This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 93%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETE%3C/text%3E%3C/svg%3E)
Hi there,
I'm trying to create a DevOps pipeline for an Azure Function.
I'm an external user/Guest to a tenant.
In the tenant, there's one Security group which I am owner and that Security group has contributor access to two resource groups.
But when I try to create a pipeline from my tenant, It's giving me this error
Failed to set Azure permission 'RoleAssignmentId: ba8f4bc9-8fce-xxx-xxxxx-xxxxxxx' for the service principal '54dd-xxx-xxxx-xxxxxxxxxx' on subscription ID '548af2ae-xxx-xxxxxxxxxxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'hasin.xxxxxxxxx@' with object id '957d-5cxxxdxxxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/b4e3-c8xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
The Admin gave me User Administrator but it is still giving me the same error.
I can't find any Build In roles that can do this. Moreover this right is not in Microsoft.Authorization/roleAssignments/write custom roles right list.
I couldn't find any other way.
Any help would be appreciated.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
@HasinEshayat-7121, Microsoft respects your privacy. We request you not to share any PII information on the public forum (e.g. your subscription ID, phone number, email id -we have concealed these in your post).
Noted.
Thanks
You mention you were given the "User Administrator" right, assuming this is not a typo then it will not give you the rights you need, as this is an Azure AD role. What you need is "User Access Administrator", this and "Owner" are the only two built in roles with the Microsoft.Authorization/roleAssignments/write permission.
Hi Sam,
Thanks for your comment. I can't find the User Access Administrator role in the built-in Role list.
Moreover, this Microsoft.Authorization/roleAssignments/write permission right is not on the custom role right list. That's why admin couldn't give me the access.
Can you tell, how it can be done.
Thank you for your help.
You can find this role on your subscription
Thanks a lot.
That helped.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 13%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
Thanks for the clear description, this answered my question. This is not an optimal requirement. A developer in my organization usually only has permissions on resource groups. To handout "User Access Administrator" or "Owner" permissions on the entire subscription is no desirable, we probably need to involve one of our Azure admins to perform these steps or to create many subscriptions to separate access.
Saved us after removing old dev from system and secret expired. Thanks a ton!!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 45%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
could you check if the subscription subscription ID '548axxxe-xxxx-xxxxxxxxxx' is exactly the same where you are creating pipeline?
Hi Jay
Yes, It's the same.
Yes, It's the same.
Update: Edited the image to conceal PII information.