I've been added to a RG as Owner in a subscription outside my company. Navigating to the Access control (IAM) blade of the RG and clicking "View my access" clearly says "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC."

But I cannot create any resources without getting:

The client 'mikael.hakansson@xxx.com' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed) (Code: AuthorizationFailed)

Nor can I view role assignments: "You do not have permissions to read this directory. Contact a Global Administrator and have them assign you the Directory Readers role in Azure Active Directory."

Thank you for any input

Ansuman Bal
wmmhihaa
  • You have to be the owner of the subscription, but you only have the Owner role assigned on the resource group. – Ansuman Bal Feb 07 '22 at 17:58
  • When you grant Owner access on a resource group, you will see the scope as "This resource", but when you add Owner on the subscription, once you open the resource group you will see "Subscription (inherited)". – Ansuman Bal Feb 07 '22 at 17:59
  • If you want to create resources in the subscription/resource group, you need at least Contributor/Owner access on the subscription, as having Owner-level access on the resource group will not grant you access to the resource providers in the subscription. – Ansuman Bal Feb 07 '22 at 18:03
  • Thank you @AnsumanBal-MT – wmmhihaa Feb 07 '22 at 19:50

2 Answers

As I have mentioned in the comments, the Owner role that you have been assigned is for the resource group, as it shows "This resource". If it were assigned to the subscription, it would be shown as "Subscription (inherited)" at the resource group level.


The client 'mikael.hakansson@xxx.com' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed) (Code: AuthorizationFailed)

Coming to the above error, it's because you have permission only at the resource group level. You need to have access at the subscription level, which may be Owner/Contributor, to create resources. When you are creating resources, the Azure API registers that resource provider on the subscription and gets a token for your user to create a resource for that resource provider in any resource group on the subscription; if you don't have proper permissions on the subscription, it fails to register the resource provider and get the token in your name, and returns an error.

dylanh724
Ansuman Bal
  • The important part here, however, is, that once the resource provider is registered, owner on the resource group *will* be enough to create the resource there. So the solution shouldn't be to ask for the permission on the subscription level, but to ask the administrator to register that resource provider. – Jan Hudec Aug 30 '22 at 16:09
  • After 5 hours! Saviour! – Joseph Adam Jul 05 '23 at 14:58

Every type of resource you should be able to create in the subscription has to have its resource provider registered. This is done at the subscription level (in the Resource providers tab in the portal; see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types).

When the resource provider is registered, an Owner or Contributor on a resource group can create that type of resource in the resource group.

However, only the subscription owner can register the resource. It complains about Microsoft.Storage/register/action not being permitted when you try to create a storage account but the Microsoft.Storage provider is not registered. Once the subscription administrator registers Microsoft.Storage, you should be able to create storage accounts in that resource group with permissions to only that resource group.

Jan Hudec
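The two answers above describe the same mechanism from two sides: role assignments inherit downwards from the scope they were made at, and registering a resource provider is an action at subscription scope, so an Owner assignment on a resource group never satisfies it. The script below is an added illustration of that evaluation, not Azure's own authorization code or anything from this thread: it uses a toy RBAC evaluator with simplified built-in roles (no NotActions), constructed subscription, resource-group and principal names, and a plain set standing in for the subscription's provider registration state. It replays the thread in `demo()`: the RG owner is refused on `Microsoft.Storage/register/action`, the subscription owner registers the provider, and the same RG owner then succeeds.

```python
"""Toy model of the Azure RBAC evaluation behind the AuthorizationFailed error
in this thread. Added example, not Azure code: roles are simplified (no
NotActions), scopes and principals are constructed, and the subscription's
provider registration state is modelled as a set."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed id
RG = SUB + "/resourceGroups/rg-app"                            # constructed RG

# Simplified built-in roles: '*' is the wildcard Azure role definitions use.
ROLE_ACTIONS = {"Owner": ["*"], "Contributor": ["*"], "Reader": ["*/read"]}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # the scope the role was assigned at


def scope_covers(assigned: str, target: str) -> bool:
    """Assignments inherit downwards: a scope covers itself and every child scope."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_authorized(principal, action, scope, assignments) -> bool:
    """True if an assignment for `principal` covers `scope` and its role allows `action`."""
    for ra in assignments:
        if ra.principal.lower() != principal.lower() or not scope_covers(ra.scope, scope):
            continue
        if any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_ACTIONS[ra.role]):
            return True
    return False


def access_view(principal, scope, assignments):
    """What 'View my access' shows at `scope`: each role and where it was assigned."""
    rows = []
    for ra in assignments:
        if ra.principal.lower() == principal.lower() and scope_covers(ra.scope, scope):
            where = "This resource" if ra.scope.lower() == scope.lower() else "inherited from " + ra.scope
            rows.append((ra.role, where))
    return rows


def register_provider(principal, provider, sub_scope, assignments, registered):
    """Registration is checked at subscription scope, so RG-scoped roles never satisfy it."""
    action = f"{provider}/register/action"
    if not is_authorized(principal, action, sub_scope, assignments):
        return ("AuthorizationFailed", f"'{principal}' cannot perform '{action}' over scope '{sub_scope}'")
    registered.add(provider)
    return ("Registered", provider)


def create_resource(principal, resource_type, rg_scope, assignments, registered):
    """Two steps behind one deployment: register the provider (once per subscription),
    then write the resource at the resource group."""
    provider = resource_type.split("/")[0]
    sub_scope = rg_scope.split("/resourceGroups/")[0]
    if provider not in registered:
        status, detail = register_provider(principal, provider, sub_scope, assignments, registered)
        if status != "Registered":
            return (status, detail)
    action = f"{resource_type}/write"
    if not is_authorized(principal, action, rg_scope, assignments):
        return ("AuthorizationFailed", f"'{principal}' cannot perform '{action}' over scope '{rg_scope}'")
    return ("Created", f"{resource_type} in {rg_scope}")


def demo():
    """Replay the thread: RG owner fails, subscription owner registers, RG owner succeeds."""
    user, admin = "user@example.com", "admin@example.com"  # constructed principals
    assignments = [RoleAssignment(user, "Owner", RG), RoleAssignment(admin, "Owner", SUB)]
    registered = set()  # providers registered on SUB; empty, as in the question
    first = create_resource(user, "Microsoft.Storage/storageAccounts", RG, assignments, registered)
    by_admin = register_provider(admin, "Microsoft.Storage", SUB, assignments, registered)
    second = create_resource(user, "Microsoft.Storage/storageAccounts", RG, assignments, registered)
    return first, by_admin, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

`access_view` mirrors the "This resource" versus "(inherited)" distinction from the accepted answer, and `is_authorized` shows why that matters: the subscription-scoped admin covers the resource group, but the RG-scoped owner does not cover the subscription. Against a real subscription, the equivalent check is `az provider show --namespace Microsoft.Storage --query registrationState` (an administrator registers it with `az provider register --namespace Microsoft.Storage`), and `az role assignment list --scope <rg-id> --include-inherited` lists which assignments the portal would label as inherited.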