User doesn't have permission to create deployment ARM template in Azure

Question

Using the 'Deploy to Azure' ARM template link from: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

Getting the errror:
The client 'live.com# target="_blank" href="mailto:xxx@Stuff .com" title="Email xxx@Stuff .com">xxx@Stuff .com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

Answer 1

Hi all,

for anybody having the same issue.

@Jim Britt [MSFT] provided the correct answer:
Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

which state that you need to:

1. Elevate Access to manage Azure resources in the directory
2. Grant Access to User at root scope "/" to deploy Enterprise-Scale reference implementation

this is due to Enterprise Scale requiring permission at tenant root scope "/" to be able to configure Management Group and create/move subscription. In order to grant permission at tenant root scope "/", users in "AAD Global Administrators" group can temporarily elevate access, to manage all Azure resources in the directory.

Answer 2

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory.

f you are a Global Administrator, there might be times when you want to do the following actions:

Regain access to an Azure subscription or management group when a user has lost access
Grant another user or yourself access to an Azure subscription or management group
See all Azure subscriptions or management groups in an organization
Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.

Please into Elevate access for a Global Administrator here:

https://learn.microsoft.com/es-es/azure/role-based-access-control/elevate-access-global-admin

Answer 3

Apologies, somehow my link didn't come through when I posted earlier. Has everyone followed this process to ensure you are setup properly?

https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

Answer 4

Appears you also need to assign role;

az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad user show -o tsv --query objectId --id '<replace-me>@<my-aad-domain.com>'

Answer 5

Please see the following article that explains the required configuration setup for Azure permissions before you can move forward on this deployment. They detail out the step by steps for configuring Azure permissions for ARM tenant deployments.

https://learn.microsoft.com/en-us/answers/questions/250370/user-doesn39t-have-permission-to-create-deployment.html