Devops Pipeline

George Wolfi 286 Reputation points

Hi there,

I'm trying to create a DevOps pipeline for an Azure Function.

I'm an external user/Guest to a tenant.
In the tenant, there's one Security group which I am owner and that Security group has contributor access to two resource groups.

But when I try to create a pipeline from my tenant, It's giving me this error

Failed to set Azure permission 'RoleAssignmentId: ba8f4bc9-8fce-xxx-xxxxx-xxxxxxx' for the service principal '54dd-xxx-xxxx-xxxxxxxxxx' on subscription ID '548af2ae-xxx-xxxxxxxxxxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'hasin.xxxxxxxxx@' with object id '957d-5cxxxdxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/b4e3-c8xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.

The Admin gave me User Administrator but it is still giving me the same error.

I can't find any Build In roles that can do this. Moreover this right is not in Microsoft.Authorization/roleAssignments/write custom roles right list.

I couldn't find any other way.

Any help would be appreciated.


Not Monitored
Not Monitored
Tag not monitored by Microsoft.
27,024 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Sam Cogan 7,807 Reputation points MVP

    You mention you were given the "User Administrator" right, assuming this is not a typo then it will not give you the rights you need, as this is an Azure AD role. What you need is "User Access Administrator", this and "Owner" are the only two built in roles with the Microsoft.Authorization/roleAssignments/write permission.

    1 person found this answer helpful.

  2. Jai Verma 451 Reputation points

    could you check if the subscription subscription ID '548axxxe-xxxx-xxxxxxxxxx' is exactly the same where you are creating pipeline?

  3. George Wolfi 286 Reputation points

    Yes, It's the same.


    Update: Edited the image to conceal PII information.

    0 comments No comments