I can't create a Resource Management Private Link even when I have the Global Administrator role, the User Access Administrator role, and Owner on the Resource Group.

Felipe Brigo 6 Reputation points
2021-11-09T11:31:38.023+00:00

Hi, I was told by Microsoft Support to create a post here in order to help me solve the issue I'm having with Azure Storage.

Since English is not my native language I apologize for any inconsistencies written here; I'm available to clarify any misunderstandings that may happen.

I spent the last few days trying to understand why I'm being denied when I create a Resource Management Private Link even though I have all the necessary permissions (that I'm aware of). After some chat with the support, who verified I'm using the correct roles, I don't actually know what to do here.

My user has the Global Admin role, Owner of the storage account, Owner of the Resource Group (inherited), Owner of the Subscription (inherited), User Access Administrator at Root (inherited).
Before posting here the support asked me to create another user and give it the permissions to create the link. I tried that and the issue persists. As I said, according to Microsoft Support my roles look right and nothing unusual shows up in the logs.

When I try to create the private link, the following error shows up:

ERROR TYPE
The client 'myuser@Karima ben .com' with object id 'XXXXXXXXXXXXXXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Management/managementGroups/XXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXX/providers/Microsoft.Resources/deployments/Microsoft.ResourceManagementPrivateLink-XXXXXXXXXXXX' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

I censored some info just to be safe, but if it's needed I can provide it.

Thank you.

Edit: I'm trying to use Azure Storage, managing it through portal.azure.com.

Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.

2 answers

  1. smmk 6 Reputation points
    2021-11-19T00:18:02.39+00:00

    I was seeing the same error until I followed the steps in the documentation on resource management private links:

    The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles at the root management group. To enable creating resource management private links, the Global Administrator must have permission to read root management group and elevate access to have User Access Administrator permission on all subscriptions and management groups in the tenant. After getting the User Access Administrator permission, the Global Administrator must grant Owner or Contributor permission at the root management group to the user creating the private link association.

    Once I changed my Azure Active Directory settings so that I had the User Access Administrator role at the root scope and had added myself as Owner of the management group, I was able to create a resource management private link.

    My guess is that being Owner of the resource group, rather than being a subscription/tenant owner, is the problem. The resource management private link changes permissions at the tenant level, which is a level above resource groups.

    1 person found this answer helpful.

  2. Jenny Hunter 6 Reputation points Microsoft Employee
    2021-11-22T22:07:07.207+00:00

    Hi, Felipe.
    From your answers so far, it seems like you should have all the permissions needed.

    Would you be able to provide more details on the steps you've taken?
    The Resource Management Private Link portal experience creates two resources during the create wizard. The resourceManagementPrivateLink resource only requires permissions at the subscription level, and the privateLinkAssociation resource requires permissions at the Root management group.
    The Create wizard should verify your permission level before triggering a deployment. Is the wizard failing, or is your deployment failing?
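As an added example (not part of the original thread, and not Microsoft's own code), here is the sequence the documentation quoted in the first answer describes, followed by creating the two resources the second answer names at their respective scopes, done from Az PowerShell instead of the portal so each step's scope is explicit. Assumptions: the Az module is installed and you are signed in as a Global Administrator with a subscription context selected; the resource group, link name and location are placeholders; the root management group id equals the tenant id; the `Microsoft.Authorization/resourceManagementPrivateLinks` and `privateLinkAssociations` REST paths use api-version 2020-05-01 and the association name must be a GUID.

```powershell
# Added example: elevate access, grant Owner at the root management group,
# then create the resourceManagementPrivateLink (subscription scope) and the
# privateLinkAssociation (root management group scope).
# Assumes: Az module, signed in as Global Administrator, subscription context set.

$ctx         = Get-AzContext
$tenantId    = $ctx.Tenant.Id
$subId       = $ctx.Subscription.Id
$upn         = $ctx.Account.Id                                  # signed-in user's UPN
$rootMgScope = "/providers/Microsoft.Management/managementGroups/$tenantId"  # root MG id == tenant id (assumption)

# Placeholders for the example; replace with your own values.
$rg       = "rg-armlink"
$linkName = "armlink-prod"
$location = "westeurope"

# Step 1: Global Administrator elevates to User Access Administrator at "/"
# (root of the tenant's resource hierarchy). This is the documented elevateAccess call.
$elev = Invoke-AzRestMethod -Method POST `
    -Path "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
if ($elev.StatusCode -ne 200) { throw "elevateAccess failed: $($elev.StatusCode) $($elev.Content)" }

# The new assignment is only reflected in freshly issued tokens (the portal error itself
# says "If access was recently granted, please refresh your credentials"), so re-authenticate.
Disconnect-AzAccount | Out-Null
Connect-AzAccount -Tenant $tenantId -Subscription $subId | Out-Null

# Step 2: grant Owner (or Contributor) at the root management group to the user
# who will create the association. Here that is the same signed-in user.
New-AzRoleAssignment -SignInName $upn -RoleDefinitionName "Owner" -Scope $rootMgScope | Out-Null

# Step 3: verify before touching the deployment, which is what the wizard's
# permission check would do. The question's error is AuthorizationFailed at exactly this scope.
$rootRoles = Get-AzRoleAssignment -SignInName $upn -Scope $rootMgScope |
    Select-Object -ExpandProperty RoleDefinitionName
if ($rootRoles -notcontains "Owner" -and $rootRoles -notcontains "Contributor") {
    throw "No Owner/Contributor assignment visible at $rootMgScope for $upn"
}

# Step 4: the resourceManagementPrivateLink lives in a resource group, so
# subscription-level permissions are enough for this call.
$linkPath = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Authorization" +
            "/resourceManagementPrivateLinks/$linkName" + "?api-version=2020-05-01"
$linkResp = Invoke-AzRestMethod -Method PUT -Path $linkPath `
    -Payload (@{ location = $location } | ConvertTo-Json)
if ($linkResp.StatusCode -notin 200, 201) { throw "private link create failed: $($linkResp.Content)" }
$linkId = ($linkResp.Content | ConvertFrom-Json).id

# Step 5: the privateLinkAssociation is created at the root management group,
# which is why Owner on the resource group alone is not enough.
# Start with publicNetworkAccess = enabled: "disabled" cuts off public ARM
# access for every subscription under the management group and can lock you out.
$assocName = [guid]::NewGuid().Guid     # association name must be a GUID (assumption)
$assocPath = "$rootMgScope/providers/Microsoft.Authorization/privateLinkAssociations/$assocName" +
             "?api-version=2020-05-01"
$assocBody = @{ properties = @{ privateLink = $linkId; publicNetworkAccess = "enabled" } } |
    ConvertTo-Json -Depth 4
$assocResp = Invoke-AzRestMethod -Method PUT -Path $assocPath -Payload $assocBody
if ($assocResp.StatusCode -notin 200, 201) { throw "association create failed: $($assocResp.Content)" }

# Step 6: least privilege. Elevated access is tenant-wide; remove it once the job is done.
Remove-AzRoleAssignment -SignInName $upn -RoleDefinitionName "User Access Administrator" -Scope "/"
```

The split in steps 4 and 5 is the point: the private link resource only needs rights in the subscription, while the association is a root-management-group resource, so the validate/deploy call in the question's error is evaluated at `/providers/Microsoft.Management/managementGroups/<tenantId>` and fails unless an Owner or Contributor assignment exists there and is present in the caller's current token.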