
Permissions Issues

Anonymous
2025-10-02T11:45:26.1133333+00:00

Hi, we are facing permissions issues with our Azure services. We can not deploy our builds to webapp, can not see application insights, environment variables under the wepapp and many more.

See the following snapshots:

When trying to load environment variables: [screenshot]

When trying to deploy a build using Advanced Tools under the web app: [screenshot]

Application Insights: [screenshot]

I have checked and found that a FULL DENY ASSIGNMENT role is applied; see the following:

[screenshot]

I have opened a case with Azure, but the support engineer's last reply was that the case has been escalated to a specialist. I don't know what specialization is needed here; we have been facing the issue for a week.

Can anyone here look into it and help me resolve the issue?

Thanks

Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.


2 answers

  1. Praneeth Maddali 9,680 Reputation points Microsoft External Staff Moderator
    2025-10-03T03:40:57.76+00:00

    Hi Asad,

    Thank you @Jerald Felix for providing a clear explanation of the FULL DENY ASSIGNMENT issue. I’d like to include a few additional points to further clarify the resolution process and suggest more options while we wait for support.

    The issues you're experiencing with Application Insights, environment variables, WebApp deployments, and other Azure services are due to a Microsoft-enforced deny assignment called:

    "[UnusualActivity] Full Deny Assignment on All Users Added"

    This security measure is automatically applied by the system at the root level (either subscription or management group) to block all actions when unusual activity is detected, such as rapid resource creation, suspicious API usage, or behavior that may indicate abuse. This often occurs in free or student accounts, or during the initial account setup.

    Key points from your screenshots:

    • Deny assignment details: Applied to "All principals" (all users), with no exclusions, at the "Root (inherited)" scope. This blocks "allow" permissions granted by roles such as Owner or Contributor.
    • Error examples:
      • Application Insights: Denied access to Microsoft.Insights/components/.../read because of the deny assignment.
      • Environment variables: Read/Write permissions are required but are blocked.
      • Deployment: Shows "no subscriptions associated" since deny assignments override access.
    • This is a Microsoft-managed deny assignment, not a custom role or lock, so it's read-only for end-users.

    Deny assignments take precedence over allow-based role assignments and cannot be bypassed unless removed. They are intended for high-security scenarios, such as compliance or fraud prevention. (Reference: Microsoft Learn documentation on deny assignments.)

    Immediate Steps to Verify the Scope

    While waiting for support, you can check the deny assignment details:

    1. Azure Portal
      • Navigate to Subscriptions > Your Subscription > Access Control (IAM) > Deny Assignments tab
      • Search for "UnusualActivity" or your user/group object ID
      • Record the assignment ID, scope, and any excluded principals
    2. Azure CLI / PowerShell: If you still have access or can use a different account:

       ```shell
       az role assignment list --assignee <your-user-id> --include-deny
       ```

       ```powershell
       Get-AzDenyAssignment -Scope "/"
       ```

    Since this deny is enforced by Microsoft and not created by a user, you won't be able to remove it yourself—attempts through the portal, CLI, or PowerShell will result in authorization errors. The only way to resolve this is through Azure Support, which you've already started (good step—escalation to a specialist is standard for these cases). Here’s a clear resolution plan to share with your customer:

    1. Escalate and Follow Up on the Support Case
      • Reason: "UnusualActivity" flags require review by specialists due to security concerns. These are usually resolved within 1–3 business days after escalation, sometimes faster with clear supporting evidence.
      • Customer Steps:
        • Log in to the Azure Support Portal.
        • Locate the open case (search by title or ID; ask the customer to share the case number for coordination).
        • Reply to the latest engineer's message with:
          • Screenshots showing the deny assignment (from IAM > Deny assignments).
          • Error details (like the full JSON from failed API calls, if available via browser dev tools).
          • Proof of legitimate use: project description, confirmation of no suspicious activity (for example, "This is for internal development/testing; no external scripts or bulk creations").
          • Request: "Please review and remove the [UnusualActivity] Full Deny Assignment (ID: [insert ID from portal]) after verification."
        • If there's no response within 24 hours, create a new severity B (medium impact) case under Technical > Azure Subscriptions > RBAC and role assignments, referencing the original case.
      • Expected Result: Support will verify the account, remove the deny, and restore full access. There is no charge for this review.
    2. Temporary Solutions While Awaiting Resolution (Limited):
      • Use a New or Alternate Account: If possible, create a second Azure AD user within the same tenant and assign it the Owner role before the deny takes effect (though this may not work in this situation, it's worth trying):
        1. Go to Azure Portal > Microsoft Entra ID > Users > + New user (choose Member type, set up auto-password).
        2. Assign the Owner role: Subscriptions > Your subscription > IAM > + Add role assignment > Owner > select the new user.
        3. Log in as the new user and check access (for example, try deploying to a Web App).
        4. Note: If the deny is set at the tenant level, this may not work. This is not a permanent solution.
      • Switch to Pay-As-You-Go: Consider moving to a free trial account (with $200 credit) to continue working without interruption. If possible, export your resources using ARM templates.
      • Avoid Triggers: Temporarily pause any automation or scripts that could have caused the issue, such as those making a high number of API calls.
    3. Post-Resolution Prevention
      • Keep an eye on unusual activity alerts in Azure Monitor > Alerts.
      • Assign least-privilege roles, such as Contributor for developers instead of Owner.
      • Turn on Azure AD Identity Protection to help detect threats proactively.
      • Review IAM regularly and configure alerts for any new deny assignments.

    Reference:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal

    https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request

    https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount



  2. Jerald Felix 11,965 Reputation points Volunteer Moderator
    2025-10-02T12:40:41.7366667+00:00

    Hi Asad,

    Thanks for your question; sorry to hear about the ongoing permissions issues with your Azure App Service (e.g., deployments, Application Insights, environment variables). The "FULL DENY ASSIGNMENT" is an Azure RBAC deny assignment, which blocks actions (like write/deploy) even if your role assignments grant access. These are system-created (e.g., via Azure Policy, managed apps, or deployment stacks) and take precedence over allows, causing "access denied" errors. Since you've already opened a support case and it's escalated, that's the right path; specialists handle deny assignment removals when they're locked. In the meantime, here's how to troubleshoot and potentially resolve it.

    Steps to Identify and Resolve

    1. **List Deny Assignments**:
      • In Azure Portal, go to your resource (e.g., Web App or Resource Group) > Access control (IAM) > Deny assignments tab.
      • Look for assignments with "NotActions" or "DataActions" that block your operations (e.g., "Microsoft.Web/sites/write" for deployments).
      • Note the ID (e.g., starting with "deny-") and any linked policies or principals.
    2. **Check for Sources of Deny Assignments**:
      • **Azure Policy**: Go to **Policy** > **Assignments** and search for policies with "Deny" effect that apply to your scope (e.g., restricting deployments). If found, modify or remove the policy if you have permissions.
      • **Managed Applications/Deployment Stacks**: If your resources were created via managed apps or Bicep stacks, deny assignments protect them. Delete the managed app/stack to remove the deny (but back up first).
      • **Subscription or Management Group Level**: Elevate access (Global Admin) to check higher scopes: Azure AD > Enterprise applications or Subscriptions > IAM > Deny assignments.
    3. **Temporary Workarounds**:
      • **Elevate Access**: If you're a Global Admin, enable elevated access in Azure AD to manage deny assignments at root scope (/).
      • **New Resource Group**: As a test, create a new RG without the deny assignment and migrate your Web App there (use Azure CLI: `az webapp up` or portal export).
      • **RBAC Review**: Ensure your account has "Owner" or "Contributor" at the RG level, but remember denies override these.
    4. **If You Can't Remove It**:
      • Deny assignments can't be directly created/edited by users; they're Azure-managed. Escalate via your support ticket with deny assignment IDs and screenshots for faster resolution.
      • Reference docs: [Troubleshoot Azure RBAC](https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting) and [Deny Assignments](https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments).

    This should help pinpoint the block; often it's a policy or managed resource causing it. If you share the deny assignment ID or more details, I can refine this. Hang in there; support should resolve it soon!

    Best Regards,

    Jerald Felix

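Both answers come down to the same three questions about a deny assignment: does its scope cover the resource you are touching, does it name your principal (directly or through "All principals") without excluding you, and does the action you are attempting fall inside its Actions/DataActions minus NotActions/NotDataActions. The following is an added example, not code from either answer, from Microsoft, or from any project. It evaluates those rules offline over the JSON that a listing of Microsoft.Authorization/denyAssignments returns; the property names (denyAssignmentName, permissions, scope, doNotApplyToChildScopes, principals, excludePrincipals, isSystemProtected) follow that REST listing, while every GUID, scope, user id and deny name in the sample is a constructed placeholder.

```python
"""Evaluate Azure RBAC deny assignments offline against a caller, scope and action.

Added example; not from the Q&A thread or from Microsoft. Models the rules the
answers describe: a deny applies when its scope covers the target scope (child
scopes included unless doNotApplyToChildScopes), its principals include the
caller (the all-principals sentinel counts) and the caller is not excluded, and
the action matches permissions.actions minus permissions.notActions.
"""
import fnmatch
import json

# Sentinel id Azure uses for "All principals" in deny assignments.
ALL_PRINCIPALS = "00000000-0000-0000-0000-000000000000"

# Constructed sample listing in the shape of the denyAssignments REST response.
# All names, GUIDs, scopes and user ids below are placeholders.
SAMPLE_LISTING = json.dumps({"value": [
    {
        "name": "11111111-1111-1111-1111-111111111111",
        "properties": {
            "denyAssignmentName": "[UnusualActivity] Full Deny Assignment on All Users Added",
            "permissions": [{"actions": ["*"], "notActions": [],
                             "dataActions": ["*"], "notDataActions": []}],
            "scope": "/",                      # root: inherited by every subscription
            "doNotApplyToChildScopes": False,
            "principals": [{"id": ALL_PRINCIPALS, "type": "SystemDefined"}],
            "excludePrincipals": [],
            "isSystemProtected": True,
        },
    },
    {
        "name": "22222222-2222-2222-2222-222222222222",
        "properties": {
            "denyAssignmentName": "Deployment stack protection (constructed)",
            "permissions": [{"actions": ["*"], "notActions": ["*/read"],
                             "dataActions": [], "notDataActions": []}],
            "scope": "/subscriptions/sub-placeholder/resourceGroups/rg-web",
            "doNotApplyToChildScopes": False,
            "principals": [{"id": ALL_PRINCIPALS, "type": "SystemDefined"}],
            "excludePrincipals": [{"id": "user-excluded-placeholder", "type": "User"}],
            "isSystemProtected": True,
        },
    },
]})


def load_deny_assignments(listing_text):
    """Parse the JSON listing into its list of deny assignment objects."""
    return json.loads(listing_text)["value"]


def scope_covers(assignment_scope, target_scope, do_not_apply_to_children):
    """True if the deny's scope includes target_scope; scopes compare case-insensitively."""
    a = assignment_scope.lower().rstrip("/")   # root "/" normalises to ""
    t = target_scope.lower().rstrip("/")
    if a == t:
        return True
    if do_not_apply_to_children:
        return False
    return a == "" or t.startswith(a + "/")    # "/" boundary stops rg-web matching rg-web2


def principal_matches(props, principal_id):
    """The deny names the caller (directly or via All principals) and does not exclude them."""
    pid = principal_id.lower()
    named = any(p["id"].lower() in (pid, ALL_PRINCIPALS) for p in props.get("principals", []))
    excluded = any(p["id"].lower() == pid for p in props.get("excludePrincipals", []))
    return named and not excluded


def action_matches(patterns, action):
    """Azure action strings use '*' as a wildcard (it may span '/'); compare case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def permission_denies(permission, action, is_data_action=False):
    """An action is denied when it matches the deny's action list and not its not-list."""
    allow_key, not_key = (("dataActions", "notDataActions") if is_data_action
                          else ("actions", "notActions"))
    return (action_matches(permission.get(allow_key, []), action)
            and not action_matches(permission.get(not_key, []), action))


def find_blocking_denies(assignments, principal_id, target_scope, action, is_data_action=False):
    """Return the names of every deny assignment that would block this call."""
    blocking = []
    for assignment in assignments:
        props = assignment["properties"]
        if not scope_covers(props["scope"], target_scope, props.get("doNotApplyToChildScopes", False)):
            continue
        if not principal_matches(props, principal_id):
            continue
        if any(permission_denies(p, action, is_data_action) for p in props.get("permissions", [])):
            blocking.append(props["denyAssignmentName"])
    return blocking


def system_protected_names(assignments):
    """Denies users cannot remove themselves, i.e. the ones that need a support case."""
    return [a["properties"]["denyAssignmentName"]
            for a in assignments if a["properties"].get("isSystemProtected")]


if __name__ == "__main__":
    denies = load_deny_assignments(SAMPLE_LISTING)
    site = "/subscriptions/sub-placeholder/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1"
    for name in find_blocking_denies(denies, "user-dev-placeholder", site, "Microsoft.Web/sites/write"):
        print("deploy blocked by:", name)
    print("system-protected (support case needed):", system_protected_names(denies))
```

Feeding it a real listing is a matter of replacing SAMPLE_LISTING with the JSON you saved from the portal or an API call; a write to the web app in the sample is blocked twice (root UnusualActivity deny plus the resource-group deny), a read is blocked only by the root deny because the second one exempts `*/read`, and the excluded user escapes the second deny but not the root one, which is why the thread's Owner or Contributor assignments changed nothing.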
