User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/

Vish 31 Reputation points
2021-10-26T16:44:59.65+00:00

Trying to grant access to an SPN so it can read/write a subscription alias. When creating an SPN as Contributor or even Owner, it does not have access to a subscription alias.

Using my ID, account@keyman.com, as a Global Admin for AAD and an Owner of the subscription, I can create an alias for the subscription.

--Create subscription alias
az account alias create --name "testsub100" --subscription-id "xx2fe59e66-xxxx-yyyy-zzzz-eaf123456789"

--Then create a SPN
az ad sp create-for-rbac --name


Accepted answer
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-10-26T22:27:41.853+00:00

    Hi @Vish ,

    The error message means that you need to assign the "Reader" role at the /providers/Microsoft.Subscription scope.

    To resolve this, do the following:

    1. Make sure this setting (https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#azure-portal) is turned on so all Global Admins in the tenant have "User Access Administrator" permissions at the "/" scope
    2. Using a Global Admin of the AAD tenant, connect using the Az module and assign permissions to the service principal like this:

       Connect-AzAccount -Tenant xxxxxxxx
       $sp = Get-AzADServicePrincipal -DisplayName "appdisplayname"
       New-AzRoleAssignment -ObjectId $sp.Id -Scope /providers/Microsoft.Subscription -RoleDefinitionName "Reader"
    3. Then retry the operation with the service principal.

    Let me know if this helps resolve the issue.

    Thanks,

    Marilee
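The steps in the accepted answer as one idempotent script, an added example that is not part of the thread. It assumes the Az.Accounts and Az.Resources modules, a signed-in Global Admin whose access is already elevated at "/", and placeholder values for the tenant id and SP display name; set $Scope to /providers/Microsoft.Subscription/aliases/<alias> to scope the grant to a single alias instead of the whole provider.

```powershell
# Added example, not code from the original thread.
# Assumes: Az.Accounts + Az.Resources installed; you are a Global Admin with
# access already elevated to User Access Administrator at "/".
# <tenant-id> and <appdisplayname> are placeholders.
param(
    [string]$TenantId      = '<tenant-id>',                  # placeholder
    [string]$SpDisplayName = '<appdisplayname>',             # placeholder
    [string]$Scope         = '/providers/Microsoft.Subscription',  # provider scope from the accepted answer
    [string]$Role          = 'Reader'                        # least privilege first; widen only if the operation still fails
)

Connect-AzAccount -Tenant $TenantId | Out-Null

# 1. Confirm the signed-in account really holds User Access Administrator at "/".
#    Without it, New-AzRoleAssignment at a tenant-level scope is rejected.
$me = Get-AzContext
$rootUaa = Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator' |
    Where-Object { $_.SignInName -eq $me.Account.Id }
if (-not $rootUaa) {
    throw "Account $($me.Account.Id) is not User Access Administrator at '/'; elevate access first."
}

# 2. Resolve the service principal. RBAC needs the object id, not the app id.
$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "Service principal '$SpDisplayName' not found." }

# 3. Only create the role assignment if it is missing, so re-running the
#    script does not fail on a duplicate assignment.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -RoleDefinitionName $Role
if ($existing) {
    Write-Host "$Role is already assigned to $($sp.DisplayName) at $Scope"
} else {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope -RoleDefinitionName $Role | Out-Null
    Write-Host "Assigned $Role to $($sp.DisplayName) at $Scope"
}

# 4. Show what the principal now holds at this scope, for review before
#    retrying the alias operation as the service principal.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope |
    Select-Object RoleDefinitionName, Scope
```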


2 additional answers

  1. Igła Jakub 1 Reputation point
    2022-06-10T17:12:59.05+00:00

    The account aliases functionality is absolutely ridiculous.

    I created a subscription via service principal (using Terraform) in the management group, of which I am an Owner.
    I have Owner role and I'm a classic administrator of this subscription.

    But when I run "az account alias list" I don't see this subscription, and when trying to run Terraform (let's say for drift detection) from my account I get:
    "User does not have access Microsoft.Subscription/aliases/read over scope providers/Microsoft.Subscription/aliases/xxx"

    This doesn't make any sense.


  2. Derrick Baxter 6 Reputation points Microsoft Employee
    2023-08-22T14:39:23.5566667+00:00

    While you are getting a read error, you may be able to use Reader/Contributor instead of Owner; you can try lower-level permissions and work up until the command completes.

    From the error you get, use the Az PowerShell module and directly assign the user/SPN the Owner role on the alias.

    Connect-AzAccount
    Try
    New-AzRoleAssignment -ObjectId <principal-object-id> -Scope /providers/Microsoft.Subscription/aliases/<alias> -RoleDefinitionName "Reader"
    New-AzRoleAssignment -ObjectId <principal-object-id> -Scope /providers/Microsoft.Subscription/aliases/<alias> -RoleDefinitionName "Contributor"
    If they do not work then use Owner
    New-AzRoleAssignment -ObjectId <principal-object-id> -Scope /providers/Microsoft.Subscription/aliases/<alias> -RoleDefinitionName "Owner"

    Rerun the command/Terraform script.
