User don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

asked 2021-06-13T06:29:32.047+00:00
Rabia Mehta 6 Reputation points

Whenever a new user added to the directory tries to deploy custom Azure templates, they get the following validation error: "User don't have authorization to perform action 'Microsoft.Resources/deployments/validate/action'".

The following roles are already granted:

  1. Global Administrator access in Azure AD
  2. Owner role assignment at the subscription level
  3. Contributor access at management Group level

Also tried elevating access, but still facing the same issue.


3 answers

  1. answered 2021-06-14T22:52:33.5+00:00
    Marilee Turscak-MSFT 20,401 Reputation points Microsoft Employee

    If you have already elevated the access and granted the Owner role, another thing to confirm is that you have granted permission to do ARM template deployment at the tenant root (/) scope and completed the prerequisites described here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md


  2. answered 2021-06-23T19:22:42.05+00:00
    Omar Jiménez Gómez 1 Reputation point

    Hi @Marilee Turscak-MSFT,

    Following the steps here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

    I was able to complete step 1 but step 2 is not working:

```powershell
PS /home/omar> Set-AzContext -Tenant 'xxxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a'

Name Account SubscriptionName Environment TenantId

Visual Studio Enterprise Subscription (… xxxx@Stuff .com Visual Studio Enterprise… AzureCloud xxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a

PS /home/omar> $user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
PS /home/omar> New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
New-AzRoleAssignment: Cannot validate argument on parameter 'ObjectId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
```

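A corrected version of the two PowerShell steps from the answer above, added here as an example (it is not part of the original answer or of the Enterprise-Scale docs). Two points it makes explicit: elevating access only makes a Global Administrator a User Access Administrator at the root scope, whose permissions are `*/read` plus `Microsoft.Authorization/*`, so it does not by itself grant `Microsoft.Resources/deployments/validate/action`; the Owner assignment at `/` is what does. And the UPN lookup in the original transcript can return nothing (for example for guest accounts, whose directory UPN contains `#EXT#` and differs from the sign-in name), which leaves `$user.Id` null and produces exactly the "argument is null or empty" error shown. The example resolves the signed-in user through `Get-AzADUser -SignedIn` (Az.Resources 5.x or later), stops before `New-AzRoleAssignment` if that lookup fails, verifies the assignment, and shows the cleanup step. The tenant id is a placeholder.

```powershell
# Added example, not code from the original answer. Requires Az.Accounts and Az.Resources 5.x or later.
# Run as a Global Administrator (the question states the user already holds that role).
$tenantId = '<your-tenant-id>'   # placeholder: replace with your own tenant id
Set-AzContext -Tenant $tenantId | Out-Null

# Step 1 of the Enterprise-Scale setup: elevate access, which adds a User Access Administrator
# assignment for the caller at the tenant root scope ('/'). This grants role management only.
$elevate = Invoke-AzRestMethod -Method POST -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($elevate.StatusCode -ne 200) {
    throw "elevateAccess failed with HTTP $($elevate.StatusCode): $($elevate.Content)"
}

# Resolve the signed-in user via the Graph /me endpoint rather than by UPN.
# Get-AzADUser -UserPrincipalName (Get-AzContext).Account returns nothing when the sign-in
# name does not match the directory UPN (guest accounts are the usual case), and then
# $user.Id is null, which is the error shown in the transcript above.
$user = Get-AzADUser -SignedIn
if (-not $user -or -not $user.Id) {
    throw 'Could not resolve the signed-in user. Check that Az.Resources 5.x or later is installed and that you are signed in as a user, not a service principal.'
}

# Step 2: Owner at the tenant root scope. This assignment is inherited by every management
# group and subscription in the tenant, so it should be removed once the tenant-level
# deployment is finished.
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id | Out-Null

# Verify: deployments/validate at tenant scope succeeds only if Owner (or another role that
# includes Microsoft.Resources/deployments/*) applies at '/'.
$rootOwner = Get-AzRoleAssignment -Scope '/' -ObjectId $user.Id |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq '/' }
if (-not $rootOwner) { throw 'Owner assignment at / was not found' }
$rootOwner | Format-Table DisplayName, RoleDefinitionName, Scope

# Cleanup after the deployment: drop the elevated User Access Administrator assignment at '/'
# (and the Owner assignment, if it is no longer needed). Uncomment when finished.
# Remove-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator' -ObjectId $user.Id
# Remove-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
```

If `Get-AzADUser -SignedIn` is not available (older Az.Resources), the same null check still applies to whatever lookup you use: fail before `New-AzRoleAssignment` rather than let it reject an empty `-ObjectId`.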

  3. answered 2022-11-02T14:03:20.173+00:00
    Ezequiel Gustavo Muñoz 46 Reputation points

    Hi, I had the same problem but I fixed it with the following commands in Bash (inside the Azure Portal). Only 2 commands. Only copy and paste the bold commands. Regards.

```bash
# Assign the Owner role at the tenant root scope ("/") as a User Access Administrator to the
# current user (gets the object id of the current user from `az login`)
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query id --output tsv) --assignee-principal-type User

# (optional) Assign the Owner role at the tenant root scope ("/") as a User Access Administrator
# to a service principal (set spn_displayname to your service principal's display name).
# The property is 'id', not 'objectId', since Azure CLI 2.37 moved the 'az ad' commands to
# Microsoft Graph; the display name is quoted so names containing spaces still work.
spn_displayname='<ServicePrincipal DisplayName>'
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad sp list --display-name "$spn_displayname" --query '[].id' -o tsv) --assignee-principal-type ServicePrincipal
```
