Description
As of June 2025, a previously functional Azure Lighthouse registration definition is now failing with the following error:
The role definition '92aaf0da-9dab-42b6-94a3-d43ce8d16293' with data actions not allowed for registration definition 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. Only built in role definitions without any data and notData actions are allowed.
This role ID corresponds to the Log Analytics Contributor built-in role, which has been used successfully in our Lighthouse registration definitions until recently (last known working date: Friday, June 13, 2025).
Expected Behavior
According to the official documentation, the Log Analytics Contributor role is a valid built-in role. There is no mention that it is disallowed in Azure Lighthouse registration definitions.
We expect:
Built-in roles like Log Analytics Contributor to remain valid unless explicitly deprecated or restricted.
Documentation to reflect any new enforcement rules regarding DataActions or NotDataActions in Lighthouse.
Actual Behavior
The deployment now fails with the above error, indicating that roles with DataActions are no longer allowed, even if they are built-in.
Impact
Breaks existing Lighthouse deployments that have not changed.
Prevents use of roles necessary for cross-tenant diagnostics and monitoring.
No clear guidance or changelog entry explaining this new restriction.
Request
Please confirm whether this is an intentional change in Azure Lighthouse behavior.
If so, update the documentation to reflect this restriction.
If not, please investigate and resolve the regression.
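A pre-deployment check for the rule quoted in the error message, added here as an example; it is not part of the original issue or of any Azure tooling. It flags every entry in a registration definition's `authorizations` array whose role carries `dataActions` or `notDataActions`. The role data is a constructed sample, assumed to match the JSON shape printed by `az role definition list`, and the function names are hypothetical.

```python
import json

# Constructed sample, assumed to match the JSON shape printed by
# `az role definition list`. Permission strings are placeholders,
# not the real contents of any built-in role.
ROLE_DEFINITIONS = json.loads("""
[
  {"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
   "roleName": "Log Analytics Contributor",
   "permissions": [{"actions": ["*/read"], "notActions": [],
                    "dataActions": ["Example.Provider/placeholder/read"],
                    "notDataActions": []}]},
  {"name": "00000000-0000-0000-0000-000000000001",
   "roleName": "Constructed Control Plane Role",
   "permissions": [{"actions": ["*/read"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]}
]
""")

# Constructed `authorizations` array from a registration definition template.
AUTHORIZATIONS = [
    {"principalId": "<principal-1>", "roleDefinitionId": "92AAF0DA-9DAB-42B6-94A3-D43CE8D16293"},
    {"principalId": "<principal-2>", "roleDefinitionId": "00000000-0000-0000-0000-000000000001"},
    {"principalId": "<principal-3>", "roleDefinitionId": "00000000-0000-0000-0000-000000000002"},
]

def data_plane_permissions(role):
    """Collect non-empty dataActions / notDataActions across all permission blocks."""
    found = {"dataActions": [], "notDataActions": []}
    for perm in role.get("permissions", []):
        for key in found:
            found[key].extend(perm.get(key) or [])
    return {key: values for key, values in found.items() if values}

def preflight(authorizations, role_definitions):
    """Return a finding for each authorization that has data actions or cannot be resolved."""
    by_id = {role["name"].lower(): role for role in role_definitions}
    findings = []
    for auth in authorizations:
        role_id = auth["roleDefinitionId"].lower()  # compare GUIDs case-insensitively
        role = by_id.get(role_id)
        if role is None:  # role not in the supplied list: cannot be vetted
            findings.append({"roleDefinitionId": role_id, "status": "unresolved"})
            continue
        hits = data_plane_permissions(role)
        if hits:
            findings.append({"roleDefinitionId": role_id, "status": "has-data-actions",
                             "roleName": role["roleName"], **hits})
    return findings

if __name__ == "__main__":
    print(json.dumps(preflight(AUTHORIZATIONS, ROLE_DEFINITIONS), indent=2))
```

Running this against freshly exported role definitions in a deployment pipeline surfaces a changed built-in role before the registration definition deployment fails.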