If you have already elevated access and granted yourself the Owner role, another thing to confirm is that you have granted permission to do ARM template deployment at the tenant root (/) scope and completed the prerequisites described here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md
User don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action
Whenever a new user added to the directory tries to deploy custom Azure templates, they get the following validation error: User don't have authorization to perform action 'Microsoft.Resources/deployments/validate/action
The following roles are already granted:
- Global Administrator access in Azure AD
- Owner role assignment at the subscription level
- Contributor access at the management group level
Also tried elevating access, but still facing the same issue.
3 answers
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
2021-06-14T22:52:33.5+00:00
Ezequiel Gustavo Muñoz 56 Reputation points
2022-11-02T14:03:20.173+00:00 Hi, I had the same problem, but I fixed it with the following commands in Bash (inside the Azure Portal). Only 2 commands. Only copy and paste the bold commands. Regards.
Assign the Owner role at the tenant root scope ("/") to the current user (runs as a User Access Administrator; gets the object ID of the signed-in user from az login):
az role assignment create --scope '/' --role 'Owner' --assignee-object-id "$(az ad signed-in-user show --query id --output tsv)" --assignee-principal-type User
(Optional) Assign the Owner role at the tenant root scope ("/") to a service principal (set spn_displayname to your service principal's display name):
spn_displayname='<ServicePrincipal DisplayName>'
# Azure CLI 2.37 and later return the object ID as "id" (the old "objectId" property no longer exists); "[0]" guards against several service principals sharing a display name.
az role assignment create --scope '/' --role 'Owner' --assignee-object-id "$(az ad sp list --display-name "$spn_displayname" --query '[0].id' --output tsv)" --assignee-principal-type ServicePrincipal
Omar Jiménez Gómez 1 Reputation point
2021-06-23T19:22:42.05+00:00 Following the steps here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md
I was able to complete step 1 but step 2 is not working:
PS /home/omar> Set-AzContext -Tenant 'xxxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a'
Name: Visual Studio Enterprise Subscription (…   Account: xxxx@Stuff .com   SubscriptionName: Visual Studio Enterprise…   Environment: AzureCloud   TenantId: xxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a
PS /home/omar> $user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
PS /home/omar> New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
New-AzRoleAssignment: Cannot validate argument on parameter 'ObjectId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
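The two procedures above (the Bash one-liners and the PowerShell steps from the Enterprise-Scale prerequisites) both end in the same place: an Owner assignment at the tenant root scope. The script below is an added example, not code from the thread or from the Enterprise-Scale docs. It does the whole sequence in Az PowerShell and handles the failure shown in the answer above, where Get-AzADUser -UserPrincipalName returned nothing and $user.Id was null (typical for guest accounts, whose directory UPN is user_contoso.com#EXT#@tenant.onmicrosoft.com rather than the sign-in name). It assumes Az.Accounts 2.x (Invoke-AzRestMethod) and Az.Resources 5.x or later, where Get-AzADUser has a -SignedIn switch; the -ServicePrincipalDisplayName parameter is an optional extra for the service-principal case.

```powershell
# Added example (not from the original thread or the Enterprise-Scale project).
# Grants Owner at the tenant root scope '/' to the signed-in Global Administrator,
# and optionally to a service principal, without relying on UPN lookup.
# Assumes: Az.Accounts 2.x, Az.Resources 5.x+ (Microsoft Graph-based AD cmdlets),
# and that Connect-AzAccount -Tenant <tenantId> has already been run.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [string] $ServicePrincipalDisplayName   # optional, hypothetical parameter
)

$ErrorActionPreference = 'Stop'
Set-AzContext -Tenant $TenantId | Out-Null

# 1. Elevate access: Global Administrator -> User Access Administrator at '/'.
#    No Az cmdlet exists for this; it is a one-off ARM REST call and is idempotent.
$elevate = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($elevate.StatusCode -notin 200, 201) {
    throw "elevateAccess failed with HTTP $($elevate.StatusCode): $($elevate.Content)"
}

# 2. Resolve the signed-in user's object ID directly instead of by UPN.
#    Get-AzADUser -UserPrincipalName returns nothing for guest (B2B) accounts,
#    which is how $user.Id ends up null in the error above.
$user = Get-AzADUser -SignedIn
if (-not $user -or [string]::IsNullOrEmpty($user.Id)) {
    throw "Could not resolve the signed-in user; check (Get-AzContext).Account"
}

# 3. Build the list of principals that need Owner at '/'.
$principals = @(@{ Name = $user.UserPrincipalName; Id = $user.Id })
if ($ServicePrincipalDisplayName) {
    $sp = Get-AzADServicePrincipal -DisplayName $ServicePrincipalDisplayName
    if (-not $sp) { throw "Service principal '$ServicePrincipalDisplayName' not found" }
    if (@($sp).Count -gt 1) { throw "Display name '$ServicePrincipalDisplayName' is ambiguous" }
    $principals += @{ Name = $sp.DisplayName; Id = $sp.Id }
}

# 4. Create the Owner assignment at '/' only when it is missing
#    (New-AzRoleAssignment fails on a duplicate assignment).
foreach ($p in $principals) {
    $existing = Get-AzRoleAssignment -Scope '/' -ObjectId $p.Id -RoleDefinitionName 'Owner' |
        Where-Object { $_.Scope -eq '/' }
    if ($existing) {
        Write-Host "Owner at '/' already assigned to $($p.Name)"
        continue
    }
    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $p.Id | Out-Null
    Write-Host "Granted Owner at '/' to $($p.Name)"
}

# 5. Verify: list every root-scope assignment held by the principals touched here.
foreach ($p in $principals) {
    Get-AzRoleAssignment -Scope '/' -ObjectId $p.Id |
        Where-Object { $_.Scope -eq '/' } |
        Select-Object RoleDefinitionName, Scope, ObjectId
}
```

Owner at '/' is tenant-wide and inherited by every management group and subscription, and the User Access Administrator assignment created by elevateAccess stays until it is removed. Once the Enterprise-Scale deployment has succeeded, remove both with Remove-AzRoleAssignment -Scope '/' -ObjectId $user.Id -RoleDefinitionName 'Owner' (and likewise for 'User Access Administrator'), or at least replace the Owner assignment with one at the management group the deployment actually targets.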