User doesn't have permission to create deployment ARM template in Azure

CJ Edwards 1 Reputation point
2021-01-29T08:10:37.987+00:00

Using the 'Deploy to Azure' ARM template link from: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

Getting the error:
The client 'live.com#xxx@Stuff.com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

Azure Cloud Services

6 answers

  1. Michael Frank 106 Reputation points
    2021-08-12T23:44:21.437+00:00

    Hi all,

    for anybody having the same issue.

    @Jim Britt [MSFT] provided the correct answer:
    Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    which state that you need to:

    1. Elevate Access to manage Azure resources in the directory
    2. Grant Access to User at root scope "/" to deploy Enterprise-Scale reference implementation

    This is due to Enterprise Scale requiring permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in the "AAD Global Administrators" group can temporarily elevate access to manage all Azure resources in the directory.

    3 people found this answer helpful.

  2. Jim Britt [MSFT] 21 Reputation points Microsoft Employee
    2021-08-12T23:20:32.377+00:00

    Apologies, somehow my link didn't come through when I posted earlier. Has everyone followed this process to ensure you are set up properly?

    https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    2 people found this answer helpful.

  3. Sudeep 31 Reputation points
    2021-08-12T15:56:27.127+00:00

    Even though I have the required permission, I am really not sure what is happening.

    I am trying to use the following example: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

    122822-image.png

    Any idea?


  4. Jim Britt [MSFT] 21 Reputation points Microsoft Employee
    2021-07-21T16:56:52.177+00:00

    Please see the following article that explains the required configuration setup for Azure permissions before you can move forward on this deployment. It details the step-by-step process for configuring Azure permissions for ARM tenant deployments.

    https://learn.microsoft.com/en-us/answers/questions/250370/user-doesn39t-have-permission-to-create-deployment.html

    1 person found this answer helpful.

  5. Jason Hyland 6 Reputation points
    2021-04-22T12:09:51.423+00:00

    Appears you also need to assign the role:

    az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad user show -o tsv --query objectId --id '<replace-me>@<my-aad-domain.com>')

    1 person found this answer helpful.
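
Added example, not part of any answer in this thread and not Enterprise-Scale code: a small Python triage helper that parses the `AuthorizationFailed` message from the question, classifies the deployment scope, and shows why a role held on a subscription does not cover a tenant-level deployment while an assignment at root scope "/" does. The role-assignment records use a simplified, constructed shape and a placeholder subscription id; the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Error text from the question (e-mail redacted as posted).
ERROR = (
    "The client 'live.com#xxx@Stuff.com' with object id "
    "'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform "
    "action 'Microsoft.Resources/deployments/validate/action' over scope "
    "'/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' "
    "or the scope is invalid."
)
# Constructed sample: Owner-like assignments in a simplified shape (placeholder subscription id).
SUB_OWNER = {"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
             "actions": ["*"], "notActions": []}
ROOT_OWNER = {"scope": "/", "actions": ["*"], "notActions": []}

def parse_authz_error(msg):
    """Extract principal object id, denied action and target scope."""
    m = re.search(r"object id '([^']+)'.*?action '([^']+)' over scope '([^']+)'", msg, re.S)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return dict(zip(("object_id", "action", "scope"), m.groups()))

def deployment_level(scope):
    """Classify the ARM deployment scope from the shape of its resource id."""
    s = scope.lower()
    if s.startswith("/subscriptions/"):
        return "resource group" if "/resourcegroups/" in s else "subscription"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    return "tenant"

def covers(assignment_scope, target):
    """RBAC is inherited downward: an assignment applies at its scope and below."""
    a, t = assignment_scope.rstrip("/").lower(), target.lower()
    return t == a or t.startswith(a + "/")  # root "/" becomes "" and matches everything

def _matches(action, patterns):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(assignments, action, target):
    """True if some assignment covering the target grants the action."""
    return any(
        covers(ra["scope"], target)
        and _matches(action, ra["actions"])
        and not _matches(action, ra["notActions"])
        for ra in assignments
    )

if __name__ == "__main__":
    err = parse_authz_error(ERROR)
    print(deployment_level(err["scope"]), is_allowed([SUB_OWNER], err["action"], err["scope"]))
```
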