Azure owner does not have enough permissions

Question

Azure owner does not have enough permissions

H Sharma 0

We have 3 subscriptions for which we have one owner. This owner does not have enough permissions to create another owner or access a container in a storage account that it just created.

For example, when I go to Entra Id (in Azure Portal, not the Entra portal) > Manage > Properties, everything is disabled.

When I go to the subscription scope in Azure Portal > IAM > View My Access, I have this condition attached:

Constrain roles and principals

Allow user to only assign roles you select
Allow user to only assign these roles to principals you select

When I tried to remove the condition and save it, I get this error:

Error updating role assignment: 36252b0e-d460-4afb-9ff5-d200cc6612b4, error: The client 'email' with object id 'id' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xyz/providers/Microsoft.Authorization/roleAssignments/xyz' or the scope is invalid. If access was recently granted, please refresh your credentials.

I tried exporting the role to json using Get-AzRoleDefinition and importing it back to a custom role after removing Microsoft.Authorization/*/Write . I got Forbidden response.

So, I am stuck. If anyone can help be resolve this, would appreciate.

Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-06-04T05:24:26.6533333+00:00

Hi @H Sharma,

I would greatly appreciate it if you could accept the answer and close this thread. By marking the correct answer, original posters help the community find solutions more quickly and efficiently. Your cooperation in this matter is invaluable to us all.

1 answer

Your answer

Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-06-04T05:24:26.6533333+00:00

Hi @H Sharma,

I would greatly appreciate it if you could accept the answer and close this thread. By marking the correct answer, original posters help the community find solutions more quickly and efficiently. Your cooperation in this matter is invaluable to us all.

Answer 1

Nandamuri Pranay Teja 3,700 Microsoft External Staff Moderator

Hello Hari Sharma

The ABAC condition on the owner’s role assignment is restricting the Microsoft.Authorization/roleAssignments/write action. You need to either remove the condition or ensure the user has sufficient permissions to perform the desired actions.

You require an account that possesses the capability to assign roles without the particular ABAC condition that is presently hindering your primary owner account.

Sign in to the Azure Portal as the owner.

Navigate to Subscriptions > Select the subscription > Access control (IAM) > Role assignments.

Locate the owner’s role assignment (filter by your user account or email).
Check the State column for any conditions (e.g., “Active with condition”).
Click the role assignment to view details of the ABAC condition, which likely specifies allowed roles or principals.

If you don’t have permissions to modify the role assignment, contact another user with higher privileges, such as Global Administrator with elevated access (via the Access management for Azure resources toggle in Entra ID). Another user with the User Access Administrator or Owner role at the subscription scope without restrictive ABAC conditions.

Ask them to:

Remove the ABAC condition from your Owner role assignment.

Alternatively, grant you the User Access Administrator role at the subscription scope, which includes Microsoft.Authorization/roleAssignments/write permissions.

To remove the condition:

Go to Subscriptions > Access control (IAM) > Role assignments.

Select the role assignment with the condition.
Edit or remove the condition via the Azure Portal

Note: If the subscription is managed under a management group, the condition might be applied at a higher scope, requiring access at that level.

References:

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. User's image

H Sharma 0 Reputation points

2025-05-30T17:10:15.21+00:00
Thank you for responding, Pranay.

If you don’t have permissions to modify the role assignment, contact another user with higher privileges, such as Global Administrator with elevated access (via the Access management for Azure resources toggle in Entra ID).

Unfortunately, this is the only user who is Owner on this subscription. No other user has this level of access.

To remove the condition:

That is also a problem, as I mentioned in my question:

When I tried to remove the condition and save it, I get this error:

Error updating role assignment: id, error: The client 'email' with object id 'id' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xyz/providers/Microsoft.Authorization/roleAssignments/xyz' or the scope is invalid. If access was recently granted, please refresh your credentials.

Essentially, this user, being the only one that has Owner access has locked itself out of certain actions, like creating a container in a new storage account and accessing it. Resources that existed prior to the RBAC transition are accessible as they are not affected by the condition.
H Sharma 0 Reputation points

2025-05-30T22:08:59.76+00:00

Update: I was able to resolve the issue with accessing a container that the owner created. The error on the portal did not have enough information to point to the issue. When accessed through Storage Browser, the error was clear: firewall and network rules were preventing access.

Thanks.
Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-06-03T06:21:00.2133333+00:00

Hi @H Sharma,

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Azure owner does not have enough permissions

Solution: Issue has been resolved by accessing container created by Owner. However, when it checked through Storage Bowser, it was clear where firewall and network rules were blocking access.

If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator

2025-06-04T18:53:48.88+00:00

Hi @H Sharma,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Azure owner does not have enough permissions

1 answer

Your answer