⚠️ Problem
The Microsoft.CostManagement/Exports/app.bicep module is always deployed regardless of the enableManagedExports parameter setting. This module assigns the User Access Administrator role (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9) to the managed identity.
This means deploying FinOps hubs requires the deploying user to have permission to assign User Access Administrator, which is a highly privileged role that many organizations restrict.
When a user has the "Role Based Access Control Administrator" role (with default conditions), the deployment fails because the default conditions block assigning the Owner, User Access Administrator, and RBAC Administrator roles.
Error message:
Authorization failed for template resource '...' of type 'Microsoft.Authorization/roleAssignments'.
The client '...' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write'
at scope '.../Microsoft.Storage/storageAccounts/.../providers/Microsoft.Authorization/roleAssignments/...'
🛠️ Solution
Make the User Access Administrator role assignment conditional on enableManagedExports. The role is only needed when the hub manages Cost Management exports (which requires granting access).
Option 1: Make the entire cmExports module conditional on enableManagedExports
Option 2: Make only the User Access Administrator role assignment conditional within the module
The relevant code is in the cmExports module deployment.
ℹ️ Additional context
The storageRoles parameter in Exports/app.bicep assigns User Access Administrator:
storageRoles: [
  // User Access Administrator -- https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#user-access-administrator
  // Used to create Cost Management exports (which require access to grant access)
  '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
]
While cmManagedExports is conditional on enableManagedExports, the base cmExports module is always deployed.
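As an added illustration (not the FinOps toolkit's own code), this is the shape each option would take in Bicep. The parameter, module, file and role names are the ones cited in this issue; the storage account, principal id and API versions are assumptions.

```bicep
// Added example, not the FinOps toolkit's own code. Names cited in the issue
// (enableManagedExports, cmExports, Exports/app.bicep, storageRoles, the role id)
// are kept; the storage account, principal id and API versions are assumptions.
// Option 1 and Option 2 are alternatives; both are shown here side by side.
param enableManagedExports bool = false
param storageAccountName string
param identityPrincipalId string

// User Access Administrator built-in role id, as quoted in the issue
var userAccessAdministratorRoleId = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Option 1: skip the whole module unless managed exports are enabled.
// Nothing inside Exports/app.bicep is deployed, so no roleAssignments/write
// is attempted and an RBAC Administrator with default conditions can deploy.
module cmExports 'Exports/app.bicep' = if (enableManagedExports) {
  name: 'cmExports'
  params: {
    storageRoles: [
      userAccessAdministratorRoleId
    ]
    // other module parameters omitted
  }
}

// Option 2: keep the module, but guard only the privileged assignment itself.
// This resource would live inside Exports/app.bicep, with the flag passed in
// as a parameter; everything else in the module still deploys unconditionally.
resource uaaAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableManagedExports) {
  name: guid(storage.id, identityPrincipalId, userAccessAdministratorRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', userAccessAdministratorRoleId)
    principalId: identityPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

With enableManagedExports left at false, neither variant emits a Microsoft.Authorization/roleAssignments resource, which is the action the error message above reports as denied.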
🙋♀️ Ask for the community
We could use your help:
- Please vote this issue up (👍) to prioritize it.
- Leave comments to help us solidify the vision.