My Azure VPN failed. Now I cannot recreate it due to access rights

Jens Hjelte 0 Reputation points
2025-06-27T10:00:46.7333333+00:00

After activating the Entra ID on Azure, my VPN failed miserably. I never got it up and running, so I decided to delete it and recreate the connections.

However, I am not allowed to deploy it due to some authorization issue for me. I am the owner and admin, so I don't understand why.

Below is the message I have received. Can you please help me with what to fix?

/Jens

{"code":"DeploymentFailed","target":"/subscriptions/f13b5a59-72aa-4a38-a272-73bfb30eef6d/resourceGroups/Korpklinten/providers/Microsoft.Resources/deployments/Microsoft.VirtualNetworkGateway-20250627114130","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"LinkedAccessCheckFailed","message":"The client with object id 'e025694b-0a89-4c85-b762-69b4e6f78028' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/join/action' over scope '/subscriptions/f13b5a59-72aa-4a38-a272-73bfb30eef6d/resourceGroups/Korpklinten/providers/Microsoft.Network/publicIPAddresses/VPN-linkIP' or the scope is invalid. For details on the required permissions, please visit 'https://aka.ms/vngwroles'. If access was recently granted, please refresh your credentials."}]}

Azure Virtual Network

1 answer

  1. Deepanshu katara 16,790 Reputation points MVP Moderator
    2025-06-27T10:56:55.0833333+00:00

    Hello, welcome to MSQ&A

    This means your identity (or the identity used by the deployment) lacks the join/action permission on the Public IP resource.

    How to Fix It

    1. Check Role Assignment on the Public IP Resource
      • Go to the Azure Portal
      • Navigate to: Resource Groups > Korpklinten > Public IP Addresses > VPN-linkIP
      • Click Access Control (IAM) > Role assignments
      • Ensure your user (or the deployment identity) has a role that includes:
        • Microsoft.Network/publicIPAddresses/join/action
    2. Recommended Role:
      • Network Contributor role includes the required permission.
      • Assign it at the resource group level (Korpklinten) or directly on the Public IP resource.

    Helpful Link

    Microsoft’s official guidance on this permission: https://aka.ms/vngwroles

    Please check and let us know.

    Thanks

    Deepanshu
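
The check described in the answer can be reasoned through offline. The following is an added example, not code from the answer or from Microsoft: it parses a `LinkedAccessCheckFailed` error in the shape of the one in the question and evaluates which role assignments would authorize the denied action at that scope. The function names are hypothetical, the IDs are placeholders, and the role definitions are abridged copies typed in for the example.

```python
import fnmatch
import json
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/Korpklinten"
# Constructed error in the shape of the one in the question (IDs are placeholders).
SAMPLE_ERROR = json.dumps({"code": "DeploymentFailed", "details": [{
    "code": "LinkedAccessCheckFailed",
    "message": "The client with object id '11111111-1111-1111-1111-111111111111' "
               "does not have authorization to perform action "
               "'Microsoft.Network/publicIPAddresses/join/action' over scope '"
               + RG + "/providers/Microsoft.Network/publicIPAddresses/VPN-linkIP' "
               "or the scope is invalid."}]})
# Abridged role definitions, typed in for this example (not fetched from Azure).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Network Contributor": {"actions": ["Microsoft.Network/*"], "notActions": []},
}
DENIAL = re.compile(r"object id '(?P<principal>[^']+)'.*?perform action "
                    r"'(?P<action>[^']+)'.*?over scope '(?P<scope>[^']+)'", re.S)


def parse_denials(error_json):
    """Return principal, action and scope for each LinkedAccessCheckFailed detail."""
    found = []
    for detail in json.loads(error_json).get("details", []):
        m = DENIAL.search(detail.get("message", ""))
        if detail.get("code") == "LinkedAccessCheckFailed" and m:
            found.append(m.groupdict())
    return found


def role_allows(role, action):
    """Allowed when an actions pattern matches and no notActions pattern does."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role["actions"]) and not hit(role["notActions"])


def scope_covers(assigned, resource):
    """An assignment applies at its own scope and at everything beneath it."""
    a, r = assigned.rstrip("/").lower(), resource.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def granting_assignments(assignments, denial):
    """Assignments (role name, scope) that would have authorized the denied action."""
    return [(role, scope) for role, scope in assignments
            if scope_covers(scope, denial["scope"])
            and role_allows(ROLES[role], denial["action"])]
```

An empty result from `granting_assignments` means none of the listed assignments grants the action at that scope: each one either lacks a matching action pattern or sits on a scope that is not an ancestor of the Public IP.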

