I'm unable to remove a deny assignment on users on my subscription

Obafemi Adesanya 0 Reputation points
2025-05-19T14:29:52.9933333+00:00

All users on my subscription are unable to create or assign resources. They always get the error shown in the attached image.
I have checked IAM -> Deny assignments on the subscription and it is read-only.


3 answers

  1. Michele Ariis 2,040 Reputation points MVP
    2025-05-19T14:48:34.3866667+00:00

    Hi, you can't delete a deny assignment in Azure because all of them are marked as IsSystemProtected = true, meaning they can’t be modified or removed manually, not even by a Subscription Owner. They're automatically created by services like Blueprints, Deployment Stacks, Managed Applications, Resource Guards, or ARO, and they stay in place as long as the related resource exists.

    If you get errors like “the client does not have authorization … because a deny assignment was found”, don’t try to remove the deny via the IAM blade—it won’t work. Instead, you need to identify its source:

    ```powershell
    Get-AzDenyAssignment | Select DenyAssignmentName,Description,Scope
    ```

    or

    ```bash
    az role assignment list --include-deny-assigned --output table
    ```

    Check the Description field for clues (e.g., created by Blueprint ‘xyz’, Deployment Stack ‘abc’, etc.). Then go to the portal and remove or modify that resource (e.g., delete the blueprint, change its locking mode, remove the stack, uninstall the managed app, etc.). Once it's gone, Azure will automatically delete the deny assignment and permissions will work again.

    If the Scope is a Management Group, you'll need a MG Owner to remove the source, or elevate your access temporarily (Global admin - Elevate access).

    1 person found this answer helpful.
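    The investigation step in the answer above, written out as an added PowerShell example (not the answerer's code). It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has already been run against the affected subscription; the keyword-to-source map is a hypothetical helper built from the services the answer names.

    ```powershell
    # Added example. Lists every deny assignment visible at subscription scope, labels
    # the probable creating service from the Description text, and shows which principals
    # it applies to. Deny assignments are created only by Azure services, so the Scope,
    # Description and IsSystemProtected values tell you which resource to remove or unlock.
    param(
        [string]$SubscriptionId = (Get-AzContext).Subscription.Id
    )

    # Hypothetical hint map (assumption): keywords seen in descriptions -> where to look.
    $sourceHints = @{
        'blueprint'        = 'Azure Blueprint assignment (Blueprints > Assigned blueprints; change lock mode or unassign)'
        'deployment stack' = 'Deployment Stack (change deny settings or delete the stack)'
        'managed app'      = 'Managed Application (uninstall or contact the publisher)'
        'resource guard'   = 'Backup Resource Guard (remove the guard association)'
        'openshift'        = 'Azure Red Hat OpenShift cluster resource group'
    }

    function Get-LikelySource([string]$description) {
        if (-not $description) { return 'Unknown - inspect the resource at Scope and its locks' }
        $lower = $description.ToLower()
        foreach ($key in $sourceHints.Keys) {
            if ($lower.Contains($key)) { return $sourceHints[$key] }
        }
        return 'Unknown - inspect the resource at Scope and its locks'
    }

    $denies = Get-AzDenyAssignment -Scope "/subscriptions/$SubscriptionId"
    if (-not $denies) { Write-Output "No deny assignments found at subscription scope."; return }

    foreach ($d in $denies) {
        [pscustomobject]@{
            Name              = $d.DenyAssignmentName
            Scope             = $d.Scope
            SystemProtected   = $d.IsSystemProtected        # true: cannot be deleted directly
            AppliesToChildren = -not $d.DoNotApplyToChildScopes
            # A system-defined "all principals" entry means the deny hits every user.
            Principals        = ($d.Principals | ForEach-Object { "$($_.Type):$($_.Id)" }) -join ', '
            ExcludedPrincipals = ($d.ExcludePrincipals | ForEach-Object { "$($_.Type):$($_.Id)" }) -join ', '
            DeniedActions     = ($d.Actions -join ', ')
            LikelySource      = Get-LikelySource $d.Description
            Description       = $d.Description
        }
    }
    ```

    Pipe the output to `Format-List` to read long Description values, and repeat with the management group scope if the Scope column points above the subscription.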

  2. Sanni Sunday 0 Reputation points
    2025-05-19T17:13:55.15+00:00

    @Michele Ariis so, after checking the unusual activities on the subscription, we found out that there has been malicious activity on the subscription. Some resources were created which we were trying to remove, but when removing them, the deny assignment error is still coming up. What can we do?


  3. Megan Truong 720 Reputation points Independent Advisor
    2025-05-23T06:35:38.7033333+00:00

    Hello @Obafemi Adesanya

    Based on the image and your description, the error message shown is not directly related to Azure subscription access, but rather to a synchronization issue in Azure AD Connect (specifically with the proxyAddresses attribute). However, your current issue is likely due to a deny assignment or missing role assignments at the subscription level.

    Even if you're the subscription owner, if there's a Deny Assignment in place, it will override all role assignments—even Owner or Contributor.

    You mentioned:

    "IAM → Deny assignments → it is read-only"

    This suggests that the deny assignment might have been created by Microsoft Defender for Cloud, Azure Blueprints, or Policy Initiatives, which can lock down resource creation.

    1. Check for Active Deny Assignments

    Go to Azure Portal → Subscriptions → Your Subscription → Access Control (IAM) → Deny assignments.

    If you see a deny assignment from Microsoft Security or Blueprint, it may be locking down resource creation. For further information, please visit this link: https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments?tabs=azure-portal#list-deny-assignments

    2. Check Azure Policy Assignments
    • Go to Azure Policy → Assignments.
    • Look for any policies that deny resource creation or enforce specific conditions.
    • Remove or modify the policy if it’s too restrictive.

    3. Check Management Group Inheritance

    If your subscription is part of a management group, it may be inheriting deny assignments or policies from the parent group.

    • Go to Management Groups → Select the parent group → Check IAM and Policy Assignments.

    4. Verify Role Assignments
    • Ensure users have the correct role assignments (e.g., Contributor, Owner) at the subscription or resource group level.
    • Go to IAM → Role assignments and confirm.

    Kindly let me know if any of these works for you and please let me know if you have any further questions or need clarifications.

    If I have answered your question, please accept this as the answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

    Best regards,

    Megan.

