complete, the elevated access can be removed if no longer needed.

    References:

    Kindly let us know if the solution provided worked for you.

    If you need any further assistance, please feel free to reach out.

    If you found the comment helpful, please consider clicking "Upvote it".

    Thanks,
    Suchitra.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-21T06:42:55.7133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Azure Lighthouse currently does not support assigning the Owner role or any built‑in roles that include DataActions. Only supported Azure built‑in roles can be used in Lighthouse authorizations, and Owner is explicitly excluded.

    Because of this limitation, the maximum effective permission that can be delegated through Azure Lighthouse for management operations is typically Contributor (or other supported built‑in roles such as Reader, Security Admin, etc., but not Owner). This is why, when onboarding the subscription from tenant ABC via Azure Lighthouse, the highest level of access available is Contributor.

    Key points relevant to the scenario:

    1. Role limitations in Azure Lighthouse
      • Azure Lighthouse supports only Azure built‑in roles and does not support Owner or any built‑in roles with DataActions permissions.
      • Custom roles and classic subscription administrator roles are also not supported.
      • As a result, Contributor is often the highest privileged role that can be assigned via Lighthouse.
    2. Effect on SRE Agent onboarding
      • The Azure SRE Agent portal enforces permissions based on Azure role assignments.
      • Some actions (such as creating or managing the agent resource, modifying settings, or managing connected resources) may require Owner or User Access Administrator on the target scope, which cannot be granted via Lighthouse if Owner is needed.
      • If the SRE Agent or its managed identity needs permissions that exceed Contributor at the subscription level, those must be granted directly in the customer tenant (ABC), not via Lighthouse.
    3. Why another subscription onboarding may fail
      • If the SRE Agent creation or configuration flow requires permissions that the delegated identity does not have (for example, assigning roles to managed identities, modifying certain policies, or accessing resources blocked by deny assignments), the deployment can fail even though Contributor access exists.
      • Additionally, deny assignments that protect system‑managed resources can block actions from the managing tenant even when Contributor is present.
    4. Practical guidance
      • Use Azure Lighthouse to delegate Contributor (or other supported roles) for cross‑tenant management, but do not expect Owner to be available.
      • For operations that require Owner/User Access Administrator or that are blocked by deny assignments, coordinate with an administrator in tenant ABC to:
        • Perform those steps directly in tenant ABC, or
        • Temporarily assign the required higher‑privilege roles to a principal in tenant ABC.
      • Verify that the SRE Agent’s managed identity has the necessary roles on any dependent resources (for example, Log Analytics workspaces) directly in the customer tenant.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.