Azure Lighthouse — Deployment Error (data actions not allowed)

I’ve been designing some templates for Azure Lighthouse deployments recently to delegate access and allow customer subscriptions to be managed from a central location.

Orginally I had the following groups defined in the template to delegate access to Key Vault and Storage Account File Shares and Blobs:

And swiftly ran into this error when deploying the template:

Turns out you cannot use Lighthouse with role definitions that have data actions (i.e. allows access to the data plane rather than the resource itself).

Worth bearing in mind when designing your access model, AAD group structure and lighthouse templates!

An experienced IT professional, focused on cloud tech and DevOps. Specialising in Azure, AWS, & Terraform. Currently working at BT Enterprise as a consultant.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store