User doesn't have permission to create deployment ARM template in Azure

CJ Edwards 1 Reputation point
2021-01-29T08:10:37.987+00:00

Using the 'Deploy to Azure' ARM template link from: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

Getting the error:
The client 'live.com#xxx@Stuff .com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)


6 answers

  1. Michael Frank 106 Reputation points
    2021-08-12T23:44:21.437+00:00

    Hi all,

    For anybody having the same issue:

    @Jim Britt [MSFT] provided the correct answer:
    Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    which state that you need to:

    1. Elevate Access to manage Azure resources in the directory
    2. Grant Access to User at root scope "/" to deploy Enterprise-Scale reference implementation

    This is because Enterprise-Scale requires permission at the tenant root scope "/" to be able to configure Management Groups and create/move subscriptions. In order to grant permission at the tenant root scope "/", users in the "AAD Global Administrators" group can temporarily elevate access to manage all Azure resources in the directory.

    3 people found this answer helpful.

  2. Daniel Villamizar 11 Reputation points MVP
    2021-02-25T21:07:52.88+00:00

    As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory.

    If you are a Global Administrator, there might be times when you want to do the following actions:

    Regain access to an Azure subscription or management group when a user has lost access
    Grant another user or yourself access to an Azure subscription or management group
    See all Azure subscriptions or management groups in an organization
    Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.

    Please look into Elevate access for a Global Administrator here:

    https://learn.microsoft.com/es-es/azure/role-based-access-control/elevate-access-global-admin

    2 people found this answer helpful.

  3. Jim Britt [MSFT] 21 Reputation points Microsoft Employee
    2021-08-12T23:20:32.377+00:00

    Apologies, somehow my link didn't come through when I posted earlier. Has everyone followed this process to ensure you are setup properly?

    https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    2 people found this answer helpful.

  4. Jason Hyland 6 Reputation points
    2021-04-22T12:09:51.423+00:00

    Appears you also need to assign the role:

    az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad user show -o tsv --query objectId --id '<replace-me>@<my-aad-domain.com>')

    1 person found this answer helpful.
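    Added example (not from any of the answers or the Enterprise-Scale project): a Python helper that parses the AuthorizationFailed message from the question, works out the narrowest scope a role assignment would have to sit at, and for the tenant-root case lists the az CLI steps from Michael's and Jason's answers plus the elevate-access article, including removing the elevation afterwards. The regex and the sample message are constructed, and the Global Administrator's UPN is an assumed placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed regex for the shape of the AuthorizationFailed message quoted in the question.
_AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '(?P<object_id>[0-9a-f-]{36})' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'", re.IGNORECASE)

@dataclass
class AuthzFailure:
    client: str
    object_id: str
    action: str
    scope: str

    def required_assignment_scope(self) -> str:
        """Narrowest scope at which a role assignment could cover the failed action. A deployment at
        /providers/Microsoft.Resources/deployments/<name> with no subscription or management-group
        segment is a tenant-level deployment (what Enterprise-Scale uses), so it needs tenant root '/'."""
        for pat in (r"^/subscriptions/[^/]+/resourceGroups/[^/]+",
                    r"^/subscriptions/[^/]+",
                    r"^/providers/Microsoft\.Management/managementGroups/[^/]+"):
            m = re.match(pat, self.scope, re.IGNORECASE)
            if m:
                return m.group(0)
        return "/"

def parse_authorization_failed(message: str) -> Optional[AuthzFailure]:
    m = _AUTHZ_RE.search(message)
    return AuthzFailure(**m.groupdict()) if m else None

def remediation_steps(f: AuthzFailure, admin_upn: str) -> List[str]:
    """az CLI steps for the tenant-root case; admin_upn (assumed placeholder) is the elevating Global Admin."""
    scope = f.required_assignment_scope()
    if scope != "/":  # not tenant-level: grant only at the narrower scope, never at root
        return [f"# assign a role that includes {f.action} at {scope}; no root-scope grant needed"]
    return [
        # 1. Elevate the Global Administrator to User Access Administrator at '/' (elevate-access article).
        "az rest --method post --url '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'",
        # 2. Grant the deploying principal Owner at '/' (object id taken from the error, as in Jason's answer).
        f"az role assignment create --scope '/' --role 'Owner' --assignee-object-id {f.object_id}",
        # 3. Remove the elevation once the deployment is done; '/' assignments are tenant-wide privilege.
        f"az role assignment delete --assignee '{admin_upn}' --role 'User Access Administrator' --scope '/'",
    ]

# Constructed sample reproducing the question's message (HTML debris removed).
SAMPLE = ("The client 'xxx@stuff.com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have "
          "authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope "
          "'/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid.")
```

    Review the output of `az role assignment list --scope '/'` after step 3 so that no standing Owner or User Access Administrator grants remain at the tenant root beyond the one the deployment needs.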

  5. Jim Britt [MSFT] 21 Reputation points Microsoft Employee
    2021-07-21T16:56:52.177+00:00

    Please see the following article that explains the required configuration setup for Azure permissions before you can move forward on this deployment. It details the step-by-step process for configuring Azure permissions for ARM tenant deployments.

    https://learn.microsoft.com/en-us/answers/questions/250370/user-doesn39t-have-permission-to-create-deployment.html

    1 person found this answer helpful.