User doesn't have permission to create deployment ARM template in Azure

CJ Edwards 1

Using the 'Deploy to Azure' ARM template link from: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

Getting the errror:
The client 'live.com# target="_blank" href="mailto:xxx@Stuff .com" title="Email xxx@Stuff .com">xxx@Stuff .com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

prmanhas-MSFT 17,891 Reputation points Microsoft Employee

2021-01-29T10:30:32.517+00:00

@CJ Edwards Can you help me understand what is the current permission or role your account has over subscription?

Thanks
CJ Edwards 1 Reputation point

2021-01-29T22:23:03.41+00:00

I have the following default roles on the free subscription:

Owner
Resource Policy Contributor
User Access Administrator

I created a custom role named 'Deployment Admin' to grant myself the following permissions to the subscription:
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete
Microsoft.Resources/deployments/cancel/action
Microsoft.Resources/deployments/validate/action
Microsoft.Resources/deployments/whatIf/action
Microsoft.Resources/deployments/exportTemplate/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Resources/deploymentScripts/read
Microsoft.Resources/deploymentScripts/write
Microsoft.Resources/deploymentScripts/delete
Microsoft.Resources/deploymentScripts/logs/read

I'm also a Global Administrator in Azure AD
prmanhas-MSFT 17,891 Reputation points Microsoft Employee

2021-02-01T12:30:26.873+00:00

@CJ Edwards It seems like you do have required permissions. As this issues need more investigation and live troubleshooting for quicker resolution I would recommend you to contact azure support. If you have a support plan, requesting you to file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
snehanshu bhaisare 11 Reputation points

2021-03-23T21:57:21.547+00:00

I have the same issue https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/treyresearch/README.md for this template
Jason Hyland 6 Reputation points

2021-04-22T12:06:45.593+00:00

Still seems the same issue
Jamie Pla 6 Reputation points Microsoft Employee

2021-05-18T11:35:51.817+00:00

Please have a look at this blog post and see if it solves your problem
https://www.techielass.com/error-when-deploying-an-azure-landing-zone-template/
Michael Frank 106 Reputation points

2021-08-12T23:43:53.07+00:00
Hi all,

for anybody having the same issue.

@Jim Britt [MSFT] provided the correct answer:
Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

which state that you need to:

Elevate Access to manage Azure resources in the directory

Grant Access to User at root scope "/" to deploy Enterprise-Scale reference implementation

this is due to Enterprise Scale requiring permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in "AAD Global Administrators" group can temporarily elevate access, to manage all Azure resources in the directory.

6 answers

Daniel Villamizar 11 Reputation points MVP

2021-02-25T21:07:52.88+00:00

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory.

f you are a Global Administrator, there might be times when you want to do the following actions:

Regain access to an Azure subscription or management group when a user has lost access
Grant another user or yourself access to an Azure subscription or management group
See all Azure subscriptions or management groups in an organization
Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.

Please into Elevate access for a Global Administrator here:

https://learn.microsoft.com/es-es/azure/role-based-access-control/elevate-access-global-admin
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment
Jason Hyland 6 Reputation points

2021-04-22T12:09:51.423+00:00

Appears you also need to assign role;

az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad user show -o tsv --query objectId --id '<replace-me>@<my-aad-domain.com>'
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Jim Britt [MSFT] 21 Reputation points Microsoft Employee

2021-07-21T16:56:52.177+00:00

Please see the following article that explains the required configuration setup for Azure permissions before you can move forward on this deployment. They detail out the step by steps for configuring Azure permissions for ARM tenant deployments.

https://learn.microsoft.com/en-us/answers/questions/250370/user-doesn39t-have-permission-to-create-deployment.html
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Sudeep 31 Reputation points

2021-08-12T15:56:27.127+00:00

Even i have the required permission, i am really not sure what is happening..

I am trying to use the following example.. https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

any idea
Please sign in to rate this answer.
Paul N 0 Reputation points

2023-03-30T17:06:52.79+00:00

I have owner permissions to a brand new tenant root with nothing else deployed and I see an arm template error

You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.

Jim Britt [MSFT] 21 Reputation points Microsoft Employee

2023-03-30T17:26:28.06+00:00

For those that didn't see the feedback earlier in this conversation,

Michael Frank indicated the below. Paul N please take a look.

Hi all,

for anybody having the same issue.

@Jim Britt [MSFT] provided the correct answer:
Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

which state that you need to:

Elevate Access to manage Azure resources in the directory

Grant Access to User at root scope "/" to deploy Enterprise-Scale reference implementation

this is due to Enterprise Scale requiring permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in "AAD Global Administrators" group can temporarily elevate access, to manage all Azure resources in the directory.
Sign in to comment
Jim Britt [MSFT] 21 Reputation points Microsoft Employee

2021-08-12T23:20:32.377+00:00

Apologies, somehow my link didn't come through when I posted earlier. Has everyone followed this process to ensure you are setup properly?

https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment