Azure CLI Register Action Failure

Question

We have an Azure Compute Gallery in one of our subscriptions with a custom image. When I try, through the Portal, to create a VM from that image into a resource group every thing works fine. However when I try to use the Azure CLI with

az vm create --resource-group rg-XXX \
        --name Test \
        --image /subscriptions/XXXXXXXX-XXXX-XXXXXXXX/resourceGroups/rg-YYYY/providers/Microsoft.Compute/galleries/sig_lab_ZZZZ/images/img-AAAA

I get the message

{"code":"AuthorizationFailed","message":"The client '@xxx.xxx.xx' with object id 'xxxxxxxxxxxx' does not have authorization to perform action 'microsoft.automation/register/action' over scope '/subscriptions/xxxxxxxxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)","name":"BatchResponseItemError","stack":"BatchResponseItemError: The client '@xxxx.xxx.xx' with object id 'xxxxxxxx' does not have authorization to perform action 'microsoft.automation/register/action' over scope '/subscriptions/xxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.\n at t (https://portal.azure.com/Content/Dynamic/umzBJNodLdJO.js:41:815)\n at new t (https://portal.azure.com/Content/Dynamic/umzBJNodLdJO.js:61:11960)\n at https://portal.azure.com/Content/Dynamic/umzBJNodLdJO.js:61:4808"}

I know my image url is correct as I get a not found if I change one character in the URL. I do not understand as I am going to the same resource group that I use in the portal that works.

UPDATE: Have checked and my account has 'Compute Gallery Image Reader' on subscription, resource group and image gallery

Answer 1

Hello Mark Caple,

Thank you for posting your question in the Microsoft Q&A forum. 

The error indicates your account lacks permissions for Microsoft.Automation/register/action, which is unrelated to the Compute Gallery access but required for Azure resource provider operations. While your Compute Gallery Image Reader role grants image access, the CLI attempts to register the Microsoft.Automation provider during VM creation a step the Portal might handle implicitly. 

Solution Steps:

• Register the Automation Provider manually: 

bash 

az provider register --namespace Microsoft.Automation --subscription [Subscription-ID] 

Wait 5–10 minutes for propagation. 

• Grant Additional Permissions:  Request a subscription Owner or Contributor to assign: 

bash 

*az role assignment create --assignee [your-object-id] *     *--role "Contributor" *     --scope "/subscriptions/[Subscription-ID]" 

Alternatively, request Microsoft.Automation/register/action via a custom role. 

• Retry with Explicit Subscription:  Ensure your CLI session targets the correct subscription: 

bash 

az account set --subscription [Subscription-ID]  az vm create ... (original command) 

Why This Occurs: 

• The Portal auto-registers providers, while the CLI requires explicit permissions. 
• Compute Gallery Image Reader only covers image access, not VM deployment dependencies. 

If issues persist, verify Azure Policy isn’t blocking provider registration or VM creation. For immediate resolution, use the Portal or escalate permissions temporarily. 

Note: Replace placeholders ([Subscription-ID], [your-object-id]) 

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.