
0 Votes
RabiaMehta-7029 asked RabiaMehta-7029 commented

User don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

Whenever a new user added to the directory tries to deploy custom Azure templates, they get the following validation error: User don't have authorization to perform action 'Microsoft.Resources/deployments/validate/action'

The following roles are already granted:
1. Global Administrator access in Azure AD
2. Owner role assignment at the subscription level
3. Contributor access at the management group level

Also, I tried elevating access but am still facing the same issue.

azure-ad-tenant azure-rbac

2 Votes
MarileeTurscak-MSFT answered RabiaMehta-7029 commented

If you have already elevated the access and granted the Owner role, another thing to confirm is that you have granted permission to do ARM template deployment at the tenant root (/) scope and completed the prerequisites described here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md


When I am trying to create the Owner role at root (/) scope with the command

az role assignment create --role 'Owner' --scope '/' --assignee-object-id <user-object-id>

the following error appears:

The request did not have a subscription or a valid tenant level resource provider.

How can this be fixed?



0 Votes

Thanks, @MarileeTurscak-MSFT.
This issue was solved using a PowerShell command instead of the CLI command.

PowerShell command:

New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId <obj-id>

1 Vote

0 Votes
omarjg answered

Hi @MarileeTurscak-MSFT ,

Following the steps here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md

I was able to complete step 1 but step 2 is not working:

PS /home/omar> Set-AzContext -Tenant 'xxxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a'

Name Account SubscriptionName Environment TenantId


Visual Studio Enterprise Subscription (… xxxx@gmail.com Visual Studio Enterprise… AzureCloud xxxx-xxxx-xxxx-95bxxxx9-cc176afb6e2a

PS /home/omar> $user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
PS /home/omar> New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
New-AzRoleAssignment: Cannot validate argument on parameter 'ObjectId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
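
Added example, not part of any post in this thread: a way to resolve the object ID defensively before running the root-scope assignment discussed above. `Get-AzADUser -UserPrincipalName` can return nothing, for example when the signed-in account is a guest whose directory UPN differs from its sign-in name, which leaves `-ObjectId` empty. The function name `Resolve-SignedInUserObjectId` is hypothetical, and the script assumes the Az.Accounts and Az.Resources modules, an existing `Connect-AzAccount` session, and that access has already been elevated.

```powershell
# Added example: resolve the signed-in user's object ID before assigning
# Owner at the tenant root scope, and fail loudly instead of passing $null.
$ErrorActionPreference = 'Stop'

function Resolve-SignedInUserObjectId {
    # Hypothetical helper name; not part of the Az modules.
    $signInName = (Get-AzContext).Account.Id   # sign-in name as a string

    # 1. Member accounts: the sign-in name is normally the UPN.
    $user = Get-AzADUser -UserPrincipalName $signInName -ErrorAction SilentlyContinue

    # 2. Guest accounts: the directory UPN has the form
    #    name_domain#EXT#@tenant.onmicrosoft.com, so try the mail attribute,
    #    which usually holds the external address (assumption).
    if (-not $user) {
        $user = Get-AzADUser -Mail $signInName -ErrorAction SilentlyContinue
    }

    if (-not $user) {
        throw "No directory user found for '$signInName'. Look up the object ID and pass it explicitly."
    }
    if (@($user).Count -gt 1) {
        throw "More than one directory user matches '$signInName'; refusing to guess."
    }
    return $user.Id
}

$objectId = Resolve-SignedInUserObjectId

# Skip the assignment if Owner already exists at exactly the root scope.
$existing = Get-AzRoleAssignment -Scope '/' -ObjectId $objectId -RoleDefinitionName 'Owner' |
    Where-Object { $_.Scope -eq '/' }

if ($existing) {
    Write-Output "Owner at '/' is already assigned to $objectId."
} else {
    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $objectId
}

# Review every principal that holds a role at the root scope.
Get-AzRoleAssignment -Scope '/' | Where-Object { $_.Scope -eq '/' } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, ObjectId
```

The final listing shows every principal with a role at `/`; `Remove-AzRoleAssignment` with the same `-Scope`, `-RoleDefinitionName` and `-ObjectId` removes an assignment that is no longer needed.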



