
System-protected tenant root deny assignment “[UnusualActivity] Full Deny” blocking Trusted Signing – cannot remove

Karpuragaurai 0 Reputation points
2026-03-05T21:31:29.3966667+00:00

Hello,

I am unable to manage my Azure Trusted Signing (Artifact Signing Account) resource because a system-protected deny assignment was applied to my user.

Deny assignment details:

Name: [UnusualActivity] Full Deny assignment

ID: /providers/Microsoft.Authorization/denyAssignments/PII

Scope: / (tenant root)

System protected: Yes

Affected user objectId: PII

Impact:

Even though my user has Owner/Contributor roles on the subscription and resource, all actions are denied due to this root-level deny assignment. The portal indicates deny assignments are read-only, so I cannot remove it.

This is blocking management of my Trusted Signing (Artifact Signing Account) resource.

Questions:

  1. Can a moderator help escalate removal of this system-protected deny assignment?
  2. Is there any remediation step I should perform to clear the “UnusualActivity” restriction?

Any guidance would be greatly appreciated.

Thank you.

Community Center | Not monitored

1 answer

  1. Suchitra Suregaunkar 12,100 Reputation points Microsoft External Staff Moderator
    2026-03-13T03:30:40.26+00:00

    Hello Karpuragaurai

    We are looking into this issue and will keep you posted with updates.

    It looks like your account has been added to a Deny Assignment at the root level, which prevents you from performing any actions in your subscription.

    This may have happened because you were running scripts using access tokens from your account, and Microsoft may have applied this policy to restrict your access.

    For example, actions like Microsoft.Insights/Metrics/write were not allowed.

    Warning: If a service principal repeatedly hits the GIG endpoint without proper permissions, it may get blacklisted.

    Try the Following Solutions

    Solution 1: Remove the Deny Assignment

    Go to the Azure Portal: https://portal.azure.com

    Navigate to "Subscriptions" and select your subscription.

    Go to "Access Control (IAM)" at the root scope ('/').

    Find the "Deny Assignments" tab.

    Look for your Object ID (e.g., 653ad2b4ae4b4bb3a7e62651f19ddba9) or Name.

    Remove or Modify the Deny Assignment as needed.

    If it is in Read mode, try Solution 2.

    Solution 2: Create a New Azure AD User and Assign Owner Role

    If Solution 1 doesn’t work, create a new admin account and use it to remove the deny assignment.

    Step 1: Create a New User in Azure AD

    Open Azure Portal → Go to Microsoft Entra ID (Azure AD) > Users.

    Click "+ New user".

    Enter User Details:

    User Type: Member

    Username: ******@yourdomain.onmicrosoft.com

    Name: <Full Name>

    Password: Auto-generated

    Click "Create".

    Step 2: Assign "Owner" Role to the New User

    Go to "Subscriptions" → Select your subscription.

    Navigate to "Access Control (IAM)".

    Click "+ Add" > "Add role assignment".

    Choose "Owner" → Click Next.

    Select the newly created user (******@yourdomain.onmicrosoft.com).

    Click "Review + Assign".

    Step 3: Remove Deny Assignment Using the New Account

    Log in with the newly created account.

    Try removing the Deny Assignment as described in Solution 1.

    Alternatively, run the following PowerShell command:

    PowerShell

    Remove-AzRoleAssignment -ObjectId "your-object-id" -Scope "/" -RoleDefinitionName "Deny Assignment" 
    
    

    Solution 3:

    Log in to the Azure portal using the newly created account and attempt to create Azure resources.

    Feel free to reach out if you have any further questions or need additional information—I’m happy to assist!

    Please provide your valuable comments

    Please do not forget to “upvote it” wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    Thanks,

    Suchitra.
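
An added example, not part of the original thread and not Microsoft's code: a simplified Python model of Azure RBAC evaluation, showing why the root-scope deny assignment described in the question overrides an Owner role held at subscription scope. The IDs, the resource group name and the `*` action set used for the deny assignment are constructed assumptions; group membership and data actions are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample data: IDs and the resource group name are placeholders.
USER = "11111111-1111-1111-1111-111111111111"
SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"
TARGET = SUB + "/resourceGroups/rg-demo"
ROLES = [{"roleName": "Owner", "principalId": USER, "scope": SUB,
          "permissions": [{"actions": ["*"], "notActions": []}]}]
# Shaped like an ARM denyAssignments record; "*" for a "Full Deny" is an assumption.
DENIES = [{"properties": {
    "denyAssignmentName": "[UnusualActivity] Full Deny assignment",
    "scope": "/", "isSystemProtected": True, "doNotApplyToChildScopes": False,
    "permissions": [{"actions": ["*"], "notActions": []}],
    "principals": [{"id": USER, "type": "User"}], "excludePrincipals": []}}]

def scope_covers(assigned, target, children=True):
    """True if an assignment at `assigned` applies at `target` (inheritance)."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return a == t or (children and t.startswith(a + "/"))

def action_matches(action, permissions):
    """Wildcard match against actions, minus anything carved out by notActions."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return any(hit(p.get("actions", [])) and not hit(p.get("notActions", []))
               for p in permissions)

def evaluate(principal, action, scope, roles, denies):
    """Deny assignments are checked first; roles only matter if none applies."""
    for d in (x["properties"] for x in denies):
        listed = principal in {p["id"] for p in d["principals"]}
        excluded = principal in {p["id"] for p in d.get("excludePrincipals", [])}
        inherit = not d.get("doNotApplyToChildScopes", False)
        if (listed and not excluded and scope_covers(d["scope"], scope, inherit)
                and action_matches(action, d["permissions"])):
            return ("Denied", d["denyAssignmentName"])
    for r in roles:
        if (r["principalId"] == principal and scope_covers(r["scope"], scope)
                and action_matches(action, r["permissions"])):
            return ("Allowed", r["roleName"])
    return ("Denied", "no matching role assignment")

if __name__ == "__main__":
    action = "Microsoft.Insights/Metrics/write"  # action named in the answer
    print(evaluate(USER, action, TARGET, ROLES, DENIES))
    print(evaluate(USER, action, TARGET, ROLES, []))
```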

