FIX - You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’ - While Deploying Azure Landing Zone

Deploying an Azure Landing Zone, particularly the Enterprise Scale Landing Zone, can hit roadblocks, presenting an error message like:

"You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’."

This issue commonly arises due to default permissions limitations, where having Owner rights on an Azure subscription or being a Global Administrator doesn’t automatically grant privileges to assign rights at the root ‘/’ tenant level. This limitation prevents the creation of new Management Groups or moving subscriptions between them.

However, there's a solution—users with the Global Microsoft Enterprise Identity (Entra ID) role can elevate their rights to overcome this hurdle. The process involves several steps, including utilizing Azure PowerShell to assign the necessary rights.

Here's a step-by-step guide for users with Global Administrator rights:

Enabling Elevated Rights:

  1. Sign in to the Azure Portal.
  2. Access the Microsoft Enterprise Identity.
  3. Click on "Properties."
  4. Toggle the ‘Access management for Azure resources’ to ‘Yes’ and Save.
  5. Open PowerShell and execute the following commands:


    Log in with your account and ensure you are in the correct directory (use Connect-AzAccount -TenantId 'tenantidhere' if needed).


    Copy the ID of your logged-in user and execute:

    $user = Get-AzADUser -ObjectId <userObjectId>
  6. With the user ID stored in a variable, assign the rights:

    New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

Allow Microsoft Enterprise Identity 10-15 minutes to replicate the Azure AD changes. Log out and back in to see the changes and proceed to deploy the Landing Zone.

Important Note:

After the successful deployment, it's crucial to revert the toggle to ‘Allow management of Azure resources’ to ‘No’. Failing to do so will allow all Global Administrators of Microsoft Enterprise Identity to manage all Azure resources.

Post Deployment Maintenance:

Once the Landing Zone is deployed, it's advisable to remove your role assignment at the root level using:

Remove-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

By following these steps, you can elevate permissions and resolve authorization errors encountered during the deployment of an Azure Landing Zone, ensuring a smooth and secure setup.

Post a Comment

Previous Post Next Post