1
votes

I am assigned an owner role in my employer's Azure subscription. He was able to create resource groups, but I can't. We're both wondering why, since I was already assigned as Owner, the highest role aside from subscription level.

When I try the az group create --name myGroup -l southeastasia command, its response is

The client 'live.com#<myAccount>@outlook.com' with object id '<object ID>'
does not have authorization to perform action 'Microsoft.Resources/subscriptions/
resourcegroups/write' over scope '/subscriptions/<subscription>/resourcegroups/<myGroup>'.

Edit: I have no subscription level resources Azure Resources

3
Hi, if you use this account to log in to the Azure Portal, could you create a resource group? Could you see subscriptions in the Portal? – Shui shengbao
I can see the Subscriptions blade in the portal but I'm unauthorized – JohnStephen.19
I suggest you re-assign the Owner role with your employer's account. If possible, could you show an error screenshot? – Shui shengbao
Also, if possible, you could create a sp to create the resource group and resources. See my answer. – Shui shengbao
You should see your subscription like this: imgur.com/a/6XKEV – Shui shengbao

3 Answers

2
votes

Do you have multiple subscriptions in your tenant? If yes, you should set it.

##list subscription
az account list --output table

##change the active subscription
az account set --subscription "My Demos"

If you only have one subscription, I suggest you create a sp, then use the sp to create a new resource group. See this link.

Update:

You should give the Owner role at the subscription level. According to your screenshot, you gave the Owner role on the resource group, so you can only create resources in that resource group. You also cannot create a new resource group. You should give the Owner role on your subscription, like below:

enter image description here
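
The scope rule this answer relies on, as an added example that is not part of the original answer: a role assignment only authorizes actions at its own scope and below, so Owner on one resource group never covers creating a sibling group. The role table is a simplified subset, the subscription ID and the `existingGroup` name are constructed, and the dictionary keys follow the `roleDefinitionName` and `scope` fields printed by `az role assignment list`.

```python
import fnmatch

# Simplified subset of the built-in role definitions (assumption: only what
# this example needs; the real definitions carry more NotActions).
ROLE_ACTIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}
RG_WRITE = "Microsoft.Resources/subscriptions/resourcegroups/write"


def scope_covers(assigned, target):
    """True if `assigned` is `target` itself or one of its parent scopes."""
    a = assigned.rstrip("/").lower()   # scopes compare case-insensitively
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def role_allows(role, action):
    """Match an action against the role's Actions minus its NotActions."""
    definition = ROLE_ACTIONS.get(role)
    if definition is None:
        return False                   # custom roles are not modelled here
    act = action.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(act, p.lower()) for p in pats)
    return hit(definition["actions"]) and not hit(definition["not_actions"])


def granting_assignments(assignments, action, target_scope):
    """Return the assignments that authorize `action` over `target_scope`."""
    return [a for a in assignments
            if scope_covers(a["scope"], target_scope)
            and role_allows(a["roleDefinitionName"], action)]


# Constructed sample data: Owner on one resource group vs. Owner on the subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_OWNER_ONLY = [{"roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/existingGroup"}]
SUB_OWNER = [{"roleDefinitionName": "Owner", "scope": SUB}]
NEW_GROUP = SUB + "/resourcegroups/myGroup"

if __name__ == "__main__":
    for name, assignments in (("RG-level Owner", RG_OWNER_ONLY), ("subscription-level Owner", SUB_OWNER)):
        ok = bool(granting_assignments(assignments, RG_WRITE, NEW_GROUP))
        print(f"{name}: create myGroup -> {'allowed' if ok else 'denied'}")
```
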

1
votes

Note: This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.

Subscription admins often fix this issue by granting resource group owners contributor rights on the subscription level, which contradicts their strategy of isolating access down to the resource group level, not the subscription level.

For the root cause and a quick resolution, refer to "Common problem when using Azure resource groups & RBAC".

0
votes

Well, the error clearly says you don't have rights over the scope, so you are either owner of the wrong sub or you have a role that specifically restricts that.