Security policy enforcement is completely broken. When assigning roles to IoT devices using the aziotc security policy SDK, we consistently get ‘Insufficient Permissions’ errors despite having Global Administrator access. The Azure RBAC role requirements documentation is unclear about what specific permissions are needed for SDK-based role assignments.
Error details:
Error: InsufficientPermissions
Operation: assignDeviceRole()
Required: Microsoft.Authorization/roleAssignments/write
User: admin@company.com (Global Admin)
The SDK role assignment logic seems to require additional permissions beyond what Global Admin provides. We need to assign IoT Hub Data Contributor roles to 2000+ devices programmatically. Manual assignment works fine through Azure Portal, but the SDK fails. Do we need to elevate user credentials somehow, or is this an aziotc SDK bug?
We’re authenticating with user credentials, not a service principal. So I need to add the User Access Administrator role to my account in addition to Global Admin? Will that work for the SDK, or does the SDK require service principal authentication?
Global Administrator in Azure AD is different from Azure RBAC roles. For role assignments via SDK, you need the User Access Administrator role at the subscription or resource group level. Global Admin doesn’t automatically grant Azure resource permissions - it’s an Azure AD role, not an Azure RBAC role.
Also check your service principal permissions if you’re using app-based authentication. The SDK might be using a service principal that doesn’t have the Microsoft.Authorization/roleAssignments/write permission. You need to explicitly grant that permission to the app registration used by the SDK.
The SDK supports both user and service principal authentication. For user auth, yes, you need the User Access Administrator role at the appropriate scope. However, for bulk operations on 2000+ devices, I strongly recommend using a service principal instead. User credentials have MFA requirements and session timeouts that will interrupt long-running batch operations.
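As an added illustration of the point made in the two answers above (this is example code, not from the thread, the aziotc SDK, or any Azure library): a small model of how Azure RBAC decides whether a principal may perform Microsoft.Authorization/roleAssignments/write at a scope, usable as a pre-flight check before starting a bulk run. The role definitions, subscription id and principal name are constructed sample data.

```python
from fnmatch import fnmatchcase

# Subset of Azure built-in role definitions as (Actions, NotActions).
# Constructed for this example; compare against `az role definition list`.
ROLE_DEFINITIONS = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                             "Microsoft.Authorization/*/Delete",
                             "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}

# Azure AD directory roles such as Global Administrator are intentionally
# absent from this model: RBAC evaluation never consults them, which is why
# a Global Admin with no RBAC assignment is denied below.

ROLE_ASSIGNMENTS_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(action, patterns):
    """Azure action matching: '*' wildcard, case-insensitive comparison."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every child scope."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def can_perform(principal, action, target_scope, assignments):
    """True if some RBAC assignment (principal, role, scope) grants `action`
    at `target_scope`: the role's Actions match and NotActions do not."""
    for assignee, role, scope in assignments:
        if assignee != principal or not scope_covers(scope, target_scope):
            continue
        actions, not_actions = ROLE_DEFINITIONS[role]
        if _matches(action, actions) and not _matches(action, not_actions):
            return True
    return False


def preflight_role_assignment(principal, target_scope, assignments):
    """Pre-flight for a batch job: can this principal write role assignments
    at the scope where the device roles will be created?"""
    return can_perform(principal, ROLE_ASSIGNMENTS_WRITE, target_scope, assignments)
```

Run the check once with the credential the batch job will actually use (user or service principal) before iterating over the 2000+ devices, so a missing User Access Administrator assignment surfaces as one failure rather than thousands.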