Merge pull request #78 from haflidif/bug/issue77

Enhancements to New-AzPolicyReaderRole script.

README.md

@@ -103,6 +103,7 @@ The solution has a starter kit (folder `StarterKit`). Copy the contents of the `
 ### EPAC Policy Reader role (custom)
 
 Create a custom role to be used by the planing stages' service connections **EPAC Policy Reader role**. Script `./Scripts/Operations/New-AzPolicyReaderRole.ps1` will create the role at the scope defined in `global-settings.json`. It will contain:
+   - `Microsoft.Management/register/action`
    - `Microsoft.Authorization/policyassignments/read`
    - `Microsoft.Authorization/policydefinitions/read`
    - `Microsoft.Authorization/policyexemptions/read`
@@ -139,6 +140,13 @@ Create Service Principals for the pipeline execution and setup your DevOps envir
   - Security Reader and Policy Contributor for deploying Policies, Initiatives and Assignments in the EPAC prod environment
   - User Administrator for assigning roles to the Assignments' Managed Identities (for remediation tasks) in the EPAC prod environment
 
+> **Note:** 
+> When creating a Service Connection in Azure DevOps you can set up the service connections on Subscription or a Management Group scope level, when configuring the service connection for the EPAC Developer and Test subscriptions the service connections scope level is **Subscription**, however when creating a Service Connections for EPAC Prod Plan, EPAC Prod Deployment and EPAC Role Assignment the service connection scope level is **Management Group**.
+
+Subscription scope level | Management Group scope level
+:-----------:|:----------------: 
+![image](./Docs/Images/azdoServiceConnectionSubConf.png) | ![image](./Docs/Images/azdoServiceConnectionMGConf.png)
+
 ### EPAC environments setup
 
 Like any other software or X as Code solution, EPAC needs areas for developing and testing new Policies, Initiatives and Assignments before any deployment to EPAC prod environments. In most cases you will need one subscription each for development and testing. EPAC's prod environment will govern all other IaC environments (e.g., sandbox, development, integration, test/qa, pre-prod, prod, ...). This can be slightly confusing.

Scripts/Operations/New-AzPolicyReaderRole.ps1

@@ -32,6 +32,7 @@ $role.Description = 'Read access to Azure Policy.'
 $role.IsCustom = $true
 $perms = @(
     "*/read",
+    "Microsoft.Management/register/action",
     "Microsoft.Authorization/policyassignments/read",
     "Microsoft.Authorization/policydefinitions/read",
     "Microsoft.Authorization/policyexemptions/read",

Scripts/Operations/README.md

@@ -19,11 +19,15 @@ Many scripts use a configuration value called `RootScope`. It denotes the locati
 
 ## New-AzPolicyReaderRole.ps1
 
-Creates a custom role `Policy Contributor` at the scope selected with `PacEnvironmentSelector`:
-
-- `Microsoft.Authorization/policyAssignments/read`
-- `Microsoft.Authorization/policyDefinitions/read`
-- `Microsoft.Authorization/policySetDefinitions/read`
+Creates a custom role `Policy Reader` at the scope selected with `PacEnvironmentSelector`:
+
+- `Microsoft.Management/register/action`
+- `Microsoft.Authorization/policyassignments/read`
+- `Microsoft.Authorization/policydefinitions/read`
+- `Microsoft.Authorization/policyexemptions/read`
+- `Microsoft.Authorization/policysetdefinitions/read`
+- `Microsoft.PolicyInsights/*`
+- `Microsoft.Support/*`
 
 |Parameter | Required | Explanation |
 |----------|----------|-------------|