Authorization error from deploying management group to tenant using az cli with owner/contributor role.

Olawale, Ajayi eHS 0 Reputation points

Below is the error I got trying to deploy a new management group.

I have the Contributor role on my service principal.

{"code": "AuthorizationFailed", "message": "The client '' with object id '' does not have authorization to perform action 'Microsoft.Management/managementGroups/Microsoft.Management/UAT/Microsoft.Resources/testuat/action' over scope '/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementGroups/UAT/providers/Microsoft.Resources/deployments/testuat/validate' or the scope is invalid. If access was recently granted, please refresh your credentials."}


1 answer

  1. Prashant Kumar 75 Reputation points Microsoft Employee

    Hi Ajayi,

    To create a deployment at any scope, you would need permissions to create and manage deployments at that scope. So, if you are deploying at the tenant level, you need deployment permissions at tenant scope. Contributor has that permission.

    As you are creating MG at tenant scope, contributor role would need be enough at tenant scope. You need role.

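The error in the question ends with "or the scope is invalid", so before changing any role assignment it helps to check whether the scope string is well formed. The following is an added example, not code from the original thread or from Microsoft: it parses the error body quoted in the question and reports the scope level and any structural problem. The function names and the reading of a repeated management group prefix as a full resource ID supplied in place of a bare group ID are assumptions.

```python
import json
import re

# Error body copied from the question on this page (client and object id are blank there).
SAMPLE_ERROR = '''{"code": "AuthorizationFailed", "message": "The client '' with object id '' does not have authorization to perform action 'Microsoft.Management/managementGroups/Microsoft.Management/UAT/Microsoft.Resources/testuat/action' over scope '/providers/Microsoft.Management/managementGroups/providers/Microsoft.Management/managementGroups/UAT/providers/Microsoft.Resources/deployments/testuat/validate' or the scope is invalid. If access was recently granted, please refresh your credentials."}'''

MG_PREFIX = "/providers/Microsoft.Management/managementGroups"

def parse_authorization_failed(body):
    """Pull the code, action and scope out of an ARM AuthorizationFailed body."""
    err = json.loads(body)
    err = err.get("error", err)  # tolerate a wrapping {"error": {...}} object
    msg = err.get("message", "")
    action = re.search(r"perform action '([^']*)'", msg)
    scope = re.search(r"over scope '([^']*)'", msg)
    return {
        "code": err.get("code"),
        "action": action.group(1) if action else None,
        "scope": scope.group(1) if scope else None,
    }

def check_scope(scope):
    """Return (level, problems) for a scope string taken from the error."""
    if scope == "/":
        return "tenant", []
    problems = []
    if scope.startswith(MG_PREFIX + "/"):
        level = "managementGroup"
        group_id = scope[len(MG_PREFIX) + 1:].split("/", 1)[0]
        # Assumption: a repeated prefix means a full resource ID was supplied
        # where a bare management group ID was expected.
        if group_id == "providers" or scope.count(MG_PREFIX) > 1:
            problems.append("management group prefix appears more than once")
    elif scope.startswith("/subscriptions/"):
        level = "resourceGroup" if "/resourceGroups/" in scope else "subscription"
    else:
        level, problems = "unknown", ["unrecognised scope prefix"]
    return level, problems

def diagnose(body):
    """Separate 'the scope is invalid' from 'a role assignment is missing'."""
    parsed = parse_authorization_failed(body)
    level, problems = check_scope(parsed["scope"] or "")
    verdict = "fix-scope-first" if problems else "check-role-assignment-at-scope"
    return {**parsed, "level": level, "problems": problems, "verdict": verdict}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR), indent=2))
```

A verdict of `fix-scope-first` means the scope string itself should be corrected before any role assignment is reviewed; `check-role-assignment-at-scope` means the scope parses cleanly and the principal's role at that level is the thing to inspect.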