ConfigMgr error creating CMG - Subscription Configuration. Error occurred when granting Contributor permission to the Microsoft Entra ID app for resource group rg-xyz. For more information, see SmsAdminUI.log.
Thought I would share my experience/finding with this error on ConfigMgr v5.0.9141.100 (2509).
My account did have Owner on the Subscription + GA, but the CMG wizard kept throwing this error. SmsAdminUI.log shows this:
Hyak.Common.CloudException
Failed to complete the role assignment with status code Forbidden.
   at Microsoft.ConfigurationManagement.AdminConsole.AzureServices.RegionPageControl.GrantRoleBasedAccessControlToAadAppOnResourceGroup(String subscriptionId, String servicePrincipalId, String resourceGroupName)
We could see the process was actually setting the Contributor role on the Entra WebApp in Azure, but subsequent attempts would say it was already defined. The wizard still threw the same error message above, though.
SOLUTION: The fix for us was to add the User Access Administrator role to the user account, as this role explicitly has "Microsoft.Authorization/*" permissions. The specific right needed, from the logs, appears to be "Microsoft.Authorization/roleAssignments/write".
Our suspicion is this is either a bug in this version of the ConfigMgr function or fallout from the recent deprecation of the 'Classic subscription administrator roles', because, from what I can tell, Hyak.Common.CloudException is a legacy Azure SDK function.
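As an added illustration of why Contributor is not enough here while User Access Administrator is, the following script (example code written for this thread, not part of ConfigMgr or the Azure SDK) evaluates Azure RBAC role definitions the way the service does: an action is allowed by a role if it matches an entry in Actions and no entry in NotActions, with `*` matching any characters (including `/`) case-insensitively. The role definitions below are constructed, abbreviated copies of the built-in Owner, Contributor, Reader and User Access Administrator roles; the real definitions carry more NotActions than shown. It only reasons about role definitions; whether the assignment actually exists at the subscription or resource-group scope is a separate check.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The action the CMG wizard needs, taken from the Forbidden error in SmsAdminUI.log.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


@dataclass
class RoleDefinition:
    """Minimal model of an Azure RBAC role definition (Actions / NotActions only)."""
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


# Constructed, abbreviated built-in role definitions (assumption: the real ones
# list additional NotActions such as Microsoft.Blueprint/* that do not matter here).
OWNER = RoleDefinition("Owner", actions=["*"])
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=["*"],
    not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
)
READER = RoleDefinition("Reader", actions=["*/read"])
USER_ACCESS_ADMINISTRATOR = RoleDefinition(
    "User Access Administrator",
    actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
)
BUILT_IN_ROLES = [OWNER, CONTRIBUTOR, READER, USER_ACCESS_ADMINISTRATOR]


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' spans any characters, matching is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, action: str) -> bool:
    """An action is granted when some Actions entry matches and no NotActions entry matches."""
    allowed = any(_matches(p, action) for p in role.actions)
    denied = any(_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def roles_allowing(roles: List[RoleDefinition], action: str) -> List[str]:
    """Names of the roles (in the given order) whose definition grants the action."""
    return [r.name for r in roles if role_allows(r, action)]


def explain(role: RoleDefinition, action: str) -> str:
    """Human-readable verdict, naming the NotActions entry that blocks the action if any."""
    blockers = [p for p in role.not_actions if _matches(p, action)]
    if blockers:
        return f"{role.name}: DENIED ({action} is excluded by NotActions {blockers[0]!r})"
    if role_allows(role, action):
        return f"{role.name}: allowed"
    return f"{role.name}: DENIED (no Actions entry matches {action})"


if __name__ == "__main__":
    for role in BUILT_IN_ROLES:
        print(explain(role, ROLE_ASSIGNMENT_WRITE))
    print("Roles that can create role assignments:",
          roles_allowing(BUILT_IN_ROLES, ROLE_ASSIGNMENT_WRITE))
```

Running it shows Contributor denied by its `Microsoft.Authorization/*/Write` exclusion and User Access Administrator allowed by `Microsoft.Authorization/*`, which is the permission gap the post describes. To confirm what is actually assigned to the account in a real tenant, list its assignments at the subscription and resource-group scopes with `Get-AzRoleAssignment` (Az PowerShell) before re-running the CMG wizard.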