The following roles must be added to the resource group that you use for the deployment. You can assign these roles using either PowerShell commands or Azure portal:
- Key vault data access administrator
- Key vault secrets officer
- Key vault contributor
- Storage account contributor
- Azure connected machine onboarding
- Azure connected machine resource administrator