You do not have permission to create resource groups under subscription Azure Enterprise subscription

Ashish Vats 21 Reputation points

Hi Team,

I am attempting to create a new Azure B2C Tenant. On the Basic step of creation, I am asked to create a new Resource Group (we do not have any existing groups yet). Whatever I type as the name of the resource group I am getting "You do not have permission to create resource groups under subscription Azure Enterprise subscription"
I am having the Azure Enterprise Subscription in my name but when I try to create a Resource Group I am getting the above error. I have "Azure Active Directory Premium P2" under Microsoft 365 E5 Security and "Azure Active Directory Premium P1" under Microsoft 365 E3.

Can someone please assist me?

What needs to be done from my end?
What access I am lacking?
Where do I need to get myself added? I mean roles.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,410 questions
{count} votes

8 answers

Sort by: Most helpful
  1. Naseer Khan 15 Reputation points

    Hi, even my case is strange, I have User Access Administrator role (this is my pay-as-you-go personal account) and I get permission denied on creating resource groups in the subscription.
    I can create resources inside it also through CLI I can create resource groups as well.

    Everything was fine until this morning I found my subscription role was automatically modified from 'owner' to 'user access administrator (specified access).

    Naseer Khan

    2 people found this answer helpful.

  2. Stargazer 15 Reputation points

    I managed to solve this. I had to give myself, the Global Admin and Account owner, the role "owner" to the subscription.

    2 people found this answer helpful.
    0 comments No comments

  3. Steven James 5 Reputation points

    Same problem, started last week. 14 days ago it was working fine

    1 person found this answer helpful.

  4. Shannon McC 26 Reputation points

    I suspect the retirement of the legacy "co-administrator" roles has already started to take effect, and the co-administrator role on a subscription no longer works (even if it is still assigned); or maybe there was something about changing "Owner" to "User Access Administrator" for people that were co-administrators?

    But I fixed it:

    • I had to explicitly grant myself Owner rights to the subscription(s). Didn't need to do that previously as I had co-administrator rights.
    • Of course, you should also check that the "[user] can manage access to all Azure subscriptions and management groups in this tenant" is ticked in "Entra ID", "Properties".
    • Granting myself Owner did not take effect straight away. Things only started working correctly after about 10 minutes after I made the changes. (There is some caching going on, so make the change and come back later!)
    • I still have co-administrator rights, but I don't know if they do anything any more.
    • You could also instead open "Management Groups" and grant yourself Owner access to the Tennant Root Group, as this might also work and grant you Owner across all subscriptions. (It should but I have not tested it).

    Of course, this all ignores least-privilege etc. But if this a single-user tenant when it's only you doing research of development, that doesn't matter; although I'd recommend a more considered approach in a larger organisation.

    1 person found this answer helpful.
    0 comments No comments

  5. Cristian SPIRIDON 4,471 Reputation points

    If you are Global Admin, did you elevate yourself for all subscriptions in your tenant?

    Hope this helps!