How to fix the problem of access in Azure Sandbox Environment

Question

az deployment group create \

--name $DeploymentName \

--template-file $templateFile

{"code": "AuthorizationFailed", "message": "The client 'live.com#******@gmail.com' with object id 'a10bb954-c709-49ef-9f75-0a7da54533e8' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/db63e310-2279-4738-a96f-52d65ba09d6a/resourcegroups/Concierge Subscription/providers/Microsoft.Resources/deployments/blanktemplate-27-Apr-2025' or the scope is invalid. If access was recently granted, please refresh your credentials."}

Answer 1

Hello,

Welcome to Microsoft Q&A,

The error means your account does not have enough permissions to deploy resources into the resource group or subscription you are targeting.

Your Azure account (the live.com#******@gmail.com) does not have sufficient RBAC (Role-Based Access Control) permissions on either:

• the Resource Group you are deploying to, or
• the Subscription level (if you are trying to deploy at a higher level).

Verify Permissions

You must have at least the Contributor or Owner role on the Resource Group you're deploying into.

• If it's missing: ask an admin in Azure to grant your account Contributor role on the Resource Group or Subscription.

Or sometimes your session token is stale if you were recently granted access. To refresh the credentials, try

az account clear
az login

Please Upvote and accept the answer if it helps!!

Answer 2

Hi Pulkit Saraf,

Thank you for reaching out to us on the Microsoft Q&A forum.

We understand that you are facing issues while performing an exercise in the sandbox environment.

Here are a few troubleshooting steps that might help resolve the issue:

1. Sign Out of the Azure Portal: Please make sure to completely sign out from the Azure portal used in the previous module, "Exercise - Create an Azure resource." This portal has an active Microsoft Learn sandbox directory with a Concierge subscription.
2. Sign Out of Azure Cloud Shell: Fully sign out from the Azure Cloud Shell sandbox or wait for the sandbox activation time to expire.
3. Activate a New Sandbox: Click on "Activate Sandbox" to start a new sandbox session. This will generate a default subscription called "Concierge subscription" along with a default resource group name starting with "learn." To avoid any browser-related issues, we suggest using a different browser or opening an incognito/private window.
4. Check Resource Group Name: Once you've signed back into the Azure portal, verify that the resource group name you're using in the "az vm create" command matches the one shown in the portal for your sandbox environment.
5. Refresh the Sandbox Environment: Since you may not have the permissions required to modify the sandbox environment and the error suggests an authorization issue, the best solution would be to refresh the Microsoft Learn sandbox environment. This will recreate the environment with the necessary permissions.
6. Follow Microsoft Learn Instructions: Be sure to follow the instructions provided in the Microsoft Learn exercise. These steps are specifically designed for the sandbox environment and often use Cloud Shell commands to avoid any permission issues. Ensure you're running the Azure CLI commands in the correct directory (Microsoft Learn Sandbox) and with the correct subscription selected.

Please note that the sandbox environment's permissions are preset and cannot be modified by users. The Concierge Subscription is automatically created for sandbox environments to provide the necessary resources, and due to the nature of this setup, deletion or modification of the subscription is restricted.

If you continue to experience any issues, feel free to share your concerns in the comments. We are here to assist you.

If you find this information helpful, please consider acknowledging it by clicking the "Upvote" and "Accept Answer" buttons.