This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 85%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKW%3C/text%3E%3C/svg%3E)
We're getting the following error 'The client 'f774a339-7628-49ff-9829-49c522b6d49c' with object id 'f774a339-7628-49ff-9829-49c522b6d49c' does not have the authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/3535caf0-dd76-4e49-8666-cdbb6f15aa55' or the scope is invalid. If access was recently granted, please refresh your credentials.' We've already given a Contributor role and added a few custom roles such as:
1.'Microsoft.Authorization//write', 2.'Microsoft.Authorization//read', 3.'Microsoft.Resources/subscriptions/', 4.'Microsoft.Resources/subscriptions/resourceGroups/', 5.'Microsoft.Resources/subscriptions/resourcegroups/resources/', 6.'Microsoft.Resources/subscriptions/resources/', 7.'Microsoft.Resources/subscriptions/locations/*'
Still facing the same issue.
If you go the subscription and Access Control (IAM ), "Check Access" , what does is show for access for that security principal you gave the permissions to?
I gave permissions to specific user, by selecting User,Group and service principal.
Hi, can you verify what access it has in the subscription?
I've provided Contributor role to the user, as shown in the image.
Also I've created custom roles, as mentioned in above message.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 44%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET5%3C/text%3E%3C/svg%3E)
In my case the search process not find my profile.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 64%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYI%3C/text%3E%3C/svg%3E)
In addition, make sure you have the right subscription context within your tenant. You can confirm and ensure the subscription is indeed the correct one from the overview page of the SQL server resource in Azure portal. Run the command below to set your context.
Set-AzContext -Subscription 3535caf0-dd76-4e49-8666-cdbb6f15aa55
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 27%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Setting the subscription in the context was what finally worked for me.
az account set --subscription "<subId>" if using Bash, otherwise see Yinka Idowu's 7/24/24 comment if using PowerShell: Set-AzContext -Subscription <subId>
The error is not related to the user but to the application. Kindly look for application/SPN name with client ID: 'f774a339-7628-49ff-9829-49c522b6d49c.
Navigate to the subscription > Choose the subscription > Add Role assignment > Reader > assign to the application SPN:
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 39%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Kudos! Worked like a charm!
Thank you for taking time to share your feedback.
Since we were able to clarify the response in the above answer, I request that you would "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Thanks,
Akshay Kaushik
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
I think I'm having the same issue even though I am using Azure Global Admin user in my subscription. Using the same user, I never had this issue before. Now, I even cannot edit/create/delete any resources in my subscription.
I attached my user roles in the following screenshot:
Any idea?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 35%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
This works. Just assign the service principal the role of reader and the api call works like a charm.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 80%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
make sure you are in the right subscription. after you login with "Connect-AzAccount" go to "Select-AzSubscription -SubscriptionName 'X'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 70%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
I am experiencing the same issue as mentioned above. I am the owner of the project, but I don’t understand why I don’t have any permissions to remove in deny assignment and I also don't have permission to add new role too.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 23%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Following the steps here helped me "https://learn.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication?tryIt=true&source=docs#code-try-1". I had to add a custom role from Azure Command shell to get access