Unable to Deploy LAPS app on Azure AD

Question

Hello all,

I am trying to Deploy a LAPS app.

I've Created the APP in my Azure Active Directory Portal, Now im trying to Deploy the app But I recieve the following error. (Picture attached).

I've tried to give some permissions in the API Permissions but it doesn't seem to help.

Answer 1

Hi aacc ,

I understand that you are trying to deploy a LAPS app and are receiving the following error:

"The client 'xxxxxxx' with object id 'xxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/write' over scope '/subscriptions/xxxx' or the scope is invalid.

You are receiving this error because the application needs to have RBAC access on the subscription itself (Azure roles) rather than just Azure AD roles and API permissions. See: Differences between Azure roles and Azure AD roles

You need to assign a role to the application at the Subscription scope. (To do this, your user account must also have the proper permission on the subscription.) In your case I believe the Contributor role should be sufficient for your needs. Steps to assign the role:

1. In the Azure portal, go to Subscriptions.
2. Search for and select the Subscription for which you want to assign the role.
3. Select Access Control
4. Select Add role assignment and select the role (i.e. Contributor)
5. Select User, group, or Service principal and select the application

Let me know if this helps and if you face any issues.

-

If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who might be researching similar questions.