Landing zone template deployment fails -Directory. You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.

Tony Mosunmade 20 Reputation points

Why can't I deploy the template into an environment even though I have Global Administration privileges? What Permission set is needed to deploy an Arms Template?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,171 questions
{count} votes

Accepted answer
  1. James Hamil 22,886 Reputation points Microsoft Employee

    Hi @Tony Mosunmade , Global Administrator privileges in Azure Active Directory do not automatically grant permission to deploy ARM templates. To enable template deployments at the tenant scope, the Global Administrator must perform the following steps:

    1. Elevate account access so the Global Administrator can assign roles. For more information, see Elevate access to manage all Azure subscriptions and management groups.
    2. Assign Owner or Contributor role to the principal that needs to deploy the templates. You can use the following commands:

    For Azure PowerShell:

    New-AzRoleAssignment -SignInName "[userId]" -Scope "/" -RoleDefinitionName "Owner"

    For Azure CLI:

    az role assignment create --assignee "[userId]" --scope "/" --role "Owner"

    After completing these steps, the principal will have the required permissions to deploy the ARM template.

    Please let me know if you have any questions and I can help you further.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,


    1 person found this answer helpful.
    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Tony Mosunmade 20 Reputation points

    I have checked the permissions on the Subscription and the Resource group and double-checked that the Subscription is properly Linked with the Tennant and that Azure Active Directory is also associated with the Tennant. And still no success yet.

    0 comments No comments

  2. RevelinoB 2,775 Reputation points

    Hi Tony, If you have already checked the permissions on the Subscription and Resource group, and have confirmed that the Subscription is properly linked with the tenant and that Azure Active Directory is associated with the tenant, there may be other reasons why you cannot deploy the ARM template. I will specify some additional checks you can do: Check the deployment logs: You can review the deployment logs in the Azure Portal to see if there are any error messages that could explain why the deployment failed. Verify the ARM template syntax: Ensure that the ARM template syntax is correct and adheres to the Azure Resource Manager template specification. The Azure Resource Manager Template Validator tool can help you validate the syntax of the ARM template. Verify the ARM template parameters: Make sure that the ARM template parameters are correctly configured and match the configuration of the resources you are deploying. Verify the current state of the Azure resources: Confirm that the resources you are attempting to deploy do not already exist in the resource group or have been deleted. Trying to deploy resources that already exist can cause deployment failures. Double check for Azure service outages: See if there are any service outages impacting the Azure services you are trying to deploy. You can check the Azure Status page for any service issues that could be causing deployment failures. I hope this helps with your issue?

  3. ourmsdnadmin 0 Reputation points

    I'm running into same issue here, I'm GA of the tenant and I have Owner role at default Tenant Root Group. I also created custom role with 'Microsoft.Resources/deployments/validate/action'. and I assigned to my account.

    I'm trying to run ARM template to create another MG under Tenant root group per this link:

    but I get this error:

    You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.

    0 comments No comments