Urgent Issue with Role Assignment in Azure – "MissingSubscription" Error
Issue: Unable to Assign Role to ACR - MissingSubscription Error
Problem Description:
I encountered an issue while trying to assign the AcrPull role to a service principal for my Azure Container Registry (ACR). Every time I run the following command:
az role assignment create \
--assignee
Azure Container Registry
Azure Role-based access control
-
Pradeep Kommaraju • 390 Reputation points • Microsoft Employee
2025-03-04T07:47:09.85+00:00 Hello
Thanks for reaching out to Microsoft Q and A Forum,
The MissingSubscription error typically occurs when the Azure CLI cannot determine the active subscription. Try the following steps to resolve it:
- Ensure You're Logged In:
Run:
az login
- Set the Correct Subscription:
az account set --subscription <subscription-id>
- Verify the Subscription:
az account show --output table
- Check Role Assignment Scope:
Ensure the correct scope is used:
az role assignment create --assignee <assignee> --role AcrPull --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>
- Verify Service Principal Permissions:
Ensure the service principal has the right permissions to assign roles.
If the issue persists, try running the command with --debug to check detailed logs, or consider re-authenticating with az login --identity if using a managed identity.
If your issue is resolved, please do accept this answer. Also, don't hesitate to ask if you have any further questions.
Thanks,
Pradeep -
nehad shmale • 0 Reputation points
2025-03-04T16:44:21.8733333+00:00 Hello,
Thank you for your response. However, I have already tried all the steps mentioned, and the issue persists. Here’s what I have done so far:
1. Verified that I am logged in:
az login
az account set --subscription <subscription-id>
az account show --output table
- My subscription is active and set as default.
2. Checked role assignments:
az role assignment list --assignee $(az ad signed-in-user show --query id -o tsv) --output table
· My user account has Owner and User Access Administrator roles.
· I also tried assigning the AcrPull role to a Service Principal via CLI, but I still get the same MissingSubscription error.
3. Manually assigned the role via Azure Portal:
· I assigned the AcrPull role manually to the Service Principal via Azure Portal.
· Waited for approximately 1.5 hours, but the issue persists.
4. Tried re-authenticating & debugging:
· Logged out and back in using az logout && az login.
· Ran the command with --debug but didn't find anything unusual.
· Used az login --identity but still facing the same issue.
5. Manually created a Kubernetes Secret for ACR authentication:
kubectl create secret docker-registry acr-secret \
--docker-server=<acr-name>.azurecr.io \
--docker-username=<acr-username> \
--docker-password=<acr-password>
Even after this, I cannot pull images from ACR.
Questions:
- Could this be a Tenant-level restriction issue preventing role assignments?
- Is there a known RBAC delay that might be causing this?
- How can I troubleshoot this further to identify the root cause?
Any insights from Microsoft support would be highly appreciated.
Thanks!
-
Pramidha Yathipathi • 0 Reputation points • Microsoft External Staff
2025-03-06T01:27:56.7233333+00:00 Hi nehad shmale,
Just checking in to see if you had a chance to review the comment on your question. Please let us know if it was helpful and feel free to reach out if you have any further queries. If you found the information useful, please click "Upvote" on the post to let us know.
Thank You.
-
Pramidha Yathipathi • 0 Reputation points • Microsoft External Staff
2025-03-07T03:10:31.13+00:00 Hi nehad shmale,
- Verify Tenant-Level Restrictions
Since the “MissingSubscription” error persists even with correct role assignments, it’s possible that Tenant Restrictions or Azure Policies are preventing role assignments.
Check Azure Policies:
Run the following command to see if any policies might be blocking role assignments:
az policy assignment list --output table
If a policy is preventing role assignments, it should appear here.
Check Tenant-Wide Subscription Access:
az account list --output table
If the subscription does not appear, the account might not have access at the tenant level.
Confirm Role Assignments at the Tenant Level:
Try explicitly assigning the AcrPull role at the tenant scope:
az role assignment create --assignee <service-principal-id> --role AcrPull --scope /providers/Microsoft.Management/managementGroups/<management-group-id>
If the command fails, there may be Tenant-Level RBAC restrictions in place.
- Confirm Subscription Ownership & RBAC Permissions
Even though the user has Owner and User Access Administrator roles, there may be Conflicting RBAC Settings at a higher level (Management Groups or Tenant Level).
Check If Subscription is Linked to the Tenant:
az role assignment list --all --assignee <service-principal-id> --output table
Ensure that AcrPull is listed with the correct scope.
Explicitly Assign Subscription Access:
Try explicitly assigning the role at the subscription level instead of the ACR level:
az role assignment create --assignee <service-principal-id> --role AcrPull --scope /subscriptions/<subscription-id>
If this works, there may be a role inheritance issue with the ACR resource.
- Confirm ACR Authentication & Firewall Settings
If the role assignment looks correct but image pull still fails, check if network security rules or firewalls are blocking the service principal.
Check ACR Firewall Restrictions:
az acr show --name <registry-name> --query "networkRuleSet"
If allowAzureServices is false, enable it:
az acr update --name <registry-name> --public-network-enabled true
Enable Diagnostics to Capture Logs:
az monitor diagnostic-settings create \
--name "ACRDiagnostics" \
--resource /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name> \
--logs '[{"category": "ContainerRegistryLoginEvents", "enabled": true}]'
If the issue persists, the best course of action is to open a Microsoft Azure Support Ticket:
Collect debug logs
az role assignment create --assignee <service-principal-id> --role AcrPull --scope /subscriptions/<subscription-id> --debug > debug.log 2>&1
Please provide Error Details & Subscription ID.
Request an Investigation for Potential Tenant-Level Restrictions.
If you found the information useful, please click "Upvote" on the post to let us know.
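A pre-flight check for the --scope strings used in the answers above, added here as an example (it is not code from the thread or from the Azure CLI, and the function names are hypothetical). It rejects an empty or malformed scope before the request is sent, and flags resource-group, subscription or management-group scopes, at which AcrPull is inherited by every registry beneath them.

```shell
#!/bin/sh
# Pre-flight check for the --scope value given to `az role assignment create`.
# Function names are hypothetical (added example); runs offline, no az call.

GUID='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
NAME='[-a-z0-9_.()]{1,90}'          # resource group / management group id
SUB="/subscriptions/$GUID"
RG="$SUB/resourceGroups/$NAME"
ACR="$RG/providers/Microsoft[.]ContainerRegistry/registries/[a-z0-9]{5,50}"
MG="/providers/Microsoft[.]Management/managementGroups/$NAME"

# matches STRING ERE: whole-string, case-insensitive match.
matches() { printf '%s\n' "$1" | grep -Eixq -- "$2"; }

# Print which level a scope string addresses, or "invalid".
scope_level() {
  case "$1" in
    # Empty variable, or a stray space/newline from a mangled path.
    ''|*[[:space:]]*) echo invalid; return 0 ;;
  esac
  if   matches "$1" "$ACR"; then echo registry
  elif matches "$1" "$RG";  then echo resource-group
  elif matches "$1" "$SUB"; then echo subscription
  elif matches "$1" "$MG";  then echo management-group
  else echo invalid
  fi
}

# Succeed only for a well-formed registry-level scope, the narrowest grant
# that lets a principal pull from one ACR; explain anything else on stderr.
check_acrpull_scope() {
  level=$(scope_level "$1")
  case "$level" in
    registry) return 0 ;;
    invalid)  echo "scope is empty or malformed: '$1'" >&2; return 2 ;;
    *)        echo "scope is $level-wide; AcrPull would cover every registry under it" >&2
              return 1 ;;
  esac
}
```

Call check_acrpull_scope "$SCOPE" before the az command and stop on a non-zero status: 2 means the string would not reach the intended resource at all, 1 means it is valid but broader than a single registry.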