Deny assignments has a developer blocked, is there a work around?

Question

Deny assignments has a developer blocked, is there a work around?

John Havenar 20

We are unable to find a work around to Deny assignments in our Subscription for a developer that is attempting to set up and deploy to our Azure Platform. There is no option to delete the Deny assignment within Azure. The user role apparently does not matter. The system note is that the user is doing an "Unusual Activity". This is a tad perplexing. Any thought/help is greatly appreciated. We have attempted online suggestions, so far to no avail.

Also the child tag is not relevant as none seemed appropriate, but one had to be selected.

John

Amit Kharkade 1 Reputation point

2025-05-08T05:35:29.57+00:00
Hello John Havenar,

Can you confirm if the following checks have been done, or if you can try the steps below to resolve the issue?

Check for Deny assignments at all possible scopes (subscription, resource group, and resource levels).

Review Azure AD security and sign-in logs to understand if unusual activity is related to security policies or conditional access.

Use Azure CLI/PowerShell to manage and review Deny assignments and role assignments.

Review Conditional Access Policies and any Azure AD roles that may be affecting the user.

If the issue persists, escalate to Microsoft Azure Support for further assistance.

If you found this information helpful, please click "Upvote" and "Accept Answer" to let us know.

Regards,
Amit Kharkade

Accepted answer

2 additional answers

Your answer

Amit Kharkade 1 Reputation point

2025-05-08T05:35:29.57+00:00

Hello John Havenar,

Can you confirm if the following checks have been done, or if you can try the steps below to resolve the issue?

Check for Deny assignments at all possible scopes (subscription, resource group, and resource levels).

Review Azure AD security and sign-in logs to understand if unusual activity is related to security policies or conditional access.

Use Azure CLI/PowerShell to manage and review Deny assignments and role assignments.

Review Conditional Access Policies and any Azure AD roles that may be affecting the user.

If the issue persists, escalate to Microsoft Azure Support for further assistance.

If you found this information helpful, please click "Upvote" and "Accept Answer" to let us know.

Regards,
Amit Kharkade

Answer 1

Hi John,

The system has automatically placed the Deny assignments due to detected potential strange activity. It may be a "false positive" or actual issue, but either way you need to contact support to have the block lifted.

Please create a subscription management support request so you can discuss with engineer and have them restore the subscription to normal status. Subscription support is free.

Please carefully follow my instructions below to create support request and avoid getting stuck in endless loop. Please let me know if you run into any issues.

1. Navigate to this link to start the process:

https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview

2. Click Create a support request button at top

User's image

3. If you see Support AI Assistant as shown below, click Switch to old experience button on right. If not, proceed to step #4

User's image

4. On left, enter re-enable subscription in the box and click Go

enter image description here

5. Select Subscription management and click Next

enter image description here

6. Select your subscription from the dropdown and click Next

7. At this point there will be a delay of several seconds, and then various options will be displayed. Click Create a support request button at the top. DO NOT CLICK any of the other options.

enter image description here

8. Fill out screen, Summary, Problem type: Re-enable my subscription, Problem subtype: Could not reactivate by self-service, then click Next button at bottom.

enter image description here

9. There will be another several second delay, and then some solutions will be displayed (this is similar to above). DO NOT CLICK any of the solutions, instead click on Return to support request button in upper left corner, similar to below

azure support request Return to support request

10. Now you are back at support case. Click Next button at bottom to continue to Additional details tab. Fill out information as required. Click Next to advance to Review + create tab, then click Create.

You should receive an automated email within a few minutes and then be contacted by support within 1 business day.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

John Havenar 20 Reputation points

2025-05-08T14:06:54.13+00:00

TP

The block is only on one specific User. Should we follow your instructions for just one User? Also we are unable to unblock the User as there are no buttons that populate for such. We are beginning to think that we need to elevate the User's access for them to configure and deploy the code that we will be using. Thoughts?
TP 119.4K Reputation points Moderator

2025-05-08T14:41:29.9066667+00:00

The block is only on one specific User. Should we follow your instructions for just one User? Also we are unable to unblock the User as there are no buttons that populate for such. We are beginning to think that we need to elevate the User's access for them to configure and deploy the code that we will be using. Thoughts?

You need to create support request and ask them to investigate reason block was triggered and remove Deny assignment for this user. If they think there is cause for concern they may push back and provide more details before removing Deny.There isn't more specific problem type/sub-type under Subscription management which is why I have you selecting re-enable subscription which conceptually is similar since subscriptions are disabled automatically due to suspicious activity detection.

If you have Standard or higher level support plan you could create Severity A or B case (if you think it is necessary) and potentially receive faster response, otherwise you can follow steps I posted above for Severity C case.

Under Standard you could go through Technical instead and select problem relating to RBAC Deny assignment, which is similar, but still not precisely your situation.

Answer 2

Hi

Deny assignments are basically Azure Policy assignment with deny effect. One option is to contact the administrator who has created these Azure policies and resolve the issue with him/her. In any case the policy assignment either needs to be removed or exemption to be created or exclusions. Only users with appropriate permissions on Azure Policies can do these actions. Note that Azure policies can be assigned at different scopes so the permissions should be valid for the scope those policies are assigned.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 3

Hello @John Havenar,

In addition to the information provided by @Stanislav Zhelyazkov , please refer to the below mentioned steps to remove the users from Deny Assignments list from Azure Portal.

Based on the error message what you are getting, I understand that your user account has been added to a Deny Assignments list at the root level.

Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.

Important

You can't directly create your own deny assignments. Deny assignments are created and managed by Azure to protect resources.

Prerequisites

To get information about a deny assignment, you must have:

Microsoft.Authorization/denyAssignments/read permission, which is included in most Azure built-in roles.

List deny assignments in the Azure portal

Follow these steps to list deny assignments at the subscription or management group scope.

In the Azure portal, open the selected scope, such as resource group or subscription.
Select Access control (IAM).
Select the Deny assignments tab (or select the View button on the View deny assignments tile). If there are any deny assignments at this scope or inherited to this scope, they'll be listed as mentioned in the below Screenshot. 4. To display additional columns, select Edit Columns. 5. Add a checkmark to any of the enabled items and then select OK to display the selected columns.

Delete deny assignments in the Azure portal

1.Please make sure that you are having a role with enough privileges, like Owner or User Access Administrator.

2.Under the Deny assignments tab, select the affected user account and then delete or Remove the affected user account from Deny assignments list.

For additional details, please refer to the below document for your reference.

List Azure deny assignments - Azure RBAC | Microsoft Learn

I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

John Havenar 20 Reputation points

2025-05-08T14:01:33.0066667+00:00

Sanoop in the Deny assignment tab the user shows but there is not a button to click on to delete or remove. This user is attempting to configure system and deploy code. Our understanding is that giving the user a Owner role for this task, and then removing this permission afterwards will not bypass the Deny assignment security protocol. Is this correct?
Sanoop M 3,075 Reputation points Microsoft External Staff Moderator

2025-05-09T01:04:30.35+00:00

Hello @John Havenar,

Thank you for your response.

Please note that instead of giving the affected user the Owner role, you can check with any of the other users where they are already having the Owner role or User Access Administrator role to perform the specific steps which I have mentioned above in my answer to delete the affected user from Deny Assignments list.

Please let me know if you have any queries.

Share via

Deny assignments has a developer blocked, is there a work around?

2 additional answers

Your answer