Not enough permissions to deploy Azure Resource Manager

Question

Not enough permissions to deploy Azure Resource Manager

Anonymous

I am trying to integrate Azure APIM with Stripe following this link: https://github.com/microsoft/azure-api-management-monetization/blob/main/documentation/stripe-deploy.md
However, I am not able to deploy 'Deploy the Azure monetization resources' step as I run into an issue when I am trying to deploy to Azure. User's image

<code style="white-space: pre-wrap"><div>Deployment failed with multiple errors: 'Authorization failed for template resource '8f4e1cf9-9344-5889-ad33-1c15dd633351' of type 'Microsoft.Authorization/roleAssignments'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Authorization/roleAssignments/8f4e1cf9-9344-5889-ad33-1c15dd633351'.:Authorization failed for template resource 'apim-stripe-demo-plan' of type 'Microsoft.Web/serverfarms'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/serverfarms/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/serverfarms/apim-stripe-demo-plan'.:Authorization failed for template resource 'apim-stripe-demo-app' of type 'Microsoft.Web/sites'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/apim-stripe-demo-app'.:Authorization failed for template resource 'apim-stripe-demo-app/appsettings' of type 'Microsoft.Web/sites/config'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/config/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/apim-stripe-demo-app/config/appsettings'.'</div><br> (Code: InvalidTemplateDeployment)</code>
This is the error I am running into. Could you please tell me what the admin of this account should do to give me enough permissions.
This could be:

A list of instructions they need to follow or
A powershell script to grant mmyuser id the access I need

Anonymous

2025-08-13T10:55:02.0433333+00:00
Hi Mansahaj Popli,

Thanks for bringing your question to Microsoft Q&A.

Thanks for sharing the updated error. This is essentially the same issue as you faced earlier, but now it’s clear that the deployment is still failing on the four operations that was mentioned in error Microsoft.Authorization/roleAssignments/write, Microsoft.Web/sites/config/write, Microsoft.Web/sites/write , Microsoft.Web/serverfarms/write

Why it fails :

Role Assignment requires Owner-The ARM template requires creating a role assignment, which only the Owner role can perform, Contributor permissions are insufficient.

Propagation Delay-Even if your admin recently added Owner or Contributor roles, it can take 10–15 minutes to propagate.

Resource Providers-If Microsoft.Authorization or Microsoft.Web providers are not registered, deployment fails.

Scope mismatch-If your Owner/Contributor role is only at the resource group, but the template tries to create a role assignment at subscription scope, it will fail

Recommended actions to resolve the issue:

1.Ask admin to give you Owner at subscription scope temporarily

This covers:

Role assignments

App Service Plan creation

Web App creation

App settings updates

2.Ensure resource providers are registered

Run in PowerShell or Azure CLI:

Register-AzResourceProvider -ProviderNamespace Microsoft.Authorization

Register-AzResourceProvider -ProviderNamespace Microsoft.Web

Refer: https://learn.microsoft.com/en-us/powershell/module/az.resources/register-azresourceprovider?view=azps-14.3.0

3.Wait 10–15 minutes for permission propagation and Retry deployment

Now the template should succeed without permission errors

4.Using power shell

Connect to Azure

Connect-AzAccount

Variables

$subscriptionId = ""

$resourceGroupName = ""

$userObjectId = "" # Your Object ID

Select the subscription

Select-AzSubscription -SubscriptionId $subscriptionId

Step 1: Assign Owner role at subscription level (required for role assignments)

New-AzRoleAssignment -ObjectId $userObjectId -RoleDefinitionName "Owner" -Scope "/subscriptions/$subscriptionId"

Step 2: Ensure required resource providers are registered

Register-AzResourceProvider -ProviderNamespace Microsoft.Authorization

Register-AzResourceProvider -ProviderNamespace Microsoft.Web

Write-Output "Permissions assigned and resource providers registered. Deployment should now succeed."

I hope the provided guidance is helpful; if not, please feel free to ask any further questions here, and I’ll be happy to assist.

Answer accepted by question author

Vinodh247-1375 43,101 Volunteer Moderator

Hi ,

Thanks for reaching out to Microsoft Q&A.

The deployment is failing because your account does not have the permissions to:

Assign roles (Microsoft.Authorization/roleAssignments/write)

Create or update App Service Plans (Microsoft.Web/serverfarms/write)

Create or update App Services (Microsoft.Web/sites/write)

Update App Service settings (Microsoft.Web/sites/config/write)

In Azure, these actions require Contributor or Owner permissions at the subscription or resource group level (and in the case of role assignments, you also need User Access Administrator rights).

Admin should:

Grant you the required roles at the right scope
- Scope: Either at the subscription level or at the specific resource group (apim-resource) where you are deploying.
- Roles required:
- Contributor - lets you create/update resources like App Service Plans, App Services, configs.
- User Access Administrator - lets you assign roles during the deployment.
Contributor - required to create/update Azure resources during the ARM template deployment.
User Access Administrator - required because your template is also creating role assignments for service principals. Without this, deployment will fail even if you have Contributor.

Option 1 -> Azure Portal

Go to Azure Portal > Subscriptions > select the subscription you are using.
In the left menu, click Access control (IAM).
Click Add > Add role assignment.
Search for and assign:
- Contributor role to your user (******@aem.eco)
- User Access Administrator role to your user
Set Scope to:
- Subscription level (best if you will do multiple deployments), or
- Resource group level (apim-resource) if they want to limit your access.

Option 2 -> Using Powershell

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

0 comments

1 additional answer

Your answer

Answer 1

<code id='' style='white-space:pre-wrap'><div>Deployment failed with multiple errors: 'Authorization failed for template resource '9f1fc44c-58b0-5662-a503-7099cd3dcfd1' of type 'Microsoft.Authorization/roleAssignments'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Authorization/roleAssignments/9f1fc44c-58b0-5662-a503-7099cd3dcfd1'.:Authorization failed for template resource 'stripe-for-apim-plan' of type 'Microsoft.Web/serverfarms'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/serverfarms/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/serverfarms/stripe-for-apim-plan'.:Authorization failed for template resource 'stripe-for-apim-app' of type 'Microsoft.Web/sites'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/stripe-for-apim-app'.:Authorization failed for template resource 'stripe-for-apim-app/appsettings' of type 'Microsoft.Web/sites/config'. The client '******@aem.eco' with object id '9ec059a9-e8d6-4f06-95f6-614364e071fd' does not have permission to perform action 'Microsoft.Web/sites/config/write' at scope '/subscriptions/fe1d7bd7-c1cc-4c82-b266-c0f860f94fea/resourceGroups/apim-resource/providers/Microsoft.Web/sites/stripe-for-apim-app/config/appsettings'.'</div></code></br> (Code: InvalidTemplateDeployment)

I tried deploying again after the admin gave me permissions but it is still not working

Share via

Not enough permissions to deploy Azure Resource Manager

1 additional answer

Your answer