You do not have permission to create resource groups under subscription Azure Enterprise subscription

Ashish-6907 37 Reputation points
2021-07-15T08:14:43.67+00:00

Hi Team,

I am attempting to create a new Azure B2C Tenant. On the Basic step of creation, I am asked to create a new Resource Group (we do not have any existing groups yet). Whatever I type as the name of the resource group I am getting "You do not have permission to create resource groups under subscription Azure Enterprise subscription"
I am having the Azure Enterprise Subscription in my name but when I try to create a Resource Group I am getting the above error. I have "Azure Active Directory Premium P2" under Microsoft 365 E5 Security and "Azure Active Directory Premium P1" under Microsoft 365 E3.

Can someone please assist me?

What needs to be done from my end?
What access I am lacking?
Where do I need to get myself added? I mean roles.

Thanks,
Ashish

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,455 questions
{count} votes

8 answers

Sort by: Most helpful
  1. Naseer Khan 15 Reputation points
    2024-03-13T05:54:56.8133333+00:00

    Hi, even my case is strange, I have User Access Administrator role (this is my pay-as-you-go personal account) and I get permission denied on creating resource groups in the subscription.
    I can create resources inside it also through CLI I can create resource groups as well.

    Everything was fine until this morning I found my subscription role was automatically modified from 'owner' to 'user access administrator (specified access).

    Thanks&Regards
    Naseer Khan

    2 people found this answer helpful.

  2. Stargazer 20 Reputation points
    2024-03-21T16:15:45.1666667+00:00

    I managed to solve this. I had to give myself, the Global Admin and Account owner, the role "owner" to the subscription.

    2 people found this answer helpful.
    0 comments No comments

  3. Shannon McC 31 Reputation points
    2024-03-22T03:07:58.6433333+00:00

    I suspect the retirement of the legacy "co-administrator" roles has already started to take effect, and the co-administrator role on a subscription no longer works (even if it is still assigned); or maybe there was something about changing "Owner" to "User Access Administrator" for people that were co-administrators?

    But I fixed it:

    • I had to explicitly grant myself Owner rights to the subscription(s). Didn't need to do that previously as I had co-administrator rights.
    • Of course, you should also check that the "[user] can manage access to all Azure subscriptions and management groups in this tenant" is ticked in "Entra ID", "Properties".
    • Granting myself Owner did not take effect straight away. Things only started working correctly after about 10 minutes after I made the changes. (There is some caching going on, so make the change and come back later!)
    • I still have co-administrator rights, but I don't know if they do anything any more.
    • You could also instead open "Management Groups" and grant yourself Owner access to the Tennant Root Group, as this might also work and grant you Owner across all subscriptions. (It should but I have not tested it).

    Of course, this all ignores least-privilege etc. But if this a single-user tenant when it's only you doing research of development, that doesn't matter; although I'd recommend a more considered approach in a larger organisation.

    2 people found this answer helpful.

  4. Steven James 5 Reputation points
    2024-03-21T02:00:35.7466667+00:00

    Same problem, started last week. 14 days ago it was working fine

    1 person found this answer helpful.

  5. Cristian SPIRIDON 4,481 Reputation points
    2021-07-19T05:46:30.363+00:00

    If you are Global Admin, did you elevate yourself for all subscriptions in your tenant?

    https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

    Hope this helps!


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.