Azure/ALZ-Bicep

Deployment problems - AuthorizationFailed

Artif3xx opened this issue · 5 comments

Let us know the feedback or general question

I am having problems creating management groups as described in the first step of the deployment flow. I would like to create Management Groups so that I can work with Landing Zones. However, I get an AuthorizationFailed error:

{"code": "AuthorizationFailed", "message": "The client 'live.com#User@User.com' with object id '00000000-0000-0000-0000-000000000000' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/providers/Microsoft.Resources/deployments/alz-MGDeployment-20240801T150123128786706Z' or the scope is invalid. If access was recently granted, please refresh your credentials."}

However, I have the appropriate owner rights to be able to create the groups.

az role assignment list --assignee User_User.com#EXT#@User.onmicrosoft.com

output:

  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "00000000-0000-0000-0000-000000000000",
    "createdOn": "2024-07-11T14:02:09.536523+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000",
    "name": "00000000-0000-0000-0000-000000000000",
    "principalId": "00000000-0000-0000-0000-000000000000",
    "principalName": "User_User.com#EXT#@User.onmicrosoft.com",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    "type": "Microsoft.Authorization/roleAssignments",
    "updatedBy": "00000000-0000-0000-0000-000000000000",
    "updatedOn": "2024-07-11T14:02:09.536523+00:00"
  }

Updating my account credentials with az account clear && az login did not change anything either.

It is not clear to me what I need to be able to execute the corresponding template files. Does anyone have any idea what the error is or what I can do about it?

I use a Visual Studio Enterprise subscription and am a registered account admin.

Many thanks in advance


Even if I create an ARM template with az bicep build, I cannot use it in the Azure Portal with the custom deployment method.

(Attached image: Screenshot 2024-08-01 145342)

Hey @Artif3xx, the permissions at the root tenant level can be a bit finicky. Try going through these steps and let me know if this helps!
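Why the Owner assignment shown above does not help: Azure RBAC inherits downward only (tenant root "/" → management group → subscription → resource group → resource), and a management-group deployment is a tenant-scope deployment whose scope is `/providers/Microsoft.Resources/deployments/<name>`, which sits directly under "/". A role held at `/subscriptions/<id>` therefore grants nothing there. The following is an added example (not code from the ALZ-Bicep project or from anyone in this thread) that models that scope-inheritance rule over the role-assignment JSON posted above, with the IDs zeroed exactly as in the post. The role definitions are a labelled subset of the built-in roles, and the `authorized` and `ancestor_note` function names are the example's own.

```python
"""Model Azure RBAC scope inheritance to explain an AuthorizationFailed error.

Rule modelled: an assignment at scope S applies to target scope T when S is
the tenant root "/", when T == S, or when T is a descendant path of S.
Management-group membership of a subscription is not encoded in the scope
path, so a caller passes those management-group scopes explicitly.
"""
import fnmatch

# Constructed sample: the assignment pasted in the issue (IDs zeroed as posted).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRINCIPAL = "User_User.com#EXT#@User.onmicrosoft.com"
SAMPLE_ASSIGNMENTS = [
    {"principalName": PRINCIPAL, "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
]

# Scope of the failing tenant-level deployment quoted in the error message.
TENANT_DEPLOYMENT = (
    "/providers/Microsoft.Resources/deployments/alz-MGDeployment-20240801T150123128786706Z"
)
ACTION = "Microsoft.Resources/deployments/validate/action"

# Subset of built-in role definitions (Actions/NotActions), enough for the demo.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
}


def _normalize(scope: str) -> str:
    """Lower-case a scope and collapse a trailing slash; "" becomes the root "/"."""
    return scope.rstrip("/").lower() or "/"


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope is inherited by target_scope."""
    a, t = _normalize(assignment_scope), _normalize(target_scope)
    return a == "/" or t == a or t.startswith(a + "/")


def _action_matches(pattern: str, action: str) -> bool:
    """Azure action patterns use '*' wildcards that may span path segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def authorized(assignments, principal, action, scope, extra_scopes=()):
    """Return the first assignment granting `action` at `scope`, else None.

    extra_scopes: ancestor scopes not derivable from the path, e.g. the
    management groups a subscription is placed under.
    """
    targets = [scope, *extra_scopes]
    for a in assignments:
        if a["principalName"].lower() != principal.lower():
            continue
        role = ROLE_DEFINITIONS.get(a["roleDefinitionName"])
        if role is None:
            continue  # role not in our subset; cannot evaluate it
        if not any(scope_covers(a["scope"], t) for t in targets):
            continue  # assignment sits below or beside the target: no inheritance
        if any(_action_matches(na, action) for na in role["notActions"]):
            continue  # explicitly excluded by the role
        if any(_action_matches(act, action) for act in role["actions"]):
            return a
    return None


def ancestor_note(assignment_scope: str, target_scope: str) -> str:
    """One-line explanation of whether inheritance flows from one scope to another."""
    if scope_covers(assignment_scope, target_scope):
        return f"{assignment_scope} is an ancestor of {target_scope}: role is inherited"
    return f"{assignment_scope} is not an ancestor of {target_scope}: role is NOT inherited"


if __name__ == "__main__":
    # The situation in the issue: Owner at subscription, deployment at tenant root.
    print(ancestor_note(SUBSCRIPTION, TENANT_DEPLOYMENT))
    print("granted by:", authorized(SAMPLE_ASSIGNMENTS, PRINCIPAL, ACTION, TENANT_DEPLOYMENT))

    # After an Owner assignment at the tenant root "/", the same action is allowed.
    with_root = SAMPLE_ASSIGNMENTS + [
        {"principalName": PRINCIPAL, "roleDefinitionName": "Owner", "scope": "/"}
    ]
    print("granted by:", authorized(with_root, PRINCIPAL, ACTION, TENANT_DEPLOYMENT))
```

Running it shows the subscription-scoped Owner covers `/subscriptions/…/resourceGroups/…` but not the tenant-scope deployment, while an Owner assignment at `/` does. In practice the root assignment is created by first elevating access as a Global Administrator (`az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"`) and then running `az role assignment create --assignee <principal> --role Owner --scope /`; the elevation should be removed again once the assignment exists, since it is a standing tenant-wide privilege.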

Thank you @oZakari for the step by step instructions. I was able to run the scripts in the VS Enterprise subscription and create the landing zones.

However, the step-by-step instructions did not work in every tenant. In addition to the test licence, I am also using a production tenant where I want to set up the landing zone architecture. Although I have followed the steps described, I am still experiencing the same authentication problems as above.

Hi @Artif3xx, when running the scripts in your organization's tenant, I assume the scripts errored out due to limited access you or the team member running the script had?

If you are not able to get tenant root access from your team, you can also try using the managementGroupsScopeEscape.bicep.

Closing for now, but feel free to reopen or respond back if you are still running into issues.