Role Assignment error

Hari Vidya Sankar 1 Reputation point
2021-05-18T11:37:02.917+00:00

Hi,

I logged in as a Global Administrator and was trying to assign a role, and I am getting the following error:

New-AzRoleAssignment : The client 'email id' with object id 'axxx'
does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope
'/providers/Microsoft.Authorization/roleAssignments/xx' or the scope is invalid. If
access was recently granted, please refresh your credentials.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

3 answers

  1. Saurabh Sharma 23,791 Reputation points Microsoft Employee
    2021-05-21T17:42:51.387+00:00

    Hi @Hari Vidya Sankar ,

    You need to have "User Access Administrator" or "Owner" permissions to assign specific roles to a resource, as these roles have the Microsoft.Authorization/roleAssignments/write permission, which a Global Administrator normally doesn't have. A GA can manage all aspects of Azure AD, but for managing resources you need other RBAC permissions. Here is the documentation for your reference.

    Please let me know if you have any other questions.

    Thanks
    Saurabh

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
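
One way to check the point made in the answer above before running New-AzRoleAssignment (an added example, not part of the original thread): list the roles the signed-in user holds at a scope and test whether any of them grants Microsoft.Authorization/roleAssignments/write. The function name Test-CanWriteRoleAssignment and the subscription ID are hypothetical placeholders; the Az.Accounts and Az.Resources modules and an active Connect-AzAccount session are assumed.

```powershell
# Added example, not from the original thread.
# Assumes Az.Accounts + Az.Resources and an existing Connect-AzAccount session.
function Test-CanWriteRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        # Defaults to the account of the current Az context.
        [string] $SignInName = (Get-AzContext).Account.Id
    )

    $needed = 'Microsoft.Authorization/roleAssignments/write'

    # Assignments for this user that are effective at $Scope
    # (assigned at that scope or at a scope above it).
    $assignments = Get-AzRoleAssignment -SignInName $SignInName -Scope $Scope

    foreach ($ra in $assignments) {
        $def = Get-AzRoleDefinition -Id $ra.RoleDefinitionId -Scope $Scope

        # Role actions use * wildcards (for example "*" on Owner or
        # "Microsoft.Authorization/*" on User Access Administrator).
        # -like evaluates them case-insensitively against the needed action.
        $allowed = $def.Actions    | Where-Object { $needed -like $_ }
        $denied  = $def.NotActions | Where-Object { $needed -like $_ }

        [pscustomobject]@{
            Role          = $ra.RoleDefinitionName
            AssignedAt    = $ra.Scope
            CanAssignRole = ([bool]$allowed -and -not $denied)
        }
    }
}

# Placeholder subscription ID; replace with the scope you want to assign at.
Test-CanWriteRoleAssignment -Scope '/subscriptions/00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

An empty result, or no row with CanAssignRole set to True, means none of the roles returned for the user at that scope carries the write permission named in the error. Assignments held only through group membership may not appear in this listing, and deny assignments are not evaluated.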


  2. Mahmoud A. ATALLAH 201 Reputation points MVP
    2024-02-28T05:09:46.5266667+00:00

    Check that you're currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission, such as Role Based Access Control Administrator, at the scope you're trying to assign the role, or assign the Owner role. However, this is not a best practice as security principals


  3. Mahmoud A. ATALLAH 201 Reputation points MVP
    2024-02-28T05:13:17.6266667+00:00

    Check that you're currently signed in with a user that is assigned a role that has the Microsoft.Authorization/roleAssignments/write permission, such as Role Based Access Control Administrator, at the scope you're trying to assign the role, or assign the Owner role. However, this is not a best practice as security principals
