Error granting reader role on an Enterprise policy

Question

Error granting reader role on an Enterprise policy

Ifechukwu Michaels 0

Following https://learn.microsoft.com/en-us/power-apps/maker/data-platform/azure-synapse-link-msi, someone with User Access Administrator permission is running this Powershell New-AzRoleAssignment -ObjectId

Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-20T03:46:17.32+00:00
Hey Ifechukwu, it looks like you’re getting a “Forbidden” when trying to grant the Reader role on your Enterprise Policy (EP) resource. That error almost always means the caller doesn’t actually have the Microsoft.Authorization/roleAssignments/write permission at the exact scope you’re targeting. Here’s what to check and try:

Confirm the exact scope of the EP resource • Is it a management-group scope (like /providers/Microsoft.Management/managementGroups/{MG}) or a subscription/resource-group scope? • Even if you’re User Access Administrator at the subscription, that role doesn’t automatically cover management-group or parent scopes.

Verify your permissions at that scope • Run:
Get-AzRoleAssignment –SignInName ******@contoso.com –Scope <EP Resource Id>
to see which roles you actually have on that EP resource. • You need either Owner or User Access Administrator at that exact scope (or a custom role with Microsoft.Authorization/roleAssignments/write).

If the EP is under a management group, make sure you’ve been granted access there • Management-group RBAC is separate—subscription-level rights don’t carry up. Ask a Global Admin/Management-Group Owner to assign you User Access Administrator (or Owner) on that MG.

Refresh your login & retry
Disconnect-AzAccount Connect-AzAccount –Tenant yourTenantId New-AzRoleAssignment –ObjectId <objId> –RoleDefinitionName Reader –Scope <EP Resource Id>

Double-check the scope string • It must exactly match the resource’s scope. You can list existing assignments with:
Get-AzRoleAssignment –Scope <EP Resource Id>
• If that cmdlet also 403’s, you definitely lack the right RBAC on that path.

Hope that helps! If you still hit the same error, let me know:

• What exact scope URI you’re using?

• What Get-AzRoleAssignment shows for your user at that scope?

• Are you targeting a management-group or subscription-level EP?

Reference list

• Azure Policy and RBAC

https://docs.microsoft.com/azure/role-based-access-control/overview

• Issues with authorization and RBAC policies

https://supportabilityhub.microsoft.com/solutions/apollosolutions/1f77309e-9991-25b5-932b-c2ded4e388d7/apollo-81f556a3-8553-42cd-8f68-b9c85ba3c28c

• Troubleshoot Azure RBAC

https://docs.microsoft.com/azure/role-based-access-control/troubleshooting

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Ifechukwu Michaels 0 Reputation points

2026-04-20T05:32:31.28+00:00

Hi Rukmini, thanks for your response.
I think it is safe to assume it's subscription/resource-group scope. Here is the actual URI New-AzRoleAssignment -ObjectId "xxxxxxxxxx" -RoleDefinitionName Reader -Scope "/subscriptions/xxxx/resourceGroups/xxx-rg-xxxx-aue/providers/Microsoft.PowerPlatform/enterprisePolicies/xxxx-ep-xxxx-aue". I have cross checked and the scope is correct. A few accounts with User Access Administrator permission on the subscription have run the lines on my behalf with the same error 'New-AzRoleAssignment: Operation returned an invalid status code 'Forbidden'.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-20T05:44:33.1133333+00:00
Ifechukwu Michaels the solution is to make sure that the permissions at the Azure RBAC and Power Platform levels are right.

In Azure or Microsoft Entra ID: Assign the subscription or resource group's Owner, not only the User Access Administrator. Retry the command after reauthenticating.

On the Power Platform: Make sure the user or service principal has the proper roles, such as Environment Admin or Power Platform Admin.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-21T02:12:48.21+00:00

Ifechukwu Michaels Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-27T06:31:59.4266667+00:00

Ifechukwu Michaels Following up to see if the above provided information was helpful. If you have any further queries do let us know.

1 answer

Your answer

Ifechukwu Michaels 0 Reputation points

2026-04-20T05:32:31.28+00:00

Hi Rukmini, thanks for your response.
I think it is safe to assume it's subscription/resource-group scope. Here is the actual URI New-AzRoleAssignment -ObjectId "xxxxxxxxxx" -RoleDefinitionName Reader -Scope "/subscriptions/xxxx/resourceGroups/xxx-rg-xxxx-aue/providers/Microsoft.PowerPlatform/enterprisePolicies/xxxx-ep-xxxx-aue". I have cross checked and the scope is correct. A few accounts with User Access Administrator permission on the subscription have run the lines on my behalf with the same error 'New-AzRoleAssignment: Operation returned an invalid status code 'Forbidden'.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-20T05:44:33.1133333+00:00

Ifechukwu Michaels the solution is to make sure that the permissions at the Azure RBAC and Power Platform levels are right.

In Azure or Microsoft Entra ID: Assign the subscription or resource group's Owner, not only the User Access Administrator. Retry the command after reauthenticating.

On the Power Platform: Make sure the user or service principal has the proper roles, such as Environment Admin or Power Platform Admin.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-21T02:12:48.21+00:00

Ifechukwu Michaels Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Rukmini 39,885 Reputation points Microsoft External Staff Moderator

2026-04-27T06:31:59.4266667+00:00

Ifechukwu Michaels Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Answer 1

The Forbidden response from New-AzRoleAssignment means the caller does not have sufficient permissions on the specified scope (<EP Resource Id>) to create a role assignment, even if the caller has a role like User Access Administrator elsewhere.

From the documented procedure to grant Reader on an enterprise policy, the key requirement is:

You must have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner, to complete this task.

That permission must be effective at the enterprise policy resource’s scope (or a parent scope). If the user’s User Access Administrator role is only at subscription or resource-group level that does not cover the enterprise policy resource, or is on a different subscription/tenant, the role assignment call at <EP Resource Id> will fail with Forbidden.

To resolve:

Verify the scope of the caller’s role:
- Confirm that the identity running New-AzRoleAssignment has User Access Administrator or Owner at:
  - the enterprise policy resource scope (microsoft.powerplatform/enterprisepolicies), or
  - a parent scope (for example, the subscription or resource group that contains the enterprise policy).
Re-check the enterprise policy resource ID:
- Use Resource Graph Explorer as documented to locate the enterprise policy and copy its id exactly.
- Ensure that the -Scope parameter is set to that exact id.

Run the documented command from an identity with the required permission at that scope:

   New-AzRoleAssignment -ObjectId <objId> -RoleDefinitionName Reader -Scope <EP Resource Id>

If the same user is already User Access Administrator or Owner at the enterprise policy’s subscription or resource group, the command should succeed once the correct scope is used. If not, an existing Owner/User Access Administrator at that scope must first grant the necessary role.

References:

Share via

Error granting reader role on an Enterprise policy

1 answer

Your answer