User doesn't have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

Rabia Mehta 11 Reputation points
2021-06-13T06:29:32.047+00:00

Whenever a new user added to the directory tries to deploy custom Azure templates, they get the following validation error: User doesn't have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

The following roles are already granted:

  1. Global Administrator access in Azure AD
  2. Owner role assignment at the subscription level
  3. Contributor access at management Group level

I also tried elevating access, but I am still facing the same issue.

Tags: Azure Role-based access control, Microsoft Entra ID

3 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-06-14T22:52:33.5+00:00

    If you have already elevated the access and granted the Owner role, another thing to confirm is that you have granted permission to do ARM template deployment at the tenant root (/) scope and completed the prerequisites described here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    2 people found this answer helpful.

  2. Ezequiel Gustavo Muñoz 56 Reputation points
    2022-11-02T14:03:20.173+00:00

    Hi, I had the same problem, but I fixed it with the following commands in Bash (in the Azure Portal Cloud Shell). Only 2 commands. Only copy and paste the commands. Regards.

    Assign the Owner role at tenant root scope ("/") to the current user, acting as User Access Administrator (uses the object id of the signed-in user from az login):

    az role assignment create --scope '/' --role 'Owner' --assignee-object-id "$(az ad signed-in-user show --query id --output tsv)" --assignee-principal-type User

    (Optional) Assign the Owner role at tenant root scope ("/") to a service principal, acting as User Access Administrator (set spn_displayname to your service principal's display name):

    spn_displayname='<ServicePrincipal DisplayName>'
    # Azure CLI 2.37+ (Microsoft Graph) returns the object id as 'id', not 'objectId'; the display name must match exactly one service principal
    az role assignment create --scope '/' --role 'Owner' --assignee-object-id "$(az ad sp list --display-name "$spn_displayname" --query '[].id' --output tsv)" --assignee-principal-type ServicePrincipal

    1 person found this answer helpful.

  3. Omar Jiménez Gómez 1 Reputation point
    2021-06-23T19:22:42.05+00:00

    Hi @Marilee Turscak-MSFT,

    Following the steps here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    I was able to complete step 1 but step 2 is not working:

    PS /home/omar> Set-AzContext -Tenant 'xxxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a'

    Name                                      Account           SubscriptionName            Environment  TenantId
    ----                                      -------           ----------------            -----------  --------
    Visual Studio Enterprise Subscription (…  xxxx@Stuff .com   Visual Studio Enterprise…   AzureCloud   xxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a

    PS /home/omar> $user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
    PS /home/omar> New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
    New-AzRoleAssignment: Cannot validate argument on parameter 'ObjectId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
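The complete sequence the answers above describe (elevate access, resolve the signed-in user's object id, assign Owner at the tenant root scope, then confirm that Microsoft.Resources/deployments/validate/action works at that scope), as an added PowerShell example. This is not code from the question, from any of the answers, or from the Enterprise-Scale repository. It assumes Az.Accounts and Az.Resources 5.x or later (for Get-AzADUser -SignedIn, which avoids the null-Id lookup in the transcript above when the sign-in name and the UPN differ, e.g. for guest accounts), that the signed-in account is a Global Administrator (required by the elevateAccess call), and that the REST path, the empty tenant-level template and the westeurope location are placeholders chosen for the example.

```powershell
# Added example, not from the question or any answer. Requires Az.Accounts and
# Az.Resources 5.x+ and a Global Administrator account that has run Connect-AzAccount.

# 1. Elevate the Global Administrator to User Access Administrator at root scope ("/").
#    This is the portal's "Access management for Azure resources" toggle, via REST.
$elevate = Invoke-AzRestMethod -Method POST -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($elevate.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($elevate.StatusCode) $($elevate.Content)"
}

# 2. Resolve the signed-in user's object id directly, instead of looking it up by UPN.
#    (Get-AzContext).Account is the sign-in name, which is not the UPN for guest
#    (#EXT#) users, so -UserPrincipalName returns nothing and Id ends up null.
$user = Get-AzADUser -SignedIn
if (-not $user -or -not $user.Id) {
    throw 'Could not resolve the signed-in user; wait a minute for elevation to propagate and retry'
}

# 3. Assign Owner at "/" unless it is already there (a duplicate assignment is an error).
$existing = Get-AzRoleAssignment -Scope '/' -ObjectId $user.Id -RoleDefinitionName 'Owner' -ErrorAction SilentlyContinue |
    Where-Object { $_.Scope -eq '/' }
if (-not $existing) {
    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id | Out-Null
}

# 4. Check that deployments/validate/action now succeeds at tenant scope by validating a
#    constructed, empty tenant-level template. Role assignments can take a few minutes to
#    propagate, so an AuthorizationFailed result is retried rather than treated as final.
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @()
}
$location = 'westeurope'   # placeholder; tenant deployments only use this for metadata
$maxAttempts = 5
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    $denied = $false
    try {
        # Test-Az*Deployment returns validation errors as objects; some auth failures throw instead.
        $errors = Test-AzTenantDeployment -Location $location -TemplateObject $template -ErrorAction Stop
        $denied = [bool]($errors | Where-Object { $_.Code -eq 'AuthorizationFailed' })
    }
    catch {
        if ($_.Exception.Message -match 'AuthorizationFailed|does not have authorization') { $denied = $true }
        else { throw }
    }
    if (-not $denied) { break }
    if ($attempt -lt $maxAttempts) { Start-Sleep -Seconds 60 }
}
if ($denied) {
    throw "Still not authorized for Microsoft.Resources/deployments/validate/action at '/' after $maxAttempts attempts"
}
Write-Host "Tenant-scope template validation succeeded for $($user.UserPrincipalName)"

# 5. Least privilege: Owner at "/" reaches every management group and subscription in the
#    tenant. Once the landing-zone deployment is finished, remove the elevated assignment
#    (and the root Owner assignment if it is no longer needed):
#    Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

Step 4 is the check that the thread lacks: the error in the question is raised by the validate action at the tenant root, so validating an empty tenant-level template is the quickest way to tell whether a root-scope assignment has actually taken effect, without starting a real deployment. The retry loop exists because a freshly created root-scope assignment is often still reported as AuthorizationFailed for a few minutes.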