CJEdwards-7695 asked · Kiwibayer answered · 0 Votes

User doesn't have permission to create deployment ARM template in Azure

Using the 'Deploy to Azure' ARM template link from: https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

Getting the error:
The client 'live.com#xxx@gmail.com' with object id 'f7fb63c8-c4e1-4c28-89bb-a155fde3f5f9' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)

azure-cloud-services-extended-support

Please have a look at this blog post and see if it solves your problem
https://www.techielass.com/error-when-deploying-an-azure-landing-zone-template/

1 Vote

@CJEdwards-7695 Can you help me understand what permission or role your account currently has over the subscription?

Thanks

0 Votes

I have the following default roles on the free subscription:

Owner
Resource Policy Contributor
User Access Administrator

I created a custom role named 'Deployment Admin' to grant myself the following permissions to the subscription:
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete
Microsoft.Resources/deployments/cancel/action
Microsoft.Resources/deployments/validate/action
Microsoft.Resources/deployments/whatIf/action
Microsoft.Resources/deployments/exportTemplate/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Resources/deploymentScripts/read
Microsoft.Resources/deploymentScripts/write
Microsoft.Resources/deploymentScripts/delete
Microsoft.Resources/deploymentScripts/logs/read

I'm also a Global Administrator in Azure AD.

0 Votes

@CJEdwards-7695 It seems like you do have the required permissions. As this issue needs more investigation and live troubleshooting for quicker resolution, I would recommend that you contact Azure support. If you have a support plan, please file a support ticket; otherwise, please let us know and we will try to help you get one-time free technical support.

0 Votes

DanielVillamizar answered · 1 Vote

As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory.

If you are a Global Administrator, there might be times when you want to do the following actions:

Regain access to an Azure subscription or management group when a user has lost access
Grant another user or yourself access to an Azure subscription or management group
See all Azure subscriptions or management groups in an organization
Allow an automation app (such as an invoicing or auditing app) to access all Azure subscriptions or management groups.

Please look into Elevate access for a Global Administrator here:

https://docs.microsoft.com/es-es/azure/role-based-access-control/elevate-access-global-admin


JasonHyland-8649 answered · 0 Votes

Appears you also need to assign the role:

# Assign Owner at the tenant root scope "/" to the user's object id (closing parenthesis was missing).
# On Azure CLI 2.37+ 'az ad user show' returns 'id' instead of 'objectId'; adjust --query accordingly.
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad user show -o tsv --query objectId --id '<replace-me>@<my-aad-domain.com>')


jimbritt answered · 0 Votes

Please see the following article that explains the required configuration setup for Azure permissions before you can move forward on this deployment. It details the steps for configuring Azure permissions for ARM tenant deployments.

https://docs.microsoft.com/en-us/answers/questions/250370/user-doesn39t-have-permission-to-create-deployment.html


sudlo answered · 0 Votes

Even though I have the required permission, I am really not sure what is happening..

I am trying to use the following example.. https://github.com/Azure/Enterprise-Scale/tree/main/docs/reference/contoso

(screenshot attachment: image.png)

Any idea?

jimbritt answered · 1 Vote

Apologies, somehow my link didn't come through when I posted earlier. Has everyone followed this process to ensure you are set up properly?

https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md


Kiwibayer answered · 1 Vote

Hi all,

For anybody having the same issue:

@jimbritt provided the correct answer:
Follow the instructions on: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

which state that you need to:
1. Elevate access to manage Azure resources in the directory
2. Grant access to the user at root scope "/" to deploy the Enterprise-Scale reference implementation

This is because Enterprise-Scale requires permission at tenant root scope "/" to be able to configure Management Groups and create/move subscriptions. In order to grant permission at tenant root scope "/", users in the "AAD Global Administrators" group can temporarily elevate access to manage all Azure resources in the directory.

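As an added example (not code from any post in this thread), a small Python model of Azure RBAC action and scope matching that shows why the custom 'Deployment Admin' role assigned at subscription scope does not satisfy the error quoted in the question, while Owner at the tenant root "/" does. The subscription id is constructed, and the evaluator is a simplification that ignores deny assignments and data actions.

```python
import re

# Error text from the question above; only the action and scope matter here.
ERROR_TEXT = (
    "The client 'live.com#xxx@gmail.com' does not have authorization to perform action "
    "'Microsoft.Resources/deployments/validate/action' over scope "
    "'/providers/Microsoft.Resources/deployments/NoMarketplace-20210129014453' "
    "or the scope is invalid. (Code: AuthorizationFailed)"
)

# Actions of the custom 'Deployment Admin' role listed in the comments (subset).
DEPLOYMENT_ADMIN_ACTIONS = [
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/validate/action",
    "Microsoft.Resources/deployments/whatIf/action",
]

# Constructed subscription id for the example, not a real one.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

def parse_authorization_failed(message):
    """Return (action, scope) from an AuthorizationFailed message."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group(1), m.group(2)

def action_matches(pattern, action):
    """RBAC action patterns are case-insensitive and may contain '*' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def scope_covers(assigned_scope, target_scope):
    """An assignment applies at its own scope and everything below it; '/' covers all."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")

def is_authorized(assignments, action, scope):
    """Simplified RBAC check over (scope, actions, not_actions) tuples.
    Deny assignments and data actions are ignored in this model."""
    for assigned_scope, actions, not_actions in assignments:
        if not scope_covers(assigned_scope, scope):
            continue
        if any(action_matches(p, action) for p in not_actions):
            continue
        if any(action_matches(p, action) for p in actions):
            return True
    return False
```

The tenant-level deployment scope in the error sits outside any subscription, so even Owner assigned at the subscription evaluates to not authorized; only an assignment at "/" covers it.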