How do I deploy the Landing Zone accelerator with proper authorization within a learn module using a personal Microsoft account?

Question

How do I deploy the Landing Zone accelerator with proper authorization within a learn module using a personal Microsoft account?

Arthur Simbarashe Nyikayaramba 5

I am trying to deploy the Landing Zone accelerator within a AZ 305 learn module using my personal Microsoft account with the default directory (personal_email.onmicrosoft.com. I created separate subscriptions but I am getting an error that reads: You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'. I am the owner of the account. I proceeded to upgrade my Azure subscription account to a Pay-As-You-Go to no joy. How can I deploy the LZ accelerator successfully from the module? The specific unit is AZ 305: Accelerate cloud adoption with the Microsoft Cloud Adoption Framework for Azure - Choose the best Azure landing zone.... - unit 8.

AmaranS 7,270 Reputation points Microsoft External Staff

2024-07-05T01:55:45.4766667+00:00

Hi Arthur Simbarashe Nyikayaramba,

Just checking in to see if you had got a chance to see the previous response. To benefit the community, find the right answers, please do mark the post which was helpful by clicking on Accept Answer. Has your issue been resolved? If you are still experiencing the problem, please inform us. We are happy to help you.
AmaranS 7,270 Reputation points Microsoft External Staff

2024-07-06T01:50:37.43+00:00

Hi Arthur Simbarashe Nyikayaramba,

Just checking in to see if you had got a chance to see the previous response. To benefit the community, find the right answers, please do mark the post which was helpful by clicking on Accept Answer. Has your issue been resolved? If you are still experiencing the problem, please inform us. We are happy to help you.
Devesh 80 Reputation points

2024-11-27T00:06:06.4266667+00:00
I too have same issue while following learn module while preparing for AZ-305 but the above solution does not provide resolution. Below is the scenario in my case:

I am the Global Administrator listed in my default Tenant along with Azure DevOps Administrator and Application Developer Roles. (I think this doesn't matter but mentioning it here for completeness.)

I have two Subscriptions with Pay-as-you-Go. In both subscriptions I have role set as Owner and User Access Administrator. I don't have any deny Roles setup neither I have any Classic Administrator Role. (PS: I would also like to know exact role that is required to work for Landing Zone Accelerator so that I can avoid setting Owner Access.)

I have Signed Out and Logged back in to ensure that my credentials are refreshed.

Ensured that in Policy I don't have any blocking policy. After following all these steps I am still getting the same Error Message: "You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'." Any suggestions on this as I am stuck on this for last 2 days.

2 answers

Your answer

AmaranS 7,270 Reputation points Microsoft External Staff

2024-07-05T01:55:45.4766667+00:00

Hi Arthur Simbarashe Nyikayaramba,

Just checking in to see if you had got a chance to see the previous response. To benefit the community, find the right answers, please do mark the post which was helpful by clicking on Accept Answer. Has your issue been resolved? If you are still experiencing the problem, please inform us. We are happy to help you.
AmaranS 7,270 Reputation points Microsoft External Staff

2024-07-06T01:50:37.43+00:00

Hi Arthur Simbarashe Nyikayaramba,

Just checking in to see if you had got a chance to see the previous response. To benefit the community, find the right answers, please do mark the post which was helpful by clicking on Accept Answer. Has your issue been resolved? If you are still experiencing the problem, please inform us. We are happy to help you.
Devesh 80 Reputation points

2024-11-27T00:06:06.4266667+00:00

I too have same issue while following learn module while preparing for AZ-305 but the above solution does not provide resolution. Below is the scenario in my case:

I am the Global Administrator listed in my default Tenant along with Azure DevOps Administrator and Application Developer Roles. (I think this doesn't matter but mentioning it here for completeness.)

I have two Subscriptions with Pay-as-you-Go. In both subscriptions I have role set as Owner and User Access Administrator. I don't have any deny Roles setup neither I have any Classic Administrator Role. (PS: I would also like to know exact role that is required to work for Landing Zone Accelerator so that I can avoid setting Owner Access.)

I have Signed Out and Logged back in to ensure that my credentials are refreshed.

Ensured that in Policy I don't have any blocking policy. After following all these steps I am still getting the same Error Message: "You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'." Any suggestions on this as I am stuck on this for last 2 days.

Answer 1

Hi Arthur Simbarashe Nyikayaramba,

Thank you for asking this question on the Microsoft Q&A Platform.

To rectify the issue, kindly proceed with the following steps:

Before you deploy the Azure landing zone accelerator, you need to create two Azure subscriptions: A networking subscription to host networking & connectivity assets and an identity subscription to host identity and access management assets.

Ensure that your personal Microsoft account (associated with your default directory like personal_email.onmicrosoft.com) has the necessary Azure role assignments. As you mentioned you are the owner, verify that this role has sufficient permissions. Typically, the Owner role should allow all actions by default, but sometimes custom RBAC (Role-Based Access Control) configurations or policy assignments can restrict specific actions.

Since you've already upgraded your Azure subscription to Pay-As-You-Go, ensure that this subscription is the one you are using in your Azure portal when attempting the deployment. Sometimes, there might be multiple subscriptions and the context could be set to a different subscription than the one you upgraded.

Additionally,consider using a free Azure trial as it provides full access to Azure features, allowing you to deploy the LZ accelerator for learning purposes. · Here's how to set up a free trial: https://azure.microsoft.com/en-us/free

If you encounter any future issues, please feel free to contact us, and we will be pleased to assist you further.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

AmaranS 7,270 Reputation points Microsoft External Staff

2024-11-29T15:21:29.2966667+00:00

Hi Devesh,

Thank you for asking this question on the Microsoft Q&A Platform.

To rectify the issue, kindly proceed with the following steps:

Before you deploy the Azure landing zone accelerator, you need to create two Azure subscriptions: A networking subscription to host networking & connectivity assets and an identity subscription to host identity and access management assets.

Ensure that your personal Microsoft account (associated with your default directory like personal_email.onmicrosoft.com) has the necessary Azure role assignments. As you mentioned you are the owner, verify that this role has sufficient permissions. Typically, the Owner role should allow all actions by default, but sometimes custom RBAC (Role-Based Access Control) configurations or policy assignments can restrict specific actions.

Since you've already upgraded your Azure subscription to Pay-As-You-Go, ensure that this subscription is the one you are using in your Azure portal when attempting the deployment. Sometimes, there might be multiple subscriptions and the context could be set to a different subscription than the one you upgraded.

Additionally, consider using a free Azure trial as it provides full access to Azure features, allowing you to deploy the LZ accelerator for learning purposes. · Here's how to set up a free trial: https://azure.microsoft.com/en-us/free

If you encounter any future issues, please feel free to contact us, and we will be pleased to assist you further.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

Answer 2

Devesh 80

I also had the same problem and was able to solve it by following this article: https://luke.geek.nz/azure/you-don-t-have-authorization-to-perform-action-microsoft.resources-deployments-validate-action/

Key query that I had to use was executing:

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

Also do remember to revert it to previous state (also mentioned in the link). Hope it helps people in future.

Share via

How do I deploy the Landing Zone accelerator with proper authorization within a learn module using a personal Microsoft account?

2 answers

Your answer